IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116.
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Maximo_asset_management | Ibm | 7.6.0.0 (including) | 7.6.3.0 (including) |
Maximo_for_aviation | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Maximo_for_aviation | Ibm | 7.6.1.0 (including) | 7.6.1.0 (including) |
Maximo_for_aviation | Ibm | 7.6.2.0 (including) | 7.6.2.0 (including) |
Maximo_for_aviation | Ibm | 7.6.2.1 (including) | 7.6.2.1 (including) |
Maximo_for_aviation | Ibm | 7.6.3.0 (including) | 7.6.3.0 (including) |
Maximo_for_life_sciences | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Maximo_for_nuclear_power | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Maximo_for_oil_and_gas | Ibm | 7.5.0.0 (including) | 7.5.0.0 (including) |
Maximo_for_oil_and_gas | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Maximo_for_transportation | Ibm | 7.6.1.0 (including) | 7.6.1.0 (including) |
Maximo_for_transportation | Ibm | 7.6.2.0 (including) | 7.6.2.0 (including) |
Maximo_for_transportation | Ibm | 7.6.2.1 (including) | 7.6.2.1 (including) |
Maximo_for_transportation | Ibm | 7.6.2.2 (including) | 7.6.2.2 (including) |
Maximo_for_transportation | Ibm | 7.6.2.3 (including) | 7.6.2.3 (including) |
Maximo_for_transportation | Ibm | 7.6.2.4 (including) | 7.6.2.4 (including) |
Maximo_for_utilities | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Smartcloud_control_desk | Ibm | 7.6.0.0 (including) | 7.6.0.0 (including) |
Smartcloud_control_desk | Ibm | 7.6.0.1 (including) | 7.6.0.1 (including) |
Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.