Published: Sep 26, 2022 - 5:45 a.m.

Security Bulletin: Multiple vulnerabilities in Product IBM Application Manager For Smart Business 1.2.1 (CVE-2013-0548, CVE-2013-0551, CVE-2013-0576 , CVE-2013-2960, CVE-2013-2961, CVE-2012-2190, CVE-2012-2191, CVE-2012-2203)

Source: www.ibm.com
Tags: ibm application manager, denial of service, cross site scripting, cvss, vulnerability

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.107 (percentile 95.2%)

Abstract

Several vulnerabilities have been resolved in the Basic Services component of IBM Tivoli Monitoring (ITM), the base on which IBM Application Manager For Smart Business 1.2.1 is built. These vulnerabilities could be exploited to cause a denial of service or a Cross Site Scripting (XSS) exposure.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0548

DESCRIPTION: A security scan reported several Cross Site Scripting (XSS) vulnerabilities.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82767> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0551

DESCRIPTION: Specially crafted URLs could cause an abend (abnormal termination) of an IBM Tivoli Monitoring process.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82768> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-0576

DESCRIPTION: Cross site scripting (XSS) vulnerability using the Tivoli Enterprise Portal browser client…

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83328> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-2960

DESCRIPTION: HTTP processing of specially crafted URLs could cause a buffer overrun and a segmentation fault in KDSMAIN.

CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83724> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE ID: CVE-2013-2961

DESCRIPTION: Client security scanners reported potential issues with the Tivoli Monitoring internal web server when handling certain HTTP requests.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2190

DESCRIPTION: Remote attackers can cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75994> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2191

DESCRIPTION: Data is not properly validated during execution of the protection mechanism against the Vaudenay SSL CBC timing attack.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75996> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2203

DESCRIPTION: The PKCS #12 file format is used for certificate objects without enforcing file integrity.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Additional CVE IDs: all Java vulnerabilities listed in the bulletin at http://www-01.ibm.com/support/docview.wss?uid=swg21616490

AFFECTED PRODUCTS:

IBM Application Manager For Smart Business 1.2.1 (formerly Tivoli Foundations Application Manager 1.2) with an ITM base at the 6.2.2 FP7 level or at the 6.2.2 FP2 level.

REMEDIATION:

Apply fix pack 1.2.1.0-TIV-IAMSB-FP0004 (1.2.1.0-TIV-IAMSB-FP0004.tar.gz) to IBM Application Manager For Smart Business 1.2.1.

Vendor Fix(es):

Fix | VRMF | APAR | Download
1.2.1.0-TIV-IAMSB-FP0004 | N/A | N/A | Fix Central
Workaround(s):

None known; apply the fix pack.

Mitigation(s):

None known

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-2960
· CVE-2013-2961
· CVE-2013-0548
· CVE-2013-0551
· CVE-2013-0576
· CVE-2012-2190
· CVE-2012-2191
· CVE-2012-2203
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/83724>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/83725>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/82767>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/82768>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/75996>
· X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/75994>
· Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21622585
· Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21634920
· Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21616490

RELATED INFORMATION:

IBM Secure Engineering Web Portal

ACKNOWLEDGEMENT

The vulnerabilities described in CVE-2013-0548 and CVE-2013-0551 were discovered by Ewerson Guimarães of the DCLABs Security Team (DCA-2013-0001 and DCA-2013-0002).

Product: IBM Application Manager for Smart Business (SS9KZM); Business Unit: IBM Software w/o TPS (BU059); Component: –; Platform: Platform Independent (PF025); Version: Version Independent; Edition: All Editions; Line of Business: Automation (LOB45)

Affected configurations (Vulners):

Vendor: ibm
Product: application_manager_for_smart_business
Version: any
CPE: cpe:2.3:a:ibm:application_manager_for_smart_business:any:*:*:*:*:*:*:*

