Security Bulletin: Multiple vulnerabilities exist in IBM Data Studio Web Console, Optim Performance Manager, IBM InfoSphere Optim Configuration Manager, and DB2 Recovery Expert for Linux, UNIX and Windows (CVE-2013-4025, CVE-2013-4024, CVE-2013-4022)

Abstract

Multiple vulnerabilities exist in IBM Data Studio Web Console, Optim Performance Manager, IBM InfoSphere Optim Configuration Manager, and DB2 Recovery Expert for Linux, UNIX and Windows which could allow an attacker to view sensitive information or perform actions as a compromised user.

Content

VULNERABILITY DETAILS:

CVE ID:CVE-2013-4025

DESCRIPTION:
If a user’s web browser is configured to store form information, the browser’s ‘Auto-Complete’ stores completed form fields, such as the web console login passwords locally for reuse when the user returns to that website. An attacker, with physical access to the client system from which the browser is launched, may be able to access the password if the browser’s storage is not secure enough.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85933
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)

CVE IDCVE-2013-4024

DESCRIPTION:
If the Web Console application is accessed via a network with HTTP, an attacker may be able to sniff packets for non-encrypted cookies that could potentially contain sensitive session information.

CVSS:
CVSS Base Score: 2.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85931
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:S/C:N/I:P/A:N)

CVE ID:CVE-2013-4022

DESCRIPTION:
Information is stored in a cookie, that when compromised, could allow an attacker to gain access as the authenticated user to view sensitive information or perform actions as that user.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/85928
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Data Studio Web Console versions v3.1.x
Optim Performance Manager for DB2 on LUW v5.1.x
IBM InfoSphere Optim Configuration Manager v2.1
DB2 Recovery Expert for Linux, UNIX and Windows v2.x

REMEDIATION:

FIX(ES):
1. For IBM Data Studio Web Console v.3.1.x, upgrade to IBM Data Studio Web Console v3.2 or later version. Information regarding how to download IBM Data Studio Web Console 4.1 can be found here.
http://www.ibm.com/developerworks/downloads/im/data/
2. For Optim Performance Manager v5.1.x, upgrade to Optim Performance Manager 5.2 or later version. Information regarding how to download Optim Performance
Manager 5.2 or later version can be found here
http://www-01.ibm.com/support/docview.wss?uid=swg24031043
3. For Optim Configuration Manager v2.1, upgrade to Optim Configuration Manager V2.2 or later version. Information regarding on Optim Configuration Manager V3.1 and prior version could be found here.
http://pic.dhe.ibm.com/infocenter/cfgmgr/v3r1/index.jsp
4. For DB2 Recovery Expert v2.x, upgrade to DB2 Recovery Expert V3.1 or later versions. Information regarding on DB2 Recovery Expert V3.1 or later version could be found here. http://www-933.ibm.com/support/fixcentral/

WORKAROUNDS/ MITIGATIONS:
None known.

REFERENCES:

__ Complete CVSS Guide___ _
__ On-line Calculator V2__

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program

ACKNOWLEDGEMENT:
None

CHANGE HISTORY:

23 Sep, 2013: Original publication

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SS62YD”,“label”:“IBM Data Studio”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“Web Console”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”},{“code”:“PF035”,“label”:“z/OS”}],“Version”:“3.1;3.1.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB10”,“label”:“Data and AI”}}]