VYPR
Unrated severity · NVD Advisory · Published Oct 6, 2023 · Updated Sep 19, 2024

IBM Jazz Foundation information disclosure

CVE-2022-34355

Description

IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user that could be used in further attacks against the system. IBM X-Force ID: 230498.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Jazz Foundation (Engineering Lifecycle Management) exposes backend version information on the admin page, which can aid further attacks.

Vulnerability

IBM Jazz Foundation, specifically IBM Engineering Lifecycle Management (ELM) versions 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2, as well as Collaborative Lifecycle Management (CLM) versions 6.0.6 and 6.0.6.1, displays sensitive version information (e.g., JVM, database, application server) on the ADMIN page. This information disclosure occurs without requiring authentication to the admin interface, though the attacker must have local access to the system (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [1].

Exploitation

An attacker with local access to the IBM Jazz Foundation system can access the ADMIN page and view detailed version strings of underlying technologies. No authentication or user interaction is required to exploit this vulnerability, as the page is exposed to any local user [1]. The attacker simply navigates to the admin interface to obtain the sensitive version data.

Impact

Successful exploitation leads to low confidentiality impact: the attacker learns the exact versions of backend components (e.g., JVM, database, application server). This information can be used to tailor further attacks against the system, such as exploiting known vulnerabilities in those specific versions [1].

Mitigation

IBM has released fixes: for CLM 6.0.6, install iFix028 or later; for CLM 6.0.6.1, install iFix027 or later; for ELM 7.0, install iFix017 or later; for ELM 7.0.1, install iFix018 or later; and for ELM 7.0.2, install iFix016 or later [1]. No workarounds are available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

2
