Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0220
Security Vulnerabilities Addressed in Asset and Service Mgmt
19 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Maximo Asset Management
Publisher: IBM
Operating System: AIX
Solaris
HP-UX
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
SUSE
Red Hat Enterprise Linux AS/ES/WS 3
Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Impact/Access: Increased Privileges -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0457 CVE-2012-6357 CVE-2012-6356
CVE-2012-6355 CVE-2012-3328 CVE-2012-3327
CVE-2012-3322 CVE-2012-3321 CVE-2012-3316
CVE-2012-2161 CVE-2012-2159
Reference: ESB-2012.1194
ESB-2012.1189
ESB-2012.1101
ESB-2012.1040
ESB-2012.1014
ESB-2012.0944
ESB-2012.0937
ESB-2012.0936
ESB-2012.0915
ESB-2012.0801
ESB-2012.0693
ESB-2012.0530
ESB-2012.1044.2
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21625624
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Vulnerabilities Addressed in Asset and Service Mgmt
Flash (Alert)
Document information
IBM Maximo Asset Management
Software version:
6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1,
7.1.2, 7.2, 7.2.1, 7.5
Operating system(s):
Platform Independent
Reference #:
1625624
Modified date:
2013-02-15
Abstract
Security Bulletin: XSS, Gain Privileges, Improper Access Control
vulnerabilities in Maximo Asset Mgmt, Tivoli Asset Mgmt for IT, Tivoli Service
Request Mgr, Change and Configuration Mgmt Database, and SmartCloud Control
Desk. See Details for CVE IDs.
Content
VULNERABILITY DETAILS:
Customers who have Maximo Asset Management, Maximo Asset Management
Essentials, Tivoli Asset Management for IT, Tivoli Service Request Manager,
Change and Configuration Management Database, and SmartCloud Control Desk are
potentially impacted by these vulnerabilities, which can cause issues related
to Cross-Site Scripting (XSS), which can be used to bypass access controls,
gaining elevated privileges, and improper access control.
CVE ID APAR DESCRIPTION
CVE-2012-2159 JR43170 Open Redirect
CVE-2012-2161 JR43170 Cross-site Scripting
CVE-2012-3316 IV24609 Cross-Site Scripting
CVE-2012-3321 IV25198 Improper Access Control
CVE-2012-3322 IV23838 Cross-Site Scripting
CVE-2012-3327 IV22698 Cross Site Scripting
CVE-2012-3328 IV20823 Cross-Site Scripting
CVE-2012-6355 IV30384 Gain Privileges
CVE-2012-6356 IV27329 Gain Privileges
CVE-2012-6357 IV23511 Gain Privileges
CVE-2013-0457 IV20590 Cross-site Scripting
CVE ID CVSS CVSS Temporal Score Link CVSS Vector
Base Score (see below)
CVE-2012-2159 4.3 http://xforce.iss.net/xforce/xfdb/74832 3
CVE-2012-2161 4.3 http://xforce.iss.net/xforce/xfdb/74833 3
CVE-2012-3316 3.5 http://xforce.iss.net/xforce/xfdb/77813 1
CVE-2012-3321 6.5 http://xforce.iss.net/xforce/xfdb/77916 2
CVE-2012-3322 3.5 http://xforce.iss.net/xforce/xfdb/77918 1
CVE-2012-3327 4.3 http://xforce.iss.net/xforce/xfdb/78039 3
CVE-2012-3328 4.3 http://xforce.iss.net/xforce/xfdb/78040 3
CVE-2012-6355 3.5 http://xforce.iss.net/xforce/xfdb/80747 1
CVE-2012-6356 3.5 http://xforce.iss.net/xforce/xfdb/80748 1
CVE-2012-6357 3.5 http://xforce.iss.net/xforce/xfdb/80749 1
CVE-2013-0457 3.5 http://xforce.iss.net/xforce/xfdb/81011 1
Note: CVE-2012-2159 and CVE-2012-2161 are vulnerabilities in the IBM Eclipse
Help System (IEHS) 3.4.2, a viewer provided to render user assistance
documentation.
