-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0220
       Security Vulnerabilities Addressed in Asset and Service Mgmt
                             19 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   HP-UX
                   Windows 2000
                   Windows Server 2003
                   Windows Server 2008
                   Windows Server 2008 R2
                   Windows Server 2012
                   SUSE
                   Red Hat Enterprise Linux AS/ES/WS 3
                   Red Hat Enterprise Linux AS/ES/WS 4
                   Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Increased Privileges           -- Existing Account            
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0457 CVE-2012-6357 CVE-2012-6356
                   CVE-2012-6355 CVE-2012-3328 CVE-2012-3327
                   CVE-2012-3322 CVE-2012-3321 CVE-2012-3316
                   CVE-2012-2161 CVE-2012-2159 

Reference:         ESB-2012.1194
                   ESB-2012.1189
                   ESB-2012.1101
                   ESB-2012.1040
                   ESB-2012.1014
                   ESB-2012.0944
                   ESB-2012.0937
                   ESB-2012.0936
                   ESB-2012.0915
                   ESB-2012.0801
                   ESB-2012.0693
                   ESB-2012.0530
                   ESB-2012.1044.2

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21625624

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities Addressed in Asset and Service Mgmt

Flash (Alert)

Document information

IBM Maximo Asset Management

Software version:
6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1, 
7.1.2, 7.2, 7.2.1, 7.5

Operating system(s):
Platform Independent

Reference #:
1625624

Modified date:
2013-02-15

Abstract

Security Bulletin: XSS, Gain Privileges, Improper Access Control 
vulnerabilities in Maximo Asset Mgmt, Tivoli Asset Mgmt for IT, Tivoli Service 
Request Mgr, Change and Configuration Mgmt Database, and SmartCloud Control 
Desk. See Details for CVE IDs.

Content

VULNERABILITY DETAILS:

Customers who have Maximo Asset Management, Maximo Asset Management 
Essentials, Tivoli Asset Management for IT, Tivoli Service Request Manager, 
Change and Configuration Management Database, and SmartCloud Control Desk are 
potentially impacted by these vulnerabilities, which can cause issues related 
to Cross-Site Scripting (XSS), which can be used to bypass access controls, 
gaining elevated privileges, and improper access control.

CVE ID		APAR		DESCRIPTION		
CVE-2012-2159	JR43170		Open Redirect
CVE-2012-2161	JR43170		Cross-site Scripting
CVE-2012-3316	IV24609		Cross-Site Scripting
CVE-2012-3321	IV25198		Improper Access Control
CVE-2012-3322	IV23838		Cross-Site Scripting
CVE-2012-3327	IV22698		Cross Site Scripting
CVE-2012-3328	IV20823		Cross-Site Scripting
CVE-2012-6355	IV30384		Gain Privileges
CVE-2012-6356	IV27329		Gain Privileges
CVE-2012-6357	IV23511		Gain Privileges
CVE-2013-0457	IV20590		Cross-site Scripting

CVE ID		CVSS 	CVSS Temporal Score Link		CVSS Vector
		Base Score					(see below)
CVE-2012-2159	4.3	http://xforce.iss.net/xforce/xfdb/74832		3
CVE-2012-2161	4.3	http://xforce.iss.net/xforce/xfdb/74833		3
CVE-2012-3316	3.5	http://xforce.iss.net/xforce/xfdb/77813		1
CVE-2012-3321	6.5	http://xforce.iss.net/xforce/xfdb/77916		2
CVE-2012-3322	3.5	http://xforce.iss.net/xforce/xfdb/77918		1
CVE-2012-3327	4.3	http://xforce.iss.net/xforce/xfdb/78039		3
CVE-2012-3328	4.3	http://xforce.iss.net/xforce/xfdb/78040		3
CVE-2012-6355	3.5	http://xforce.iss.net/xforce/xfdb/80747		1
CVE-2012-6356	3.5	http://xforce.iss.net/xforce/xfdb/80748		1
CVE-2012-6357	3.5	http://xforce.iss.net/xforce/xfdb/80749		1
CVE-2013-0457	3.5	http://xforce.iss.net/xforce/xfdb/81011		1

Note: CVE-2012-2159 and CVE-2012-2161 are vulnerabilities in the IBM Eclipse 
Help System (IEHS) 3.4.2, a viewer provided to render user assistance 
documentation. 

