-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0778
    Security Bulletin: IBM Smart Analytics System 7600 is affected by a
       privilege escalation vulnerability in the DB2 Audit Facility
                              (CVE-2013-3475)
                                4 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Smart Analytics System
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3475  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21639194

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Smart Analytics System 7600 is affected by a privilege 
escalation vulnerability in the DB2 Audit Facility (CVE-2013-3475)

Flash (Alert)

Document information
IBM Smart Analytics System

Software version:
9.7

Operating system(s):
AIX 6.1

Reference #:
1639194

Modified date:
2013-05-31

Abstract

The IBM Smart Analytics System 7600 is shipped with DB2 9.7. This version of 
DB2 contains a security vulnerability in the DB2 Audit Facility which allows 
an attacker to gain DB2 instance owner level privileges. This vulnerability 
can only be exploited by users through a local system account login.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-3475


CVE-2013-3475
CVSS Base Score: 6.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84358 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
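The 6.6 base score above follows directly from the vector. The script below, an added example and not code from IBM or AusCERT, implements the published CVSS v2 base equations (Impact, Exploitability and the f(Impact) factor from the FIRST CVSS v2 guide) and evaluates them for the bulletin's vector; the metric weight tables are the standard v2 values, and the half-up rounding helper is an assumption matching the guide's "round_to_1_decimal" rather than Python's banker's rounding.

```python
"""Compute a CVSS v2 base score from a vector string such as
"(AV:L/AC:M/Au:S/C:C/I:C/A:C)". Added worked example; the weights and
formulas are the CVSS v2 base equations published by FIRST."""
import math

# CVSS v2 base metric weights (standard values from the CVSS v2 guide)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}      # None / Partial / Complete

REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Turn "(AV:L/AC:M/...)" into {"AV": "L", "AC": "M", ...}, validating
    that all six base metrics are present and have known values."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric: {part!r}")
        metrics[name] = value
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    tables = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
              "C": IMPACT_WEIGHT, "I": IMPACT_WEIGHT, "A": IMPACT_WEIGHT}
    for name, table in tables.items():
        if metrics[name] not in table:
            raise ValueError(f"unknown value {metrics[name]!r} for {name}")
    return metrics


def round1(x: float) -> float:
    """CVSS 'round_to_1_decimal' (half-up); Python's round() is half-even,
    so it is not used here (assumption: half-up is what the guide intends)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> dict:
    """Return the Impact and Exploitability subscores and the Base score."""
    m = parse_vector(vector)
    c, i, a = (IMPACT_WEIGHT[m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    base = round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)
    return {"impact": round1(impact),
            "exploitability": round1(exploitability),
            "base": base}


if __name__ == "__main__":
    # The vector printed in this bulletin: local, medium complexity,
    # single authentication, complete C/I/A impact.
    print(base_score("(AV:L/AC:M/Au:S/C:C/I:C/A:C)"))
```

For the bulletin's vector the Impact subscore rounds to 10.0 and Exploitability to 2.7, giving the published Base score of 6.6; the local-access and single-authentication factors are what hold the score down despite complete confidentiality, integrity and availability impact.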


AFFECTED PRODUCTS AND VERSIONS: 

IBM Smart Analytics System 7600


REMEDIATION: 
FIXES: 

Find your product in the table below and use the link in the Patch/Fix Pack 
Download Link column to find the patch provided by IBM. Previously supported 
Balanced Warehouse environments not listed below require additional 
investigation to determine vulnerability and the appropriate remediation. 
Access to the patches on the IBM site is restricted and requires a valid IBM 
registration ID. Access to the fix packs on the IBM site requires both a valid 
IBM registration ID and the correct product entitlement in Passport Advantage. 

For more information about IBM registration IDs, see the IBM Registration FAQ 
page. 


Product:                       IBM Smart Analytics System 7600
Operating System:              AIX 6.1
Patch/Fix Pack:                DB2 9.7 Fix Pack 8 special build 30703
Versions:                      DB2 9.7 Fix Pack 8 special build 30703
Patch/Fix Pack Download Link:  Contact IBM Support to request the special build.
Installation instructions:     Procedure to install a DB2 special build or fix pack
                               on an IBM Smart Analytics System

WORKAROUND(S): 

None. 

MITIGATION(S): 

None. 

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-3475
X-Force Database: http://xforce.iss.net/xforce/xfdb/84358

RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog 


ACKNOWLEDGEMENT: 
The vulnerability in DB2 was reported to IBM by Bartlomiej Balcerek via Secunia 
SVCRP. 


CHANGE HISTORY: 
31-May-2013: Original version published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information

Segment:    Information Management
Product:    IBM Smart Analytics System
Component:  IBM Smart Analytics System 7600
Platform:   AIX 6.1
Version:    9.7
Edition:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUa0xsu4yVqjM2NGpAQKr1RAAr6Vpqw3xlklzMbOcKD9rQh/db/PRb58k
tn86Wme2WfdUCYh0rzK0J7focRiEZPV9HI3/VsJlX8eK6PFMHSjUKfM58YrUXYVQ
frHdM9JDrcE0sL9KIylYYaeXbjpO5kxCgPqBtNrZP8ICsDaKFIfk/o+kPpJubbl/
pWxVmjAZeTImYybeFHkVAmz5K6+2afWMSE6eYCARfMZc/UM3srqyeVjOweNNLZCj
+vJhtaM9672PKOV5x1QFT8b7zfc4N9QUIYm45ogYEulswfh9dQf782WTO4MRS0Bh
3XYDBmQXMCNXi8rjkSIhubyq3CKm87UfZPrhCfAoMU6a5rdEmNQZpZhVd/XQ0vO0
NUqTsmCYUqqCHkE8ss0MDA2QcD/itX+4wYha8NqNSXp3y0smSi/9fjZu69JsQXug
DPmNwR7y1vYbxHq9HDVvMgVXrWfPB/LMb+RJkmK73yE0pty+0I1Kv/YqieH8Gsjb
P538dWJ8areKuYXNgH+5YZoTPKWdN7DunUcg9vquAbNNUGiuEBaamR6YTCfYgmRs
iRa9cddooPjKMg3Uetzo14jC6ednccONiwP+QiaV/57uBnt+mj1n9bzfwruTeu3H
5DfwgwlXoXWTjjLWKdgxiwv1QO0KKY28zUugL4g8JFJxOmBkRxEv79Fa8kJK2G+T
TbXHkvSzJ40=
=3/Is
-----END PGP SIGNATURE-----