CVSS Vector:
1 AV:N/AC:M/Au:S/C:N/I:P/A:N
2 AV:N/AC:L/Au:S/C:P/I:P/A:P
3 AV:N/AC:M/Au:N/C:N/I:P/A:N
* CVSS Environmental Scores: Undefined
VERSIONS AFFECTED:
* Maximo Asset Management 7.5, 7.1, 6.2
* Maximo Asset Management Essentials 7.5, 7.1, 6.2
* SmartCloud Control Desk 7.5
* Tivoli Asset Management for IT 7.2, 7.1, 6.2
* Tivoli Service Request Manager 7.2, 7.1, Maximo Service Desk 6.2
* Change and Configuration Management Database 7.2, 7.1
CVE APAR Products Listed Above
7.5 7.1 / 7.2 6.2
CVE-2012-2159 JR43170 Fixed Fix Pending N/A
CVE-2012-2161 JR43170 Fixed Fix Pending N/A
CVE-2012-3316 IV24609 Fixed Fix Pending Fix Pending
CVE-2012-3321 IV25198 Fixed** N/A N/A
CVE-2012-3322 IV23838 Fixed Fix Pending Fix Pending
CVE-2012-3327 IV22698 Fixed Fixed Fixed
CVE-2012-3328 IV20823 N/A Fix Pending N/A
CVE-2012-6355 IV30384 Fixed Fixed Fix Pending
CVE-2012-6356 IV27329 Fixed N/A N/A
CVE-2012-6357 IV23511 Fixed N/A N/A
CVE-2013-0457 IV20590 Fixed N/A N/A
N/A in this table means that the vulnerability does not exist in that release
Note:
** CVE-2012-3321 is only applicable to SmartCloud Control Desk 7.5, not Maximo
Asset Management.
It is likely that earlier versions of affected products are also affected by
these vulnerabilities. Remediation is not provided for product versions that
are no longer supported. IBM recommends that customers upgrade to the latest
supported version of products in order to obtain remediation for the
vulnerabilities.
REMEDIATION:
The recommended solution is to download the appropriate Interim Fix or Fix
Pack from Fix Central (What is Fix Central?) and apply for each affected
product as soon as possible. Please see below for information on the fixes
available for each product, version, and release. Follow the installation
instructions in the 'readme' documentation provided with each fix pack or
interim fix.
For Maximo Asset Management and Maximo Asset Management Essentials:
VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.5.0.4 Maximo 7.5.0.4 Fix Pack:
7.5.0.4-TIV-MAM-FP004 IV20590, IV22698, IV23511, FixCentral
IV23838, IV24609, IV27329,
IV30384, and IEHS 3.4.2
JR43170
7.5.0.2 Maximo 7.5.0.2 Interim Fix: IV27329 FixCentral
7.5.0.2-TIV-MAM-IFIX004 or
latest Interim Fix available
7.5.0.1 Maximo 7.5.0.1 Interim Fix: IV23511 FixCentral
7.5.0.1-TIV-MBS-IFIX004 or
latest Interim Fix available
7.1.1.12 7.1.1.12 Fix Pack: IV20823, IV23838, IV24609, FixCentral
7.1.1.12-TIV-MBS-FP012 IV30384, and IEHS 3.4.2 (when
JR43170 available)
7.1.1.11 7.1.1.11 Fix Pack: IV22698 FixCentral
7.1.1.11-TIV-MBS-FP011
6.2.8 6.2.8 Interim Fix: IV22698, IV23838, IV24609, Contact
Maximo_6.2.8_LAFix_20120725-1611 IV30384 IBM
or latest Interim Fix available Support
For SmartCloud Control Desk:
VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.5.0.2 SmartCloud Control Desk 7.5.0.2 Fix IV20590, IV22698, FixCentral
