-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0766
      Security Bulletin: Multiple security vulnerabilities in IBM Sales
    Center for WebSphere Commerce (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186,
                  CVE-2012-0191, CVE-2012-2159, CVE-2012-2161)
                                 3 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sales Center for WebSphere Commerce
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Cross-site Request Forgery     -- Remote/Unauthenticated
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2161 CVE-2012-2159 CVE-2012-0191 CVE-2012-0186
                   CVE-2010-4647 CVE-2008-7271
Reference:         ESB-2013.0515 ESB-2013.0470 ESB-2013.0324 ESB-2013.0221
                   ESB-2013.0220 ESB-2012.1194 ESB-2012.1189 ESB-2012.1101

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21635863

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple security vulnerabilities in IBM Sales Center for
WebSphere Commerce (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191,
CVE-2012-2159, CVE-2012-2161)

Flash (Alert)

Document information

IBM Sales Center for WebSphere Commerce
Security

Software version: 6.0, 7.0
Operating system(s): Windows
Software edition: All Editions
Reference #: 1635863
Modified date: 2013-05-30

Abstract

Multiple security vulnerabilities have been identified in IBM Sales Center for
WebSphere Commerce V6.0 and V7.0.

Content

VULNERABILITY DETAILS – Directory Traversal

CVE ID: CVE-2012-0186

DESCRIPTION: Specially crafted URLs can be sent to the Eclipse Help component
of IBM Sales Center for WebSphere Commerce V6.0 and V7.0 to disclose the
location of
private resources (files).

CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72096 for the
    current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

VULNERABILITY DETAILS – Flawed Access Control Checks for Remote requests to
Web Container

CVE ID: CVE-2012-0191

DESCRIPTION: Malicious users can spoof request headers sent to the IBM Sales
Center for WebSphere Commerce V7.0 web container, exploiting a flaw in access
control checking to make it appear that the request came from localhost.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72156 for the
    current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

VULNERABILITY DETAILS – Multiple cross-site scripting issues in the Help
Contents

CVE IDs: CVE-2008-7271

DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents of IBM Sales Center for WebSphere Commerce V6.0 and V7.0 allow remote
attackers to inject arbitrary web script or HTML.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/64834 for the
    current score.
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

VULNERABILITY DETAILS – Multiple cross-site scripting issues in the Help
Contents

CVE IDs: CVE-2010-4647

DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents of IBM Sales Center for WebSphere Commerce V6.0 and V7.0 allow remote
attackers to inject arbitrary web script or HTML.
CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/64833 for the
    current score.
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

VULNERABILITY DETAILS – Cross-site Scripting issue in Help Contents

CVE IDs: CVE-2012-2161

DESCRIPTION: A cross-site scripting (XSS) vulnerability in the Help Contents of
IBM Sales Center for WebSphere Commerce V6.0 and V7.0 allows remote attackers
to inject arbitrary web script or HTML.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74833 for the
    current score.
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

VULNERABILITY DETAILS – Eclipse Help System Open Redirect

CVE ID: CVE-2012-2159

DESCRIPTION: A remote unauthenticated attacker could exploit a security
vulnerability in the IBM Eclipse Help server of IBM Sales Center for WebSphere
Commerce V6.0 and V7.0 to redirect users to an attacker-specified URL.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) Version 2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79232 for the
    current score.
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sales Center for WebSphere Commerce V6.0 (CVE-2008-7271, CVE-2010-4647,
    CVE-2012-0186, CVE-2012-2159, CVE-2012-2161)
IBM Sales Center for WebSphere Commerce V7.0 (CVE-2008-7271, CVE-2010-4647,
    CVE-2012-0186, CVE-2012-2159, CVE-2012-2161, CVE-2012-0191)

REMEDIATION:

VENDOR FIX(ES):
For IBM Sales Center for WebSphere Commerce V7.0: Apply IBM Lotus Expeditor 6.2
Client for Desktop Security Interim Fix 3.
For IBM Sales Center for WebSphere Commerce V6.0: A fix is not available.
Please see the WORKAROUND section for instructions to disable the Help.

WORKAROUND(S):

For IBM Sales Center for WebSphere Commerce V6.0:

1) Uninstall the Sales Center Help functionality and access the online
   Information Center instead. Any custom information you have added to the
   Help needs to be manually exported to a PDF or other desired format.

   Instructions to uninstall Help:
   i)   Navigate to the following directory:
        <Sales_Center_Install_dir>\rcp\eclipse\plugins
   ii)  Back up the following plugins and then delete them:
        com.ibm.pvc.wct.platform.help_6.0.0.20050921
        com.ibm.eswe.help.webapp_6.0.0.20050921
        com.ibm.eswe.help.appserver_6.0.0.20050921
   iii) If you ever need to revert the environment, copy the plugins back to
        the following directory:
        <Sales_Center_Install_dir>\rcp\eclipse\plugins

   OR

2) Upgrade to WebSphere Commerce V7.0 and Sales Center for WebSphere Commerce
   V7.0.

For IBM Sales Center for WebSphere Commerce V7.0: None known.

MITIGATION(S): None known.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability 64834
X-Force Vulnerability 64833
X-Force Vulnerability 74833
X-Force Vulnerability 72096
X-Force Vulnerability 72191
X-Force Vulnerability 79232
CVE-2008-7271
CVE-2010-4647
CVE-2012-0186
CVE-2012-0191
CVE-2012-2159
CVE-2012-2161

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY:

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUav9OO4yVqjM2NGpAQIQxQ/+ODXXYXr8v9kjRrp4646P4R+LXp01xzmQ
KU05tbgSGOjrAiD4KdLbxyaO2JA7g+CpIkQ943yUvqFLhV+u2K9XRO9X6IiQItN9
KJMiuEWtOWyfRIFa5tNLriyMu9IpXhDZbi2fXxJ2yjO3xfwBUG9oDLZBCQHjk3om
G/pHLm1krR4BdtfKnwFt+P9TOdcF5miphgOmQzl4w9Satc7WFjs7VNDNf1JcGFu8
usjSDWekJm3uNaw/gdBM0dI6GPocAPkKSlgGbK/6dR573o+lCWgsY9vdOtMdOHGe
QyN/xyJT9dGg/2eHbbBKVdJo8JcTYGs5ezSUH4f2UXyihJF5Jlo4sfJDsvS+0R5r
DYVDWAngdA1h+dP666kA7jgc5/1LoF3q8xTISNiEKHfWYKCTI3sRg0eKm91y9uP6
GMiCGWImPkFg6TzTyoyHuI5ZBE0xvYn1JZw4rHoN9KDaJd1omSrRHZq49yHX8os6
djAam8UonGH/xr1bzvfvzdESvJr6PWi6m4mLilWHoR0MZag4oW/5bB37tUN0Obc9
o/Dyhw0ygBuB5tmvASTHFISNsvOtCftAkBFUNh69gldb2M6BhYu+oP6NBqytJfa3
2HoKcOTV5YNs2QPKRHWKK2nxf9gba04/YRjDnD/me4ptAyipKq4HusbKcg39+I9p
K6wfyqECz38=
=HZ2a
-----END PGP SIGNATURE-----
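The access-control flaw the bulletin describes for CVE-2012-0191 (spoofed request headers making a remote request look as if it came from localhost) is the general pattern of deciding network origin from data the client controls. The following is an added example in Python, not code from the bulletin or from IBM's product. It contrasts a check that believes X-Forwarded-For / Host (header names assumed for illustration; the bulletin does not name the headers involved) with one that starts from the socket peer address and honours forwarded addresses only when the peer is a proxy the operator runs.

```python
"""Checking whether a request really comes from localhost.

Added example, not IBM's code: the bulletin says only that spoofed request
headers made remote requests look local. The header names (X-Forwarded-For,
Host) and the trusted-proxy model are assumptions for illustration.
"""
import ipaddress


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _parse_ip(text):
    """Return an ip_address object, or None for anything that does not parse.

    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are unwrapped so that a
    dual-stack listener classifies them like the embedded IPv4 address on
    every Python version.
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def is_local_request_vulnerable(headers):
    """The flawed pattern: believe a header the client can write.

    Any remote client can send "X-Forwarded-For: 127.0.0.1" or
    "Host: localhost" and pass this check.
    """
    forwarded = _header(headers, "X-Forwarded-For").split(",")[0].strip()
    host = _header(headers, "Host").split(":")[0].lower()
    return forwarded == "127.0.0.1" or host == "localhost"


def effective_client_ip(peer_ip, headers, trusted_proxies=()):
    """Hardened: start from the TCP peer address, which the client cannot
    forge, and consult X-Forwarded-For only when the peer is a proxy we run.

    The chain is walked from the right (the hop our proxy appended); the
    first address that is not one of our proxies is the real client. An
    unparsable hop, or a proxy that supplied no usable chain, yields None so
    that callers fail closed.
    """
    proxies = {_parse_ip(p) for p in trusted_proxies} - {None}
    peer = _parse_ip(peer_ip)
    if peer is None or peer not in proxies:
        return peer  # direct connection: the peer itself is the client
    chain = [hop.strip()
             for hop in _header(headers, "X-Forwarded-For").split(",")
             if hop.strip()]
    for hop in reversed(chain):
        addr = _parse_ip(hop)
        if addr is None:
            return None
        if addr not in proxies:
            return addr
    return None


def is_local_request(peer_ip, headers, trusted_proxies=()):
    """True only when the effective client address is a loopback address."""
    client = effective_client_ip(peer_ip, headers, trusted_proxies)
    return client is not None and client.is_loopback
```

The hardened check never grants "local" on the strength of a header alone: with no trusted proxies configured, only a connection whose peer address is loopback qualifies, and behind a trusted proxy the decision is made on the address the proxy itself appended, so a client-supplied "127.0.0.1" at the front of the chain is ignored.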
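For the open redirect in the Eclipse Help server (CVE-2012-2159 above), the defence is to validate the redirect target before issuing the Location header. The following is an added example in Python, not code from the bulletin or from IBM's product; the allow-list model and the function name are assumptions for illustration. It accepts only a single-slash local path or an absolute URL to an allow-listed host, and rejects the usual bypasses (scheme-relative "//host", the "/\host" and "///host" forms browsers normalise to "//host", userinfo tricks, non-HTTP schemes, and control characters).

```python
"""Validating redirect targets so a help server cannot be used as an open
redirector.

Added example, not IBM's code: the bulletin only says the Eclipse Help server
could be made to redirect to a chosen URL. The allow-list model and the
function name are assumptions for illustration.
"""
from urllib.parse import urlsplit

_ALLOWED_SCHEMES = {"", "http", "https"}


def safe_redirect_target(target, allowed_hosts=(), fallback="/"):
    """Return `target` if it is a local absolute path or points at an
    allow-listed host; otherwise return `fallback`.

    Some checks run on the raw string before parsing, because browsers and
    urllib disagree there: browsers treat "/\\host" and "///host" as
    "//host", and several parsers silently drop tabs and newlines.
    """
    if not isinstance(target, str) or not target:
        return fallback
    # Control characters, whitespace and backslashes: reject outright rather
    # than guess how each client will normalise them.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target) or "\\" in target:
        return fallback
    parts = urlsplit(target)
    if parts.scheme not in _ALLOWED_SCHEMES:
        return fallback  # javascript:, data:, vbscript:, ...
    if parts.scheme or parts.netloc:
        # Absolute ("https://h/p") or scheme-relative ("//h/p") reference.
        # "https:evil.example" parses with an empty netloc in Python but as a
        # host in browsers, so hostname None is also a rejection.
        if parts.username is not None or parts.password is not None:
            return fallback  # "https://good.example@evil.example/"
        allowed = {h.lower() for h in allowed_hosts}
        if parts.hostname is None or parts.hostname not in allowed:
            return fallback
        return target
    # Relative reference: exactly one leading slash. Two or more leading
    # slashes become a network-path reference in browsers.
    if not target.startswith("/") or target.startswith("//"):
        return fallback
    return target
```

Call it as `safe_redirect_target(request_param, allowed_hosts=["help.example.com"])` and redirect to whatever it returns; with the default empty allow-list every absolute URL is refused and only local paths survive.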
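The directory traversal entry (CVE-2012-0186 above) concerns crafted URLs reaching files outside what the Eclipse Help component should serve. The following is an added example in Python, not code from the bulletin or from IBM's Eclipse Help server; the content-root layout and the sample requests are constructed for the demonstration. It decodes the URL path once, rejects NUL and backslash, resolves ".." and symlinks on the real filesystem, and then checks containment by path components rather than by string prefix.

```python
"""Mapping a help-content URL onto a file without letting it escape the
content root.

Added example, not IBM's Eclipse Help code: the bulletin says only that
crafted URLs disclosed the location of private files. Directory names and
the sample tree below are constructed for the demonstration.
"""
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under(base_dir, url_path):
    """Return the file below `base_dir` that `url_path` names, or None.

    - Percent-decode exactly once; the caller must not decode again, or
      "%252e%252e" becomes ".." on the second pass.
    - Reject NUL and backslashes, which change meaning between the URL layer
      and the filesystem layer on some platforms.
    - Resolve "..", "." and symlinks against the real filesystem, then test
      containment by path components rather than string prefix, so that
      "<root>/help2" is not mistaken for a child of "<root>/help".
    """
    base = Path(base_dir).resolve()
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = (base / decoded.lstrip("/")).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


def demo():
    """Build a constructed tree, run a set of requests, return {request: outcome}.

    Outcome is the path relative to the content root when it would be served,
    or "rejected" when the request would have left the root.
    """
    root = Path(tempfile.mkdtemp()).resolve()
    help_dir = root / "help"
    (help_dir / "docs").mkdir(parents=True)
    (help_dir / "docs" / "index.html").write_text("<h1>help</h1>")
    (root / "secret.txt").write_text("private")            # outside the root
    (root / "help2").mkdir()
    (root / "help2" / "x.html").write_text("prefix trap")  # string-prefix trap
    requests = [
        "docs/index.html",
        "/docs/../docs/index.html",
        "../secret.txt",
        "docs/%2e%2e/%2e%2e/secret.txt",
        "docs/%00../secret.txt",
        "../help2/x.html",
    ]
    try:
        (help_dir / "link").symlink_to(root / "secret.txt")  # symlink escape
        requests.append("link")
    except OSError:
        pass  # platform without symlink support: skip that case
    results = {}
    try:
        for req in requests:
            resolved = resolve_under(help_dir, req)
            results[req] = (str(resolved.relative_to(help_dir)) if resolved
                            else "rejected")
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:40} -> {outcome}")
```

Running the file prints one line per constructed request; only the two forms of "docs/index.html" are served, and the encoded "..", the NUL-split path, the sibling "help2" directory and the symlink pointing out of the root are all rejected. Returning a generic 404 for every rejection, rather than echoing the resolved path, is what keeps the file location private.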