===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0094
       Vulnerabilities have been identified in IBM Rational AppScan
                              25 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM Rational AppScan 7.8, 7.8.0.1, 7.8.0.2, 7.9, 
                        7.9.0.1, 7.9.0.2, 7.9.0.3
                      IBM Rational AppScan 8.0, 8.0.0.1, 8.0.0.2
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-1367 CVE-2011-1366 
Member content until: Thursday, November 24 2011

OVERVIEW

        Vulnerabilities have been identified in IBM Rational AppScan 
        Enterprise, IBM Rational AppScan Reporting Console and IBM Rational 
        AppScan Standard and Express.


IMPACT

        The vendor has provided the following descriptions of the 
        vulnerabilities, which have been assigned CVE-2011-1366 and CVE-2011-1367:
        
        CVE-2011-1366: "When importing the contents of a ZIP file in IBM 
        Rational AppScan Enterprise or IBM Rational AppScan Reporting Console,
        remote command execution is possible on an agent server computer when
        the import job is run." [1]
        
        CVE-2011-1367: "When loading a .scan file into IBM Rational AppScan
        Standard or IBM Rational AppScan Express, remote command execution is
        possible on the computer running these AppScan products." [1]


MITIGATION

        The vendor recommends updating to the latest version of IBM Rational 
        AppScan or applying the appropriate Fix Pack. [1]


REFERENCES

        [1] Security Bulletin: Vulnerability in Rational AppScan Standard,
            Express, Enterprise and Reporting Console with potential for
            command execution (CVE-2011-1366, CVE-2011-1367)
            https://www-304.ibm.com/support/docview.wss?uid=swg21515110

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================