
Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2013-5448, CVE-2013-6307, CVE-2013-5463)

2022-09-25 23:09:27
www.ibm.com

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001
Percentile: 50.1%

Abstract

Cross Site Scripting and injection vulnerabilities have been discovered within IBM Security QRadar SIEM.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-5448

DESCRIPTION: A Cross Site Scripting vulnerability has been discovered within the IBM QRadar Security Information and Event Management (SIEM) software in the “Right Click Plugin” context menus for IP information. This issue is only apparent when the plugin menu is enabled (via the ip_context_menu.xml file); the menu is not enabled by default.

The attack requires network access and some specialized knowledge of the system; the attacker does not need to be authenticated by the application. An exploit could impact the integrity of the data, but the availability of the system and confidentiality of information are not compromised.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87912> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.1
IBM QRadar Security Information and Event Manager (SIEM) 7.2

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· For QRadar SIEM 7.2 – Install QRadar SIEM 7.2 MR1 Patch 1
· For QRadar SIEM 7.1 – Follow Workaround instructions below (patch to be released on February 3, 2014)

Workaround(s):
The following workaround applies to all versions of the product. It disables the IP Right Click Context Plugin:

1. Using SSH, log in to the IBM QRadar SIEM Console as the root user:
ssh <consoleip>

2. Move the plugin XML file to a backup file:
mv /opt/qradar/conf/ip_context_menu.xml /opt/qradar/conf/ip_context_menu.xml.bak

3. Restart Tomcat:
service tomcat restart

After these steps have been completed, the plugin menu is disabled and the system is no longer vulnerable to the XSS issue. Once the patch has been applied, you can re-enable the plugin menu.

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Stephen Hosom

CVE ID: CVE-2013-6307

DESCRIPTION: A Cross Site Scripting vulnerability has been discovered within the IBM QRadar SIEM software.

The attack requires network access and some specialized knowledge of the system; the attacker does not need to be authenticated by the application. An exploit could impact the integrity of the system, but the availability of the system and confidentiality of information are not compromised.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/88556> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.0

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· QRadar SIEM 7.1 MR2 Patch 3 (or higher)

(NOTE: For QRadar SIEM 7.0 users, contact IBM Support for instructions)

Workaround(s):
None

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by azzeddine @ zertox1

CVE ID: CVE-2013-5463

DESCRIPTION: It is possible to bypass protections in the QRadar WinCollect agent by using an injection-based attack. Using such an attack, it is possible to inject a malicious DLL or configuration into the agent, which can affect the security of the host it is installed on.

The attack requires network access, requires some specialized knowledge or techniques and does not require authentication. An exploit can impact the integrity of the system, availability of the system and confidentiality of information stored within the system.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/88361> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) WinCollect Agent prior to v7.1.1

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· QRadar SIEM WinCollect Agent 7.1.1 (7.1.1.569824-setup.exe or above)

Workaround(s):
None

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Allan A. Klein

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-5448
· CVE-2013-6307
· CVE-2013-5463
· https://exchange.xforce.ibmcloud.com/vulnerabilities/87912
· https://exchange.xforce.ibmcloud.com/vulnerabilities/88556
· https://exchange.xforce.ibmcloud.com/vulnerabilities/88361
· IBM Security Alerts
· QRadar SIEM 7.2 MR1 Patch 1
· QRadar SIEM 7.1 MR2 Patch 3
· QRadar SIEM WinCollect Agent 7.1.1

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY:

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY


Affected configurations

Vulners node: ibm qradar_network_security matches 7.1 OR 7.0 OR 7.2

Vendor  Product                  Version  CPE
ibm     qradar_network_security  7.1      cpe:2.3:a:ibm:qradar_network_security:7.1:*:*:*:*:*:*:*
ibm     qradar_network_security  7.0      cpe:2.3:a:ibm:qradar_network_security:7.0:*:*:*:*:*:*:*
ibm     qradar_network_security  7.2      cpe:2.3:a:ibm:qradar_network_security:7.2:*:*:*:*:*:*:*
