=====================================================================
CERT-Renater Note d'Information No. 2008/VULN586
_____________________________________________________________________
DATE                 : 15/12/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running IBM Tivoli Provisioning Manager,
                       IBM Tivoli Intelligent Orchestrator.
======================================================================

http://www-01.ibm.com/support/docview.wss?uid=swg21330228
______________________________________________________________________

Abstract

Any LDAP user that belongs to the domain used by Tivoli Provisioning
Manager (TPM), Tivoli Provisioning Manager for Software (TPMfSW) or
Tivoli Intelligent Orchestrator (TIO) can run SOAP commands.

Content

When the LDAP directory used for authentication is shared with other
applications, any LDAP user under the domain (suffix) used by the product
can run SOAP commands. For example, if a user is created in LDAP under the
domain or suffix of TPM, TPMfSW or TIO, but the same user is not created
in the TPM user records, that user can still run provisioning workflows
through SOAP. In other words, membership in the LDAP suffix is effectively
treated as authorization to run SOAP commands, regardless of whether the
account has a TPM user record.

This problem occurs only if you are using LDAP authentication and the LDAP
service is shared with other applications. There is no vulnerability if
the LDAP service is used only for authentication with Tivoli Provisioning
Manager.

This vulnerability has been fixed in Interim Fix IF0006. To install
Interim Fix IF0006, you must first upgrade to version 5.1.1.1.
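The following is an added example, not code from IBM or CERT-Renater. It
shows two things a practitioner wants from this advisory: an audit that
lists every account in the shared LDAP suffix that has no TPM user record
(the accounts that could run SOAP workflows before IF0006), and the
authorization check that should gate SOAP calls, where an LDAP bind proves
who the caller is and only the application's own user record says what
they may do. The LDIF export, the TPM user list, the passwords and all
function names are constructed for illustration; the LDAP bind is a
stand-in, not a directory client.

```python
# Added example (not IBM or CERT-Renater code): audit a shared LDAP suffix
# for accounts without a TPM user record, and gate SOAP calls on both an
# LDAP bind and an application user record. All data below is constructed.

# Constructed LDIF export of the suffix TPM authenticates against.
# svc-backup and jdoe belong to other applications sharing the directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Admin

dn: uid=svc-backup,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: svc-backup
cn: Backup service account

dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
"""

SUFFIX = "dc=example,dc=org"

# Constructed: accounts that exist in TPM's own user records.
TPM_USER_RECORDS = {"alice"}

# Constructed credentials for the stand-in bind (never store passwords like this).
SAMPLE_PASSWORDS = {"alice": "a-pw", "svc-backup": "b-pw", "jdoe": "j-pw"}


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, continuation lines start with one space. Base64 ('::') values are
    not needed here and are rejected rather than silently mis-read."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            raise ValueError("base64 LDIF value not supported: " + attr)
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def in_suffix(dn, suffix):
    """Textual, case-insensitive suffix match (enough for this sample; real
    code should normalise DNs before comparing)."""
    return dn.strip().lower().endswith(suffix.lower())


def suffix_uids(ldif_text, suffix):
    """All uid values of entries located under the suffix."""
    uids = set()
    for entry in parse_ldif(ldif_text):
        if in_suffix(entry.get("dn", [""])[0], suffix):
            uids.update(entry.get("uid", []))
    return uids


def audit_unmapped_accounts(ldif_text, suffix, tpm_users):
    """Accounts under the suffix with no TPM user record: exactly the set
    that could run provisioning workflows over SOAP on an unpatched system."""
    return sorted(suffix_uids(ldif_text, suffix) - set(tpm_users))


def ldap_bind(uid, password, ldif_text=SAMPLE_LDIF, suffix=SUFFIX):
    """Stand-in for a simple bind: any account under the suffix with the
    right (constructed) password authenticates."""
    return uid in suffix_uids(ldif_text, suffix) and SAMPLE_PASSWORDS.get(uid) == password


def authorize_soap_vulnerable(uid, password):
    """Behaviour the advisory describes: a successful bind against the shared
    directory is treated as permission to run SOAP commands."""
    return ldap_bind(uid, password)


def authorize_soap_fixed(uid, password, tpm_users=TPM_USER_RECORDS):
    """Authentication and authorization kept separate: the bind must succeed
    AND the account must exist in the application's own user records."""
    return ldap_bind(uid, password) and uid in tpm_users


if __name__ == "__main__":
    print("accounts in suffix without a TPM record:",
          audit_unmapped_accounts(SAMPLE_LDIF, SUFFIX, TPM_USER_RECORDS))
    for uid in ("alice", "svc-backup"):
        print(uid, "vulnerable:", authorize_soap_vulnerable(uid, SAMPLE_PASSWORDS[uid]),
              "fixed:", authorize_soap_fixed(uid, SAMPLE_PASSWORDS[uid]))
```

Run against a real LDIF export of the product's suffix (for example from
ldapsearch) and the application's own user export, the audit lists every
account that other applications created under that suffix, which is the
population the advisory says could run workflows before the interim fix.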
Software version: 5.1.0.2, 5.1.1, 5.1.1.1

Related information

  Interim Fix 5.1.1.1-TIV-TPM-IF00006
  Interim Fix 5.1.1.1-TIV-TIO-IF00006
  Interim Fix 5.1.1.1-TIV-TPMFSW-IF00006

Cross reference information

  Segment                       Product
  ----------------------------  --------------------------------------------
  Systems and Asset Management  IBM Tivoli Intelligent Orchestrator
  Systems and Asset Management  IBM Tivoli Provisioning Manager for Software

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product
and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41       +
+ 75013 Paris            | email: certsvp@renater.fr  +
=========================================================