Pack: IV23511, IV23838,
7.5.0.2-TIV-SCCD-AIX-FP0002 IV24609, IV25198,
7.5.0.2-TIV-SCCD-Linux-FP0002 IV27329, IV30384 and
7.5.0.2-TIV-SCCD-Windows-FP0002 IEHS 3.4.2 JR43170
7.5.1.0 SmartCloud Control Desk 7.5.1.0 Release IV20590, IV22698, Passport
IV23511, IV23838, Advantage
IV24609, IV25198,
IV27329, IV30384 and
IEHS 3.4.2 JR43170
For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo
Service Desk, and Change and Configuration Management Database
VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.1.1.12 7.1.1.12 Fix Pack: IV20823, IV23838, FixCentral
7.1.1.12-TIV-MBS-FP012 IV24609, IV30384 and (when
IEHS 3.4.2 JR43170 available)
7.1.1.11 7.1.1.11 Fix Pack: IV22698 FixCentral
7.1.1.11-TIV-MBS-FP011
6.2.8 6.2.8 Interim Fix: IV22698, IV23838, Contact
Maximo_6.2.8_LAFix_20120725-1611 or IV24609, IV30384 IBM
latest Interim Fix available Support
If assistance is needed in determining the appropriate Fix Pack or Interim Fix
level, contact IBM Technical Support. It is recommended that you always
request the latest available Fix Pack or Interim Fix.
Due to the threat posed by a successful attack, IBM strongly recommends that
customers apply fixes as soon as possible.
WORKAROUND:
Until you apply the fixes, it may be possible to reduce the risk of successful
attack by restricting network protocols required by an attack. For attacks
that require certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged users may
help reduce the risk of successful attack. Both approaches may break
application functionality, so IBM strongly recommends that customers test
changes on non-production systems. Neither approach should be considered a
long-term solution as neither corrects the underlying problem.
MITIGATION: None
REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2012-2159
CVE-2012-2161
CVE-2012-3316
CVE-2012-3321
CVE-2012-3322
CVE-2012-3327
CVE-2012-3328
CVE-2012-6355
CVE-2012-6356
CVE-2012-6357
CVE-2013-0457
* The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Change History
15 Feb 2013 Flash published
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUSMZs+4yVqjM2NGpAQKfDQ/+JFi/AUNDeOzz+4VRwooO/M4iPZkVshb5
wdwhsSU/UBjWibGql+A9yO+JPsn/zHxRsSInW8uB6Huhm4ACS6aOwPu+j2xBNDK0
Bzp/Cj3phcTVWlte0BQoZqDZZN8NTm+pAtJPK/jHIAvTzUtouMZujQND+XQy6IbA
ZuUMAlep6v5yKH5xRnWtdscWlv718aFOfaO7I6e+p7EgeOLw+OA1xM/JSrFUykgC
Wy1NtlsTL/MaK+xi2s3XNgk6zvici0WZY9JO9Usi+mu/Db9cOnW1F5QNvVDBvR2Z
JTZbUTLZl+GrrAu6yUj8CtjkKqDf/TACbf6hZwxmiEw6+3ESabpHBuCvrpWhq83Q
8/rApeDFEcAV7432adajh5WnL049IGS8lcpXVGGnNnJvEZaC3Gulygl8YXfSkXnI
AZDa7doCJVX+MM9zNlONaa8copW5C09V5IKrfJWB/4W/yXddUPGcROKKyorTrpXE
VE+ze+UTwaM6KWfKED6wmox9TyRj7BlrcMRrmdgtsJnUObXekmCOieAP8DzXCBen
cdiMn167VLG55zxPlL3nESRYUqMnn2xRBkwc7FFLsl8UbPBVJGmdJxhmvsY8InNT
c6H6EYcw3LM4xh9yGa1CPsm1VaeYpnpEEBMzvx6Gon8tV+IgmQlMY7attGBJ8n8o
f55x8cX5DMY=
=dhsC
-----END PGP SIGNATURE-----