
Security Bulletin: Tivoli Workload Dynamic Console Vulnerability exposure in Tivoli Integrated Portal component

2022-09-26 03:29:56
www.ibm.com
CVSS2: 6 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.651 Medium
Percentile: 97.9%

Abstract

New versions of Tivoli Integrated Portal are available (versions TIP 1.1.1.19 and/or TIP 2.2.0.9) containing security fixes for the following security advisories:
“653: IEHS - XSS issue on Search control box”
“474: Potential security exposure with IBM WebSphere application server after installing PM44303”
“216: Apache Tomcat hash denial of service - apache-tomcat-hash-dos (72016)”

Content

VULNERABILITY DETAILS:

Advisory: 653
**CVEID:** CVE-2013-0464
CVSS: 4.3
X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/81060>
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Advisory: 216
**CVEID:** CVE-2011-4858
CVSS: 5.0
X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72016>
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Advisory: 474
**CVEID:** CVE-2012-3325
CVSS: 6.0
X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/77959>
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

**DESCRIPTION:** Tivoli Dynamic Workload Console, as a consumer of Tivoli Integrated Portal, should pick up the newest versions, TIP 1.1.1.19 and/or TIP 2.2.0.9.
These TIP versions contain security fixes for the following security advisories:
“653: IEHS - XSS issue on Search control box”
“474: Potential security exposure with IBM WebSphere application server after installing PM44303”
“216: Apache Tomcat hash denial of service - apache-tomcat-hash-dos (72016)”

The Tivoli Integrated Portal security exposures apply to Tivoli Dynamic Workload Console because Tivoli Integrated Portal is part of TDWC starting from the 8.6.0.0 release.

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Dynamic Workload Console 8.6.0.0
Tivoli Dynamic Workload Console 8.6.0.1

REMEDIATION:
A new version of Tivoli Integrated Portal has been included in Tivoli Dynamic Workload Console 8.6.0.2.
Tivoli Dynamic Workload Console 8.6.0.2 is available on FixCentral for download starting from December 2012.

Workaround(s):
None

Mitigation(s):
None

REFERENCES:
· On-line Calculator V2
· CVE-2013-0464 (<https://vulners.com/cve/CVE-2013-0464>)
· CVE-2012-3325 (<https://vulners.com/cve/CVE-2012-3325>)
· CVE-2011-4858 (<https://vulners.com/cve/CVE-2011-4858>)
· X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/81060>
· X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/77959>
· X-Force: <https://exchange.xforce.ibmcloud.com/vulnerabilities/72016>

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
20 September, 2013: Original Copy Published

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note:_ According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY


| CPE Name | Operator | Version |
|---|---|---|
| ibm workload scheduler | eq | 8.6 |
