-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0125
          A number of vulnerabilities have been identified in IBM
                   Asset and Service Management products
                             7 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Maximo Asset Management
                      Maximo Asset Management Essentials
                      SmartCloud Control Desk
                      Tivoli Asset Management for IT
                      Tivoli Service Request Manager
                      Maximo Service Desk
                      Change and Configuration Management Database
Operating System:     AIX
                      HP-UX
                      Linux variants
                      Solaris
                      Windows
                      VMware ESX Server
Impact/Access:        Execute Arbitrary Code/Commands -- Unknown/Unspecified         
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3326 CVE-2012-3313 CVE-2012-2185
                      CVE-2012-2184 CVE-2012-2183 CVE-2012-0747
                      CVE-2012-0746 CVE-2012-0728 CVE-2012-0727
                      CVE-2012-0714  
Member content until: Sunday, October  7 2012

OVERVIEW

        A number of vulnerabilities have been identified in the following IBM
        products and versions:

        Maximo Asset Management 7.5, 7.1, 6.2
        Maximo Asset Management Essentials 7.5, 7.1, 6.2
        SmartCloud Control Desk 7.5
        Tivoli Asset Management for IT 7.2, 7.1, 6.2
        Tivoli Service Request Manager 7.2, 7.1
        Maximo Service Desk 6.2
        Change and Configuration Management Database 7.2, 7.1


IMPACT

        The vendor has provided the following description of these issues,
        which have been assigned CVE-2012-0714, CVE-2012-0727, CVE-2012-0728,
        CVE-2012-0746, CVE-2012-0747, CVE-2012-2183, CVE-2012-2184,
        CVE-2012-2185, CVE-2012-3313 and CVE-2012-3326:

        "Security vulnerabilities, including Session Fixation, Cross-site
        Scripting, Cross-site Request Forgery, Information Disclosure, and
        SQL Injection" [1]


MITIGATION

        IBM recommends that users install the appropriate Interim Fix or
        Fix Pack for their affected product and version to correct these
        issues. Refer to the vendor advisory [1] for the fix that applies to
        each product version listed above.


REFERENCES

        [1] Security Vulnerabilities Addressed in Asset and Service Mgmt
            http://www-01.ibm.com/support/docview.wss?uid=swg21610081

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----