Security Bulletin: Multiple vulnerabilities in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite (CVE-2013-2953, CVE-2013-2954, CVE-2013-2955, CVE-2013-2956, CVE-2013-2957, CVE-2013-2959)

Published on Vulners: 2022-09-25 22:39:39
Source: www.ibm.com
Tags: ibm, infosphere optim, e-business console, md5 ssl, inadequate account lockout, stored cross-site scripting, authentication bypass, unencrypted login request

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.008 Low (percentile 82.2%)

Abstract

Multiple vulnerabilities have been identified in the Optim E-Business Console making the product vulnerable to phishing attacks, the interception of credentials and the bypass of login entirely.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-2953

**DESCRIPTION:** Use of MD5 as SSL Certificate Signature Algorithm – The signature algorithm used to sign the certificate used for secure communication is MD5. The signature algorithm is obsolete and using it may allow elaborate phishing attacks.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2954

**DESCRIPTION:** Inadequate Account Lockout – The Optim for E-Business Console login page is not restricting users after repeatedly entering incorrect login credentials.

CVSS:
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83663 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/AU:S/C:C/I:N/A:N)

CVE ID: CVE-2013-2955

**DESCRIPTION:** Stored Cross-Site Scripting - Entering a malformed URL into the browser, or clicking on a malformed URL link, could allow an attacker to collect sensitive data.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83664 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
Versions 6.0 through 9.1 of IBM InfoSphere Optim Data Growth for Oracle E-Business Suite are affected.

CVE ID: CVE-2013-2956

**DESCRIPTION:** Authentication Bypass Using SQL Injection - When logging into the Optim E-Business Console, authentication can be bypassed using SQL injection. An exploit will not impact accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83665 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:P/A:P)
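CVE-2013-2954 (no lockout) and CVE-2013-2956 (SQL injection authentication bypass) are both server-side login defects, so one example serves both. The following is an added example, not IBM's code and not the console's real login: a login routine with both defects beside a hardened one that uses a parameterised query, a constant-time hash comparison and a failure counter. The table layout, column names and the lockout threshold are assumptions for illustration; the user store is an in-memory SQLite database constructed inline.

```python
"""Vulnerable and hardened login checks for the defect classes named in
CVE-2013-2954 and CVE-2013-2956. Added example, not IBM's code."""
import hashlib
import hmac
import os
import sqlite3

MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold (hypothetical policy)
PBKDF2_ROUNDS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample store with one account, 'alice'.

    legacy_users mirrors a plaintext-password table used by the vulnerable
    login; accounts is the hardened store (salted hash + lockout counters).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES ('alice', 'correct horse')")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " failed INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO accounts (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, _hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Defect class of CVE-2013-2956: input is spliced into the SQL text, so a
    quote in the username rewrites the query (a trailing '--' comments out
    the password clause). No failure is ever counted (CVE-2013-2954)."""
    query = (
        f"SELECT username FROM legacy_users WHERE username = '{username}'"
        f" AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None

def login_hardened(conn, username: str, password: str) -> bool:
    """Parameterised lookup, constant-time hash comparison, and a counter
    that locks the account after MAX_FAILED_ATTEMPTS consecutive failures."""
    row = conn.execute(
        "SELECT salt, pw_hash, failed, locked FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False                  # unknown user: same answer as a bad password
    salt, stored, failed, locked = row
    if locked:
        return False                  # a locked account fails even with the right password
    if hmac.compare_digest(_hash_password(password, salt), stored):
        conn.execute("UPDATE accounts SET failed = 0 WHERE username = ?", (username,))
        conn.commit()
        return True
    failed += 1
    conn.execute(
        "UPDATE accounts SET failed = ?, locked = ? WHERE username = ?",
        (failed, int(failed >= MAX_FAILED_ATTEMPTS), username),
    )
    conn.commit()
    return False

def is_locked(conn, username: str) -> bool:
    row = conn.execute("SELECT locked FROM accounts WHERE username = ?", (username,)).fetchone()
    return bool(row and row[0])

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, good creds:", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected  :", login_vulnerable(db, "alice' --", "anything"))
    print("hardened, injected    :", login_hardened(db, "alice' --", "anything"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        login_hardened(db, "alice", "wrong")
    print("hardened, locked now  :", is_locked(db, "alice"))
```

In the hardened path the injected username is simply a string that matches no row, and the lockout counter is what turns the repeated-guess scenario of CVE-2013-2954 into a detectable, bounded event; a real deployment would also log each failure and unlock through an administrative path or a timed reset.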

CVE ID: CVE-2013-2957

**DESCRIPTION:** Cross-Site Scripting - Entering a malformed URL into the browser, or clicking on a malformed URL link, could allow an attacker to collect sensitive data.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2959

**DESCRIPTION:** Unencrypted Login Request - Credentials used for logging into the Optim E-Business Console are not encrypted and are thus subject to compromise. Exploitation requires local network access and the use of specialized knowledge and techniques. An exploit will not impact accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
Versions 6.0 through 9.1 of IBM InfoSphere Optim Data Growth for Oracle E-Business Suite are affected.

**REMEDIATION:** The recommended solution is to apply Fix Pack 9.1.0.3 as soon as possible.

Fix(es):
For version 9.1:
- Apply Fix Pack 9.1.0.3

For other versions contact technical support for assistance.

Workaround(s):
None known

Mitigation(s):
None known

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2013-2953
· CVE-2013-2954
· CVE-2013-2955
· CVE-2013-2956
· CVE-2013-2957
· CVE-2013-2959

CHANGE HISTORY:

13-May-2013: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSMLQ4","label":"IBM InfoSphere Optim Test Data Management Solution"},"Business Unit":{"code":"BU059","label":"IBM Software w/o TPS"},"Component":"Data Growth Solution for Oracle E-business Suite","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.1;7.1.2;7.1.1;7.1.0;6.1;6.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Affected configurations (Vulners):
ibm infosphere_optim_data_growth_solution_for_siebel_crm, versions 9.1, 7.1.2, 7.1.1, 7.1.0, 6.1 or 6.0
