===========================================================================
AUSCERT Security Bulletin

ASB-2012.0125
A number of vulnerabilities have been identified in IBM Asset and
Service Management products
7 September 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Maximo Asset Management
                   Maximo Asset Management Essentials
                   SmartCloud Control Desk
                   Tivoli Asset Management for IT
                   Tivoli Service Request Manager
                   Maximo Service Desk
                   Change and Configuration Management Database
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   VMWare ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3326 CVE-2012-3313 CVE-2012-2185
                   CVE-2012-2184 CVE-2012-2183 CVE-2012-0747
                   CVE-2012-0746 CVE-2012-0728 CVE-2012-0727
                   CVE-2012-0714
Member content until: Sunday, October 7 2012

OVERVIEW

A number of vulnerabilities have been identified in the following IBM
products:

    Maximo Asset Management 7.5, 7.1, 6.2
    Maximo Asset Management Essentials 7.5, 7.1, 6.2
    SmartCloud Control Desk 7.5
    Tivoli Asset Management for IT 7.2, 7.1, 6.2
    Tivoli Service Request Manager 7.2, 7.1
    Maximo Service Desk 6.2
    Change and Configuration Management Database 7.2, 7.1

IMPACT

The vendor has provided the following descriptions regarding these issues
which have been assigned CVE-2012-0714, CVE-2012-0727, CVE-2012-0728,
CVE-2012-0746, CVE-2012-0747, CVE-2012-2183, CVE-2012-2184, CVE-2012-2185,
CVE-2012-3313, CVE-2012-3326:

"Security vulnerabilities, including Session Fixation, Cross-site
Scripting, Cross-site Request Forgery, Information Disclosure, and SQL
Injection" [1]

MITIGATION

IBM recommends that users install the appropriate Interim Fix or Fix Pack
to correct these issues. [1]

REFERENCES

[1] Security Vulnerabilities Addressed in Asset and Service Mgmt
    http://www-01.ibm.com/support/docview.wss?uid=swg21610081

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================