CVSS Vector:
1 AV:N/AC:M/Au:S/C:N/I:P/A:N
2 AV:N/AC:L/Au:S/C:P/I:P/A:P
3 AV:N/AC:M/Au:N/C:N/I:P/A:N
* CVSS Environmental Scores: Undefined

VERSIONS AFFECTED:
* Maximo Asset Management 7.5, 7.1, 6.2
* Maximo Asset Management Essentials 7.5, 7.1, 6.2
* SmartCloud Control Desk 7.5
* Tivoli Asset Management for IT 7.2, 7.1, 6.2 
* Tivoli Service Request Manager 7.2, 7.1, Maximo Service Desk 6.2
* Change and Configuration Management Database 7.2, 7.1

CVE		APAR	Products Listed Above
			7.5	7.1 / 7.2	6.2
CVE-2012-2159	JR43170	Fixed	Fix Pending	N/A
CVE-2012-2161	JR43170	Fixed	Fix Pending	N/A
CVE-2012-3316	IV24609	Fixed	Fix Pending	Fix Pending
CVE-2012-3321	IV25198	Fixed**	N/A		N/A
CVE-2012-3322	IV23838	Fixed	Fix Pending	Fix Pending
CVE-2012-3327	IV22698	Fixed	Fixed		Fixed
CVE-2012-3328	IV20823	N/A	Fix Pending	N/A
CVE-2012-6355	IV30384	Fixed	Fixed		Fix Pending
CVE-2012-6356	IV27329	Fixed	N/A		N/A
CVE-2012-6357	IV23511	Fixed	N/A		N/A
CVE-2013-0457	IV20590	Fixed	N/A		N/A
N/A in this table means that the vulnerability does not exist in that release

Note:
** CVE-2012-3321 is only applicable to SmartCloud Control Desk 7.5, not Maximo 
Asset Management.
It is likely that earlier versions of affected products are also affected by 
these vulnerabilities. Remediation is not provided for product versions that 
are no longer supported. IBM recommends that customers upgrade to the latest 
supported version of products in order to obtain remediation for the 
vulnerabilities.

REMEDIATION: 
The recommended solution is to download the appropriate Interim Fix or Fix 
Pack from Fix Central (What is Fix Central?) and apply for each affected 
product as soon as possible. Please see below for information on the fixes 
available for each product, version, and release. Follow the installation 
instructions in the 'readme' documentation provided with each fix pack or 
interim fix. 

For Maximo Asset Management and Maximo Asset Management Essentials:

VRMF	 Fix Pack or Interim Fix	  Vulnerability APARs 	     Download
7.5.0.4	 Maximo 7.5.0.4 Fix Pack:
	 7.5.0.4-TIV-MAM-FP004		  IV20590, IV22698, IV23511, FixCentral
					  IV23838, IV24609, IV27329, 
					  IV30384, and IEHS 3.4.2 
					  JR43170			   
7.5.0.2	 Maximo 7.5.0.2 Interim Fix: 	  IV27329		     FixCentral
	 7.5.0.2-TIV-MAM-IFIX004 or 
	 latest Interim Fix available	
7.5.0.1	 Maximo 7.5.0.1 Interim Fix: 	  IV23511		     FixCentral
	 7.5.0.1-TIV-MBS-IFIX004 or 
	 latest Interim Fix available	
7.1.1.12 7.1.1.12 Fix Pack: 		  IV20823, IV23838, IV24609, FixCentral
	 7.1.1.12-TIV-MBS-FP012		  IV30384, and IEHS 3.4.2    (when
					  JR43170		     available)
7.1.1.11 7.1.1.11 Fix Pack:		  IV22698		     FixCentral
	 7.1.1.11-TIV-MBS-FP011		
6.2.8	 6.2.8 Interim Fix:		  IV22698, IV23838, IV24609, Contact
	 Maximo_6.2.8_LAFix_20120725-1611 IV30384		     IBM 
	 or latest Interim Fix available			     Support

