IBM WebSphere Portal 8.5.0 < 8.5.0 CF14 / 9.0.0 < 9.0.0 CF14 Multiple Vulnerabilities

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99236);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2017-1120",
    "CVE-2017-1156",
    "CVE-2017-1217",
    "CVE-2017-3266",
    "CVE-2017-3267",
    "CVE-2017-3268",
    "CVE-2017-3269",
    "CVE-2017-3270",
    "CVE-2017-3271",
    "CVE-2017-3293",
    "CVE-2017-3294",
    "CVE-2017-3295"
  );
  script_bugtraq_id(
    95507,
    95513,
    95522,
    95524,
    95529,
    95532,
    95534,
    95536,
    95539,
    97075,
    98340,
    99350
  );

  script_name(english:"IBM WebSphere Portal 8.5.0 < 8.5.0 CF14 / 9.0.0 < 9.0.0 CF14 Multiple Vulnerabilities");
  script_summary(english:"Checks for the installed patch.");

  script_set_attribute(attribute:"synopsis", value:
"The web portal software installed on the remote Windows host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of IBM WebSphere Portal installed on the remote Windows
host is 8.5.0 prior to 8.5.0.0 CF14 or 9.0.0 prior to CF14. It is,
therefore, affected by multiple vulnerabilities :

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist in the web UI due to improper validation of
    user-supplied input before returning it to users. An
    unauthenticated, remote attacker can exploit these, via
    a specially crafted request, to execute arbitrary script
    code in a user's browser session. (CVE-2017-1120,
    CVE-2017-1217)

  - A cross-site redirection vulnerability exists due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to follow a specially crafted link,
    to redirect the unsuspecting user from an intended
    trusted website to an arbitrary website of the
    attacker's choosing, which then can be used to conduct
    further attacks. (CVE-2017-1156)

  - A use-after-free error exists in the Outside In Filters
    subcomponent when handling PageHeight and PageWidth
    values in VSDX files. An unauthenticated, remote
    attacker can exploit this to deference already freed
    memory, resulting in the execution of arbitrary code.
    (CVE-2017-3266)

  - Multiple unspecified flaws exist in the Outside In
    Filters subcomponent that allow an unauthenticated,
    remote attacker to cause a denial of service condition.
    (CVE-2017-3267, CVE-2017-3268, CVE-2017-3270)

  - Multiple unspecified flaws exist in the Outside In
    Filters subcomponent that allow an unauthenticated,
    remote attacker to impact confidentiality, integrity,
    and availability. (CVE-2017-3269, CVE-2017-3271,
    CVE-2017-3293)

  - A denial of service vulnerability exists in the Outside
    In Filters subcomponent, specifically in the Content
    Access functionality within the vspdf.dll library, when
    parsing the /Pages key in a Catalog Dictionary. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted PDF file, to crash an application
    linked to the library. (CVE-2017-3294)

  - A denial of service vulnerability exists in the Outside
    In Filters subcomponent, specifically in the Content
    Access functionality within the vspdf.dll library, when
    parsing the /Matrix entry in a /CalRGB element within a
    PDF file. An unauthenticated, remote attacker can
    exploit this, via a specially crafted PDF file that
    triggers an invalid read, to crash an application linked
    to the library. (CVE-2017-3295)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24037786#CF14");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000152");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000153");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22001394");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22004348");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM WebSphere Portal version 8.5.0 CF14 / 9.0.0 CF14 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3293");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_portal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("websphere_portal_installed.nbin");
  script_require_keys("installed_sw/IBM WebSphere Portal");

  exit(0);
}

include("websphere_portal_version.inc");

websphere_portal_check_version(
  ranges:make_list(
    "9.0.0.0, 9.0.0.0, CF14",
    "8.5.0.0, 8.5.0.0, CF14"
    ),
  fix:"PI73835",
  severity:SECURITY_HOLE,
  xss:TRUE
);