Security Bulletin: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467)

Source: www.ibm.com (indexed 2022-09-25 23:13:40)

EPSS: 0.003 (percentile 65.1%)

Abstract

The version of IBM Eclipse Help System (IEHS) shipped with IBM SPSS Data Collection (“Data Collection”) versions 6.0, 6.0.1 and 7.0 has two security vulnerabilities: a cross-site scripting flaw that a remote, unauthenticated attacker could use to run script in a victim's browser, and a source code disclosure flaw that an authenticated attacker could use to read the source of some server-side resources.

Content

VULNERABILITY DETAILS:

DESCRIPTION:
Cross-site scripting vulnerabilities in the IEHS Search control may allow a remote, unauthenticated attacker to inject script that executes in a victim's browser in the context of the help site.
CVE ID: CVE-2013-0464
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
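After the fix is applied, an administrator will want to confirm that a value submitted to the IEHS search box no longer comes back unescaped. The following Python helper is an added example, not IBM's code or part of this bulletin: it classifies how a probe marker is reflected in an HTML response (verbatim, fully entity-encoded, partially encoded, or not at all) and wraps that in a one-request probe. The bulletin does not name the vulnerable URL or query parameter, so `base_url` and `param` are placeholders the operator must supply; the sample responses at the bottom are constructed for illustration.

```python
"""Check whether a reflected value is HTML-encoded (added example, not IBM code).

The bulletin says the XSS is in the IEHS search control but does not name the
URL or parameter, so `base_url` and `param` are operator-supplied placeholders.
"""
import html
import re
import urllib.parse
import urllib.request

# Probe value: harmless if executed, but contains every character an HTML
# encoder must neutralise in text and attribute contexts. Constructed here.
MARKER = "<iehs\"probe'>"

# Accepted entity encodings for each meta-character.
_ENTITY = {
    "<": r"(?:&lt;|&#60;|&#x3[cC];)",
    ">": r"(?:&gt;|&#62;|&#x3[eE];)",
    '"': r"(?:&quot;|&#34;|&#x22;)",
    "'": r"(?:&#39;|&#x27;|&apos;)",
}


def _pattern(marker: str, allow_raw: bool) -> "re.Pattern[str]":
    """Regex matching `marker` with its meta-characters entity-encoded.

    With allow_raw=True each meta-character may also appear literally, which
    detects partial encoding (e.g. angle brackets escaped but quotes not,
    which is still exploitable inside an attribute value).
    """
    parts = []
    for ch in marker:
        if ch in _ENTITY:
            enc = _ENTITY[ch]
            parts.append(f"(?:{re.escape(ch)}|{enc})" if allow_raw else enc)
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Return "raw", "escaped", "partial" or "absent" for `marker` in `body`.

    raw     - marker reflected verbatim: the page is still vulnerable
    escaped - every meta-character entity-encoded: the fix is effective
    partial - some meta-characters still raw: exploitable in some contexts
    absent  - marker not reflected at all
    """
    if marker in body:
        return "raw"
    if _pattern(marker, allow_raw=False).search(body):
        return "escaped"
    if _pattern(marker, allow_raw=True).search(body):
        return "partial"
    return "absent"


def probe(base_url: str, param: str, marker: str = MARKER, timeout: float = 10.0) -> str:
    """Send `marker` as query parameter `param` to `base_url` and classify the reply.

    Network call; run it only against a system you are authorised to test.
    """
    url = base_url + "?" + urllib.parse.urlencode({param: marker})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return classify_reflection(body, marker)


# Constructed sample responses standing in for unpatched / patched behaviour.
SAMPLE_VULNERABLE = "<p>Results for: " + MARKER + "</p>"
SAMPLE_FIXED = "<p>Results for: " + html.escape(MARKER, quote=True) + "</p>"
SAMPLE_PARTIAL = '<input value="' + MARKER.replace("<", "&lt;").replace(">", "&gt;") + '">'
SAMPLE_ABSENT = "<p>No results.</p>"

if __name__ == "__main__":
    for name, body in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                       ("partial", SAMPLE_PARTIAL), ("absent", SAMPLE_ABSENT)]:
        print(f"{name:>10}: {classify_reflection(body)}")
    # Live check against a real host (placeholders; the bulletin gives no URL/param):
    # print(probe("http://HOST:PORT/PATH", "PARAM"))
```

A "partial" result is worth treating as a failure: encoding only `<` and `>` is enough for a text node but not for a value reflected inside a quoted attribute, where an unencoded quote still lets the attacker break out.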

DESCRIPTION:
A source code disclosure vulnerability may allow an authenticated attacker to retrieve the source code of some resources located on the server.
CVE ID: CVE-2013-0467
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81102 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:
IBM SPSS Data Collection Developer Library 6.0 (DDL 6.0) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 6.0.1 (DDL 6.0.1) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 7.0 (DDL 7.0) using IEHS 3.6.2

REMEDIATION:

Fix: IEHS Security Issue Fix (IEHS PMR P001620 / P001643)

VRMF                            How to acquire fix
7.0-IM-DC7DDL-WIN32_64-IF001    http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=7.0.0.0&platform=All&function=fixId&fixids=7.0-IM-DC7DDL-WIN32_64-IF001
6.0.1-IM-DC6DDL-WIN32_64-IF001  http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.1.0&platform=All&function=fixId&fixids=6.0.1-IM-DC6DDL-WIN32_64-IF001
6.0-IM-DC6DDL-WIN32_64-IF001    http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.0.0&platform=All&function=fixId&fixids=6.0-IM-DC6DDL-WIN32_64-IF001

Vendor fixes
Both issues are fixed by installing the fix pack for IBM® Eclipse Help System (IEHS) 3.4.3 (Data Collection 6.0 and 6.0.1) or 3.6.2 (Data Collection 7.0) listed above.

Steps to apply the fix pack

1. Back up the files in your <IEHS> directory. The default directory is "C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help".

2. Download the fix patches for your Data Collection version (see the table above). They address PMR P001620 (source code disclosure) and PMR P001643 (XSS in the Search control box, and a performance issue in the banner or welcome page in doc.zip).

3. Extract them into your <IEHS> directory (the default directory is the one given in step 1), overwriting all existing files.
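The three steps above, automated as an added example in Python (this is not IBM's installer or part of the bulletin): it snapshots the <IEHS> tree, copies it to a timestamped backup, extracts each downloaded fix archive over it while refusing any archive member that would land outside <IEHS>, and then reports which files the fix replaced or added so the operator can confirm the patch actually landed. It assumes the fixes are zip archives whose internal layout mirrors <IEHS>; the bulletin does not describe their format. The file names used in `demo()` are constructed sample data, not real IEHS files.

```python
"""Back up <IEHS>, extract fix archives over it, report what changed.

Added example, not IBM's installer. Assumes the interim fixes are zip archives
whose layout mirrors <IEHS>; the bulletin does not describe their format.
"""
import hashlib
import shutil
import tempfile
import time
import zipfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup_dir(iehs_dir: Path, backup_parent: Path) -> Path:
    """Step 1: copy <IEHS> to a timestamped directory before touching it."""
    dest = backup_parent / f"{iehs_dir.name}.backup-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copytree(iehs_dir, dest)
    return dest


def _check_members(zf: zipfile.ZipFile, iehs_dir: Path) -> None:
    """Refuse any archive member that would be written outside <IEHS>."""
    root = iehs_dir.resolve()
    for member in zf.infolist():
        target = (root / member.filename).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"refusing to extract {member.filename!r} outside {root}")


def apply_fix(iehs_dir: Path, fix_archives: list, backup_parent: Path) -> dict:
    """Steps 1-3: back up, extract each fix (overwriting), and diff before/after."""
    before = snapshot(iehs_dir)
    backup = backup_dir(iehs_dir, backup_parent)
    for archive in fix_archives:
        with zipfile.ZipFile(archive) as zf:
            _check_members(zf, iehs_dir)
            zf.extractall(iehs_dir)  # step 3: existing files are overwritten
    after = snapshot(iehs_dir)
    return {
        "backup": backup.name,
        "changed": sorted(p for p in after if p in before and after[p] != before[p]),
        "added": sorted(p for p in after if p not in before),
        "unchanged": sorted(p for p in after if p in before and after[p] == before[p]),
    }


def demo() -> dict:
    """Run apply_fix on a constructed throw-away <IEHS> tree (sample data only)."""
    work = Path(tempfile.mkdtemp(prefix="iehs-demo-"))
    try:
        iehs = work / "ibm_help"
        (iehs / "plugins").mkdir(parents=True)
        (iehs / "plugins" / "search.js").write_text("unpatched search box\n")
        (iehs / "plugins" / "banner.html").write_text("unchanged\n")
        fix = work / "fix.zip"  # constructed stand-in for a downloaded fix archive
        with zipfile.ZipFile(fix, "w") as zf:
            zf.writestr("plugins/search.js", "patched search box\n")
            zf.writestr("plugins/readme_fix.txt", "new file\n")
        report = apply_fix(iehs, [fix], work)
        report["search_js"] = (iehs / "plugins" / "search.js").read_text()
        report["backup_search_js"] = (work / report["backup"] / "plugins" / "search.js").read_text()
        return report
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    # Real use (version placeholder left as in the bulletin):
    # apply_fix(Path(r"C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help"),
    #           [Path(r"C:\downloads\fix.zip")], Path(r"C:\iehs-backups"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the "changed" list comes back empty after a real run, the archive layout did not line up with <IEHS> and nothing was actually replaced; the backup directory lets you roll back by copying it over <IEHS> if the help system fails to start afterwards.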

Workaround(s): None; apply the patches above.

Mitigation(s): none

REFERENCES:

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
May 30, 2013: Originally published.
July 18, 2013: Updated download links and steps to apply fix pack.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
