Security Bulletin: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)

Abstract

The IBM DB2 Information Center package gives you local access to DB2 documentation on a local or intranet system. Some scripts in the help system, used by DB2 Information Center, are vulnerable to open redirect, or cross-site scripting attacks.

This security bulletin only applies to the installed (local or intranet system) DB2 Information Center. If you don’t have a DB2 Information Center installed on a local or intranet system, then this security bulletin is not applicable.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2012-2159

DESCRIPTION: Some scripts used by the help system are vulnerable to redirects from trusted to untrusted web sites when users click a malicious link.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See X-Force Vulnerability Database 74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2161

DESCRIPTION: Some scripts used by the help system are vulnerable to open redirect attacks. Attackers could potentially exploit this vulnerability to direct users to a page that contains malware or to steal credentials.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See X-Force Vulnerability Database 74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0467

**DESCRIPTION:**IBM DB2 Information Center could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL to view source code on the help system server.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See X-Force Vulnerability Database 81102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:

The following locally installed IBM DB2 Information Center editions running on Linux, and Windows are affected by this security bulletin:

IBM® DB2® 10.1 Information Center Network package
IBM® DB2® 10.1 Information Center Workstation package

IBM® DB2® 9.7 Information Center Network package
IBM® DB2® 9.7 Information Center Workstation package

IBM® DB2® 9.5 Information Center package
IBM® DB2® 9.5 Information Center non-admin/non-root package

IBM® DB2® 9 Information Center package
IBM® DB2® 9 Information Center non-admin/non-root package

Network version (installable) of the DB2 Information Center
The Network version of the DB2 Information Center lets you install the Information Center on a computer for intranet access. The install program requires that you have administrative authority on your computer to complete the installation.

The Workstation version (stand-alone) of the DB2 Information Center
This package allows you to run the DB2 Information Center on local workstation if you do not have administrator or root authority. The Workstation version of the DB2 Information Center runs in “stand-alone” mode. There are no services or daemons associated with this type of DB2 Information Center and you must start and stop it manually.

REMEDIATION:

Please see the following for information on the fixes available.

Note: The DB2 Information Center for Version 9 will not be updated since the product is out of service. Please update to a newer versions of the DB2 Information Center or use an online version listed at <http://www.ibm.com/software/data/db2/linux-unix-windows/library.html#Information centers&gt;.

Vendor Fix(es):

The fix for this vulnerability is available for download for DB2 Information Center release Version 9.5, Version 9.7, and Version 10.1. View the instructions for the for installing the patch at <http://www.ibm.com/support/docview.wss?uid=swg21624607&gt;

The package for the Workstation version includes the latest version of all the content for that release and a fully patched version of the DB2 Information Center. The package for the Network version of the DB2 Information Center only includes the patch for the base information center code. An updated install package for the Network version of the information centers will be available in the future.

Mitigation(s): None.

Workaround(s): None.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database 74832
X-Force Vulnerability Database 74833
X-Force Vulnerability Database 81102
CVE-2012-2159
CVE-2012-2161
CVE-2013-0467

CHANGE HISTORY: March 1, 2013 Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SSEPGG”,“label”:“Db2 for Linux, UNIX and Windows”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:“Security / Plug-Ins - Security Vulnerability”,“Platform”:[{“code”:“PF016”,“label”:“Linux”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“9.7;9.5;10.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB10”,“label”:“Data and AI”}}]