For SmartCloud Control Desk:
VRMF	Fix Pack or Interim Fix			Vulnerability APARs  Download
7.5.0.2	SmartCloud Control Desk 7.5.0.2 Fix 	IV20590, IV22698,    FixCentral
	Pack:					IV23511, IV23838, 
	7.5.0.2-TIV-SCCD-AIX-FP0002		IV24609, IV25198, 
	7.5.0.2-TIV-SCCD-Linux-FP0002		IV27329, IV30384 and 
	7.5.0.2-TIV-SCCD-Windows-FP0002		IEHS 3.4.2 JR43170   
7.5.1.0	SmartCloud Control Desk 7.5.1.0 Release	IV20590, IV22698,    Passport 
						IV23511, IV23838,    Advantage
						IV24609, IV25198, 
						IV27329, IV30384 and 
						IEHS 3.4.2 JR43170   

For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo 
Service Desk, and Change and Configuration Management Database
VRMF	 Fix Pack or Interim Fix		Vulnerability APARs  Download
7.1.1.12 7.1.1.12 Fix Pack: 			IV20823, IV23838,    FixCentral
	 7.1.1.12-TIV-MBS-FP012			IV24609, IV30384 and (when
						IEHS 3.4.2 JR43170   available)
7.1.1.11 7.1.1.11 Fix Pack:			IV22698		     FixCentral
	 7.1.1.11-TIV-MBS-FP011			
6.2.8	 6.2.8 Interim Fix:			IV22698, IV23838,    Contact 
	 Maximo_6.2.8_LAFix_20120725-1611 or	IV24609, IV30384     IBM 
	 latest Interim Fix available				     Support

If assistance is needed in determining the appropriate Fix Pack or Interim Fix 
level, contact IBM Technical Support. It is recommended that you always 
request the latest available Fix Pack or Interim Fix.

Due to the threat posed by a successful attack, IBM strongly recommends that 
customers apply fixes as soon as possible.

WORKAROUND: 
Until you apply the fixes, it may be possible to reduce the risk of successful 
attack by restricting network protocols required by an attack. For attacks 
that require certain privileges or access to certain packages, removing the 
privileges or the ability to access the packages from unprivileged users may 
help reduce the risk of successful attack. Both approaches may break 
application functionality, so IBM strongly recommends that customers test 
changes on non-production systems. Neither approach should be considered a 
long-term solution as neither corrects the underlying problem.

MITIGATION: None

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2012-2159
CVE-2012-2161
CVE-2012-3316
CVE-2012-3321
CVE-2012-3322
CVE-2012-3327
CVE-2012-3328
CVE-2012-6355
CVE-2012-6356
CVE-2012-6357
CVE-2013-0457

* The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash. 

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Change History
15 Feb 2013	Flash published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUSMZs+4yVqjM2NGpAQKfDQ/+JFi/AUNDeOzz+4VRwooO/M4iPZkVshb5
wdwhsSU/UBjWibGql+A9yO+JPsn/zHxRsSInW8uB6Huhm4ACS6aOwPu+j2xBNDK0
Bzp/Cj3phcTVWlte0BQoZqDZZN8NTm+pAtJPK/jHIAvTzUtouMZujQND+XQy6IbA
ZuUMAlep6v5yKH5xRnWtdscWlv718aFOfaO7I6e+p7EgeOLw+OA1xM/JSrFUykgC
Wy1NtlsTL/MaK+xi2s3XNgk6zvici0WZY9JO9Usi+mu/Db9cOnW1F5QNvVDBvR2Z
JTZbUTLZl+GrrAu6yUj8CtjkKqDf/TACbf6hZwxmiEw6+3ESabpHBuCvrpWhq83Q
8/rApeDFEcAV7432adajh5WnL049IGS8lcpXVGGnNnJvEZaC3Gulygl8YXfSkXnI
AZDa7doCJVX+MM9zNlONaa8copW5C09V5IKrfJWB/4W/yXddUPGcROKKyorTrpXE
VE+ze+UTwaM6KWfKED6wmox9TyRj7BlrcMRrmdgtsJnUObXekmCOieAP8DzXCBen
cdiMn167VLG55zxPlL3nESRYUqMnn2xRBkwc7FFLsl8UbPBVJGmdJxhmvsY8InNT
c6H6EYcw3LM4xh9yGa1CPsm1VaeYpnpEEBMzvx6Gon8tV+IgmQlMY7attGBJ8n8o
f55x8cX5DMY=
=dhsC
-----END PGP SIGNATURE-----