-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0409
 Security Bulletin: Multiple security vulnerabilities - IBM Sterling Order
                 Management (CVE-2013-0505, CVE-2013-0506)
                               20 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling Order Management
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Solaris
                   Linux variants
                   Windows
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0506 CVE-2013-0505 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg27027082

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple security vulnerabilities - IBM Sterling Order 
Management (CVE-2013-0505, CVE-2013-0506)

Document information

Sterling Selling and Fulfillment Suite

Maintenance

Software version:
8.0, 8.5, 9.0

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
All Editions

Reference #:
1631302

Modified date:
2013-03-18

Flash (Alert)

Abstract

IBM Sterling Order Management is vulnerable to cross-site scripting and XPath 
injections.

Content

VULNERABILITY DETAILS:


CVE ID: CVE-2013-0505

Description: IBM Sterling Order Management is vulnerable to XPath 
injection, caused by improper validation of input before it is used in an 
XPath (XML Path Language) query. By injecting arbitrary XPath code, a 
malicious user could exploit this vulnerability to read arbitrary XML files.
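Added example (not IBM's code, nor the content of the fixes listed below): a Ruby/REXML sketch of the query pattern behind this class of XPath injection, with the string-concatenated lookup beside a version that binds the user-supplied value as an XPath variable. The order document, element names and function names are constructed for illustration.

```ruby
# Added example (not IBM's code): the query pattern behind an XPath injection
# and the fix. The sample document stands in for an order-management XML store.
require 'rexml/document'

# Constructed sample data: each order carries the customer it belongs to.
ORDERS_XML = <<~XML
  <orders>
    <order id="1001" customer="alice"><total>42.00</total></order>
    <order id="1002" customer="bob"><total>99.50</total></order>
    <order id="1003" customer="alice"><total>7.25</total></order>
  </orders>
XML

DOC = REXML::Document.new(ORDERS_XML)

# VULNERABLE: the customer name is spliced into the query text, so a value
# containing a quote can close the string literal and rewrite the predicate,
# returning records the caller was never meant to see.
def orders_for_customer_unsafe(customer)
  query = "//order[@customer='#{customer}']"
  REXML::XPath.match(DOC, query).map { |o| o.attributes['id'] }
end

# FIXED: the customer name is bound as an XPath variable ($c). The engine
# compares it as a value; it is never parsed as query syntax.
def orders_for_customer_safe(customer)
  REXML::XPath.match(DOC, "//order[@customer=$c]", nil, { 'c' => customer })
             .map { |o| o.attributes['id'] }
end

# Boundary check for code paths that cannot yet use variable binding: reject
# input carrying XPath string delimiters. An allow-list on the expected value
# format (here, an account name) is the stronger control when one is known.
def xpath_literal_safe?(value)
  !value.include?("'") && !value.include?('"')
end
```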

CVSS:

CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82339 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

IBM Sterling Selling and Fulfillment Foundation 9.2.0
IBM Sterling Selling and Fulfillment Foundation 9.1.0
IBM Sterling Selling and Fulfillment Foundation 9.0
IBM Sterling Selling and Fulfillment Foundation 8.5
IBM Sterling Multi-Channel Fulfillment Solution 8.0

REMEDIATION:

Fix*        VRMF       APAR       How to acquire fix

9.2.0-FP13  9.2.0.13              http://www-933.ibm.com/support/fixcentral/options
                                  Select the appropriate VRMF, i.e. 9.2.0.13, to access the FixPack

9.1.0-FP41  9.1.0.41   ID358571   http://www-933.ibm.com/support/fixcentral/options
                                  Select the appropriate VRMF, i.e. 9.1.0.41, to access the FixPack

9.0-HF69    9.0.0.69              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

8.5-HF89    8.5.0.89              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

8.0-HF127   8.0.0127              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US


Workaround(s):

None known; apply the fixes listed above.

Mitigation(s):

None known 

CVE ID: CVE-2013-0506

Description: IBM Sterling Order Management is vulnerable to cross-site 
scripting which could lead to unauthorized access through the injected scripts.

CVSS:

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82341 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

IBM Sterling Selling and Fulfillment Foundation 9.2.0
IBM Sterling Selling and Fulfillment Foundation 9.1.0
IBM Sterling Selling and Fulfillment Foundation 9.0
IBM Sterling Selling and Fulfillment Foundation 8.5
IBM Sterling Multi-Channel Fulfillment Solution 8.0

REMEDIATION:

Fix*        VRMF       APAR       How to acquire fix

9.2.0-FP13  9.2.0.13              http://www-933.ibm.com/support/fixcentral/options
                                  Select the appropriate VRMF, i.e. 9.2.0.13, to access the FixPack

9.1.0-FP41  9.1.0.41   IC90858    http://www-933.ibm.com/support/fixcentral/options
                                  Select the appropriate VRMF, i.e. 9.1.0.41, to access the FixPack

9.0-HF69    9.0.0.69              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

8.5-HF89    8.5.0.89              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

8.0-HF127   8.0.0127              https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

Workaround(s):

None known; apply the fixes listed above.

Mitigation(s):

None known 

REFERENCES:

Complete CVSS Guide
On-line Calculator V2
CVE-2013-0506
CVE-2013-0505
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82341
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82339

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


Cross reference information 

Segment    Product                    Component   Platform                              Version    Edition
Commerce   Sterling Order Management              AIX, HP-UX, Linux, Solaris, Windows   9.2, 9.1

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service 
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----