-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0432
 Security Bulletin: Multiple vulnerabilities in IBM Rational Policy Tester
(CVE-2013-0532, CVE-2013-0512, CVE-2012-4431, CVE-2013-0513, CVE-2008-4033,
               CVE-2013-0474, CVE-2013-0473, CVE-2012-5081)
                               26 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Policy Tester
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Increased Privileges       -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Denial of Service          -- Remote/Unauthenticated      
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0532 CVE-2013-0513 CVE-2013-0512
                   CVE-2013-0511 CVE-2013-0474 CVE-2013-0473
                   CVE-2012-5081 CVE-2012-4431 CVE-2008-4033

Reference:         ESB-2013.0412
                   ESB-2013.0386
                   ESB-2013.0356
                   ASB-2012.0144
                   ASB-2012.0143

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21631304

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Rational Policy Tester
(CVE-2013-0532, CVE-2013-0512, CVE-2012-4431, CVE-2013-0513, CVE-2008-4033,
CVE-2013-0474, CVE-2013-0473, CVE-2012-5081)

Document information
Rational Policy Tester

Software version:
5.6, 8.0, 8.5

Operating system(s):
Windows

Reference #:
1631304

Modified date:
2013-03-25

Abstract

Previous releases of IBM Rational Policy Tester are affected by multiple
vulnerabilities reported in third-party components bundled with the product as
well as in proprietary IBM code. These vulnerabilities include Cross-site
Scripting, SQL injection, code execution, stack overflow, Cross-Site
Request Forgery, and Information disclosure vulnerabilities.

Content

VULNERABILITY DETAILS:
Cross-Site Request Forgery vulnerability in Policy Tester

CVE ID: CVE-2013-0532

DESCRIPTION: 
A remote attacker could exploit this vulnerability by creating a request
that would cause a denial of service attack against Policy Tester. Specific
knowledge of Policy Tester is necessary to conduct the attack. The attack
can be conducted over the internet. No authentication is required for the
attack. 

CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82595 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade, contact IBM Technical Support.

Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester

Mitigation(s): 
None

Stack overflow vulnerability in Firefox manual explore plug-in

CVE ID: CVE-2013-0512

DESCRIPTION: 
An attacker could cause the Firefox manual explore browser plug-in used by
Policy Tester to crash using a specially crafted page. Other than causing the
crash, the attacker will not be able to execute any code. Specific knowledge
of Policy Tester is necessary to conduct the attack. The attack can be
conducted over the internet. No authentication is required for the attack. 

CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82593 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 8.0 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.0 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.


Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester

Mitigation(s): 
None

Tomcat 7.0.25 CSRF filter bypass vulnerability

CVE ID: CVE-2012-4431

DESCRIPTION: 
An error exists in Tomcat that can allow cross-site request forgery (CSRF)
attacks to bypass internal filtering. This could allow an attacker to access
protected resources without a session identifier. Specific knowledge of
Tomcat is necessary to conduct the attack. The attack can be conducted
over the internet. No authentication is required for this attack.


CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80518 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 8.5.0.1 to 8.5.0.3 of Rational Policy Tester
Running on Linux:
· Versions 8.5.0.1 to 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 

For version 8.5.0.1 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.

Workaround(s): 
Contact IBM Technical Support for further information on workarounds for
this issue.

Mitigation(s): 
None

Cross-Site Scripting vulnerabilities in Policy Tester

CVE ID: CVE-2013-0473

DESCRIPTION: 
A remote attacker could exploit this vulnerability using a report to inject
malicious script into the application, which would be executed in a victim's
Web browser once the page is viewed. An attacker could potentially obtain
temporary access to the user’s session. Specific knowledge of Policy Tester
is necessary to conduct the attack. The attack can be conducted over an
adjacent network. No authentication is required for this attack.


CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81337 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.


Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester


Mitigation(s): 
None

Service is installed without a quoted service path

CVE ID: CVE-2013-0513

DESCRIPTION: 
A service created during install does not enclose the service path in
quotes, leaving it vulnerable to the Microsoft Windows Unquoted Service Path
Enumeration issue. An attacker could gain elevated privileges using the
service. No specialized knowledge is necessary to conduct this attack. The
attacker will need local access to the Policy Tester machine in order to
conduct the attack. Authentication is not a requirement.

CVSS: 

CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82594 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:L/AC:L/Au:N/C:C/I:C/A:C)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.

Workaround(s): 
Contact IBM Technical Support for further information on workarounds for
this issue.

Mitigation(s): 
IBM Policy Tester users are instructed to use a limited user account as
the service account.
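As an added illustration of the audit check behind this entry (not part of IBM's bulletin), the following Python classifies a Windows service ImagePath the way a configuration review would and produces the quoted form that removes the ambiguity. The sample ImagePath values are constructed and are not the product's real service paths.

```python
import re

def analyze_service_path(image_path: str) -> dict:
    """Classify a Windows service ImagePath as an audit would.

    When an unquoted ImagePath contains spaces, Windows may treat a space as
    the end of the executable name, so the binary that runs depends on what
    exists in the directories earlier in the path. Quoting the executable
    removes that ambiguity; this is what the vendor fix changes.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return {"vulnerable": False, "reason": "executable path is quoted", "fixed": p}
    # Split executable from its arguments at the first '.exe'; if there is
    # none, treat the whole string as the executable.
    m = re.match(r"(?i)^(.*?\.exe)(\s.*)?$", p)
    exe, args = (m.group(1), m.group(2) or "") if m else (p, "")
    if " " not in exe:
        return {"vulnerable": False, "reason": "no spaces in executable path", "fixed": p}
    return {"vulnerable": True,
            "reason": "unquoted executable path contains spaces",
            "fixed": f'"{exe}"{args}'}

def audit_services(services: dict) -> dict:
    """Return {service_name: corrected_image_path} for every vulnerable entry."""
    return {name: analyze_service_path(path)["fixed"]
            for name, path in services.items()
            if analyze_service_path(path)["vulnerable"]}

# Constructed sample ImagePath values (hypothetical, not real Policy Tester paths).
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Example\Agent\agent.exe" -service',
    "GoodNoSpace": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Example\Policy Service\svc.exe",
    "BadUnquotedArgs": r"C:\Program Files\Example\svc.exe -k arg",
}

if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: set ImagePath to {fixed}")
```

On a real host the ImagePath values would come from the service configuration rather than the constructed dictionary above; the classification logic is the same.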


Cross-domain vulnerability in Microsoft XML Core Services dll


CVE ID: CVE-2008-4033

DESCRIPTION: 
The Microsoft XML Core Services dll file that is installed allows remote
attackers to obtain sensitive information from another domain and corrupt
the session state via HTTP request header fields. No specialized knowledge
of Policy Tester is necessary to conduct this attack. The attack can be
conducted over the internet. No authentication is required for this attack.


CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/45555 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.


Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester


Mitigation(s): 
None

AppScan Manual Explore browser sends Platform Authentication credentials
to unauthenticated server

CVE ID: CVE-2013-0474

DESCRIPTION: 
An attacker could specially craft a page to capture platform credentials
upon visiting the page with the manual explore browser plug-in. This could
lead to takeover of the test account being used for scanning. Specific
knowledge of Policy Tester along with the ability to modify the site being
tested is necessary to conduct the attack. The attack can be conducted
over the internet. No authentication is required for this attack.

CVSS: 

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81338 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.


Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester

Mitigation(s): 
None


SQL Injection vulnerability in AppScan Enterprise

CVE ID: CVE-2013-0511

DESCRIPTION: 
A Blind SQL injection attack on certain parameters can be used to access the
information stored in the AppScan Enterprise database. Specific knowledge of
Policy Tester is necessary to conduct the attack. The attacker can conduct
the attack over an adjacent network. Single authentication to the Policy
Tester console is required for this attack.


CVSS: 

CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82344 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:P/A:P)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 5.6 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.


Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester


Mitigation(s): 
None

CVSS5 TLS Issue Disclosed in the Summary Advisory for the Oracle October
2012 CPU

CVE ID: CVE-2012-5081

DESCRIPTION: 
A vulnerability in the JDK's TLS implementation can impact the availability
of the Jazz server bundled with Policy Tester, preventing users from
logging in. The flaw does not impact Policy Tester installations that use
Windows authentication. The attack can be conducted over the internet. No
authentication is required for this attack. No specialized knowledge of
Policy Tester is necessary to conduct this attack.

CVSS: 

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
· Versions 8.5 through 8.5.0.3 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.5 to 8.5.0.3 of Policy Tester
· Upgrade to version 8.5.0.4

If you are unable to upgrade to version 8.5.0.4, contact IBM Technical
Support.

Workaround(s): 
Not applicable; upgrade to version 8.5.0.4 for Policy Tester

Mitigation(s): 
None

REFERENCES: 

Complete CVSS Guide 
On-line Calculator V2
CVE-2012-4431
CVE-2008-4033
CVE-2013-0474
CVE-2013-0473
CVE-2012-5081
CVE-2013-0532
CVE-2013-0511
CVE-2013-0512
CVE-2013-0513
http://xforce.iss.net/xforce/xfdb/82595
http://xforce.iss.net/xforce/xfdb/82593
http://xforce.iss.net/xforce/xfdb/80518
http://xforce.iss.net/xforce/xfdb/81337
http://xforce.iss.net/xforce/xfdb/82594
http://xforce.iss.net/xforce/xfdb/45557
http://xforce.iss.net/xforce/xfdb/81338
http://xforce.iss.net/xforce/xfdb/82344
http://xforce.iss.net/xforce/xfdb/79435

RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this alert. 

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----