IBM Support Assistant: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0634
        IBM Support Assistant Security Advisory and Security Update
                                2 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Support Assistant
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0191 CVE-2012-0187 CVE-2012-0186
                   CVE-2010-4647 CVE-2008-7271 

Reference:         ESB-2012.0613
                   ESB-2011.0542

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21599620

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Support Assistant Security Advisory and Security Update
Pack (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191, 
CVE-2012-0187)

Document information
IBM Support Assistant

Workbench

Software version:
4.1

Operating system(s):
Linux, Windows

Software edition:
Workbench

Reference #:
1599620

Modified date:
2012-06-28

Flash (Alert)

Abstract

IBM has identified a total of four vulnerabilities in IBM Support Assistant. 
All four vulnerabilities are resolved by the IBM Support Assistant 4.1.3 
fixpack.

Content

VULNERABILITY DETAILS  Directory Traversal

    CVE ID: CVE-2012-0186

    DESCRIPTION: Specially-crafted URLs can be sent to the Eclipse Help 
    component of IBM Support Assistant to disclose the location of private 
    resources (files). This issue can be tracked by SPR # SAKL7QQG28.

    CVSS: 
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72096 for the 
    current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



VULNERABILITY DETAILS  Flawed Access Control Checks for Remote requests to Web 
Container

    CVE ID: CVE-2012-0191

    DESCRIPTION: Malicious users can spoof request headers sent to the IBM 
    Support Assistant web container exploiting a flaw in access control 
    checking to make it appear that the request came from localhost. This issue 
    can be tracked as SPR# SAKL7QQG28 and MSTO89WRX8.

    CVSS: 
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72156 for the 
    current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:N/I:P/A:N)



VULNERABILITY DETAILS  Microsoft Windows Insecure Library Loading

    CVE ID: CVE-2012-0187

    DESCRIPTION: A vulnerability in IBM Support Assistant caused by the 
    Microsoft Windows Insecure Library Loading issue could allow remote code 
    execution. Users clicking on a known file type from an untrusted and 
    vulnerable location may inadvertently cause execution of untrusted code on 
    their system. For more details please reference Microsoft Security Advisory 
    2269637. This issue can be tracked as SPR# DKLN8K7TEA, RAKA89HPF2, 
    JKAE893E7R and RAKA899QV5.

    CVSS: 
    CVSS Base Score: 9.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72097 for the 
    current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)



VULNERABILITY DETAILS  Multiple IBM Support Assistant Cross-site Scripting 
issues

    CVE IDs: CVE-2008-7271, CVE-2010-4647

    DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the 
    Help Contents web application (i.e., the Help Server) in Eclipse IDE, 
    possibly 3.3.2, allow remote attackers to inject arbitrary web script or 
    HTML. These issues can be tracked as SPR# SAKL7QQG28 and JCHC89R945.

    CVSS: 
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/64833 and
    http://xforce.iss.net/xforce/xfdb/64834 for the current scores
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:R/AC:M/Au:N/C:N/I:P/A:N)




REMEDIATION:
The recommended solution is to apply the fix. To obtain this fix, IBM Support 
Assistant customers can use the update component to download and install the 
fixpack. The update component can be accessed from the "Update -> Find Updates
To Add-ons..." menu option within the IBM Support Assistant Workbench.

Workaround: 
None known, apply fixes.

Mitigation:
None known, apply fixes.


REFERENCES: 
 Complete CVSS Guide 
 On-line Calculator V2
 X-Force Vulnerability Database  Eclipse IDE searchWord cross-site scripting
 X-Force Vulnerability Database  Eclipse IDE query string cross-site scripting
 X-Force Vulnerability Database  Directory Traversal
 X-Force Vulnerability Database  Flawed Access Control Checks for Remote 
 requests to Web Container
 X-Force Vulnerability Database  Microsoft Windows Insecure Library Loading
 CVE-2008-7271
 CVE-2010-4647
 CVE-2012-0186
 CVE-2012-0191
 CVE-2012-0187

RELATED INFORMATION:
 IBM Secure Engineering Web Portal 
 IBM Product Security Incident Response Blog

CHANGE HISTORY: 
 25/06/2012: Initial publication.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF 
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY 
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information 
Segment 				Product 		Component 		Platform 	
Mobile- Speech and Enterprise Access	Lotus Expeditor		Client for Desktop	Linux, Windows		

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark information" 
at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT/EQHe4yVqjM2NGpAQKC0BAAsbpLqA0r0ml5SwYcLVffMTdjNldg3ivY
7aSeFmGWoECHjjHLpjCH9wfgSYzRhRYW1jxjw4U6IuFH5kTMIAgr8vRxzigjWPtC
DqFwcbncKIPvUhY8l01js3CLtLpb2ML6ZRTK6wkVK7uT7CnolwqqZo5NQHNThYzl
hBEBeBm7o9ym8YBATsKQ8nwBk7GPwF2xtMNFuHGP6w87vBfHGwyPNiAfa9g3QaTW
12PJgKCcI0XzHdeb/czjKOcDjGaEl4yPO5IIhpHvufjIRUIKDcnt8RgiCjXdly93
khoN/bEXlWDiUv71gSJYHhe9PCmROE8FF9Gn6OozRqNvAhBlu4f28f4fK4x3494X
GJcNGZGa00TxxzpAkLxrix/l5aiwh1k0LrYniZfbmGkHWFIWG+YLC+MP5mgcHYEw
742fgKcMLk2j3SNoiYX8Ov+DWkupCZbfdFeBlG0b8vB5TvcDT5qh52MOsJAGqWbG
STniy/P8Ig+COFoAlABwGGM4O1mwSjYD4x4TkUCxj5I9sTV3gFWv/jUUXiejgY6K
EgZ6qCksHhtGaxz2IGkPv2skXRrd++xWCRa/gyUKRU5BL5TpRquaZ7F6hNMQIomn
ECGBLJAmhJAAbjA2H19MXbqCK7YTaP10mz+LovoGjKyS7bPL7Y/z9GGseOf20MoW
CLtRv7Ch93k=
=hxRN
-----END PGP SIGNATURE-----