===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1377
         Security Bulletin: Security Vulnerabilities Addressed in
                          Asset and Service Mgmt
                              2 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Existing Account            
                   Modify Arbitrary Files          -- Existing Account            
                   Delete Arbitrary Files          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5395 CVE-2013-5383 CVE-2013-5382
                   CVE-2013-5381 CVE-2013-5380 CVE-2013-4027
                   CVE-2013-4021 CVE-2013-4020 CVE-2013-4019
                   CVE-2013-4018 CVE-2013-4017 CVE-2013-4014
                   CVE-2013-4013 CVE-2013-3973 CVE-2013-3972
                   CVE-2013-3971 CVE-2013-3049 CVE-2013-3048
                   CVE-2013-3047 CVE-2013-0451 CVE-2012-3323

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21651085

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Security Vulnerabilities Addressed in Asset and Service Mgmt

Flash (Alert)

Document information
IBM Maximo Asset Management

Software version:
6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1, 
7.1.2, 7.2, 7.2.1, 7.5

Operating system(s):
Platform Independent

Reference #:
1651085

Modified date:
2013-09-26

Abstract
XSS, Gain Privileges, SQL Injection, and Information Disclosure 
vulnerabilities in Maximo Asset Mgmt, Tivoli Asset Mgmt for IT, Tivoli Service 
Request Mgr, Change and Configuration Mgmt Database, and SmartCloud Control 
Desk. See Vulnerability Details for CVE IDs.

Content

VULNERABILITY DETAILS:
DESCRIPTION:
Customers who have Maximo Asset Management, Maximo Asset Management Essentials, 
Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear 
Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and 
Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service 
Request Manager, Maximo Service Desk, Change and Configuration Management 
Database, and SmartCloud Control Desk are potentially impacted by these 
vulnerabilities, which can cause issues related to confidentiality, integrity, 
and availability.

CVE ID		APAR		DESCRIPTION
CVE-2013-0451	IV24726		SQL Injection
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80967
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVE-2013-3047	IV35721		Gain Privileges
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84844
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

CVE-2013-3048	IV36375		Cross-site Scripting
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84845
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

CVE-2013-3049	IV37599		Security Bypass
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84847
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

CVE-2012-3323	IV23506		Gain Privileges
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77920
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVE-2013-3971	IV37459		Security Bypass
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84848
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

CVE-2013-3972	IV39089		Information Disclosure
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84849
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVE-2013-3973	IV39184		SQL Injection
CVSS Base Score: 6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84850
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

CVE-2013-4013	IV39202		Information Disclosure
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85791
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVE-2013-4014	IV39515		Cross-site Scripting
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85792
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2013-4017	IV42682		SQL Injection
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85794
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVE-2013-4018	IV42684		Information Disclosure
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85795
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

CVE-2013-4019	IV42664		Cross-site Scripting
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85796
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

CVE-2013-4020	IV42775		Security Bypass
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85825
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVE-2013-4021	IV42816		File Inclusion
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85826
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

CVE-2013-4027	IV43491		Security Bypass
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86064
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

CVE-2013-5380	IV33364		Information Disclosure
CVSS Base Score: 1.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86931
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N

CVE-2013-5381	IV35394		Gain Privileges
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86932
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

CVE-2013-5382	IV40210		Gain Privileges
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86933
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVE-2013-5383	IV40704		Gain Privileges
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86934
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

CVE-2013-5395	IV32526		Security Bypass
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87157
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
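The base scores above are derived from the vectors by the CVSS v2 formula. As an added example (not part of IBM's bulletin or AusCERT's text), the calculator below recomputes a base score from a v2 vector and flags any entry whose listed score does not reproduce, or whose vector has been mangled in transit; the weights are those of the FIRST CVSS v2 guide, and BULLETIN_ENTRIES is a four-entry subset of the table transcribed as sample input.

```python
import math

# CVSS v2 base-metric weights as published in the FIRST CVSS v2 guide.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability impact
}
_ORDER = ["AV", "AC", "Au", "C", "I", "A"]


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:S/C:P/I:P/A:P' into a metric -> value dict.
    Malformed vectors (wrong separators, missing or unknown metrics) raise
    ValueError, so a vector mangled in transit is not silently mis-scored."""
    parts = vector.strip().split("/")
    if len(parts) != len(_ORDER):
        raise ValueError("expected %d metrics in %r" % (len(_ORDER), vector))
    metrics = {}
    for expected, part in zip(_ORDER, parts):
        name, sep, value = part.partition(":")
        if sep != ":" or name != expected or value not in _WEIGHTS[name]:
            raise ValueError("bad metric %r in %r" % (part, vector))
        metrics[name] = value
    return metrics


def base_score(vector):
    """CVSS v2 base score for a vector, rounded half-up to one decimal."""
    w = {k: _WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10


def check_scores(entries):
    """Recompute each (cve, vector, listed_score); return a list of mismatches."""
    mismatches = []
    for cve, vector, listed in entries:
        try:
            computed = base_score(vector)
        except ValueError as exc:
            mismatches.append((cve, listed, None, str(exc)))
            continue
        if abs(computed - listed) >= 0.05:
            mismatches.append((cve, listed, computed, "listed score differs"))
    return mismatches


# Four of the bulletin's entries, transcribed here as sample input.
BULLETIN_ENTRIES = [
    ("CVE-2013-0451", "AV:N/AC:L/Au:S/C:P/I:P/A:P", 6.5),
    ("CVE-2012-3323", "AV:N/AC:M/Au:N/C:P/I:P/A:P", 6.8),
    ("CVE-2013-4021", "AV:N/AC:L/Au:S/C:P/I:P/A:N", 5.5),
    ("CVE-2013-5380", "AV:L/AC:M/Au:N/C:P/I:N/A:N", 1.9),
]
```

check_scores(BULLETIN_ENTRIES) returns an empty list, since every listed score reproduces from its vector; a vector with colons and slashes transposed is returned as a mismatch with a parse error instead of a wrong score.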

AFFECTED PRODUCTS: 
- Maximo Asset Management 7.5, 7.1, 6.2
- Maximo Asset Management Essentials 7.5, 7.1, 6.2
- Maximo for Government 7.5, 7.1, 6.2
- Maximo for Nuclear Power 7.5, 7.1, 6.2, 6.3
- Maximo for Transportation 7.5, 7.1, 6.2, 6.3
- Maximo for Life Sciences 7.5, 7.1, 6.2, 6.4, 6.5
- Maximo for Oil and Gas 7.5, 7.1, 6.2, 6.3, 6.4
- Maximo for Utilities 7.5, 7.1, 6.2, 6.3
- SmartCloud Control Desk 7.5
- Tivoli Asset Management for IT 7.2, 7.1, 6.2
- Tivoli Service Request Manager 7.2, 7.1, Maximo Service Desk 6.2
- Change and Configuration Management Database 7.2, 7.1

Fix status by release for the products listed above:

CVE		APAR		7.5	7.1 / 7.2	6.2
CVE-2013-0451	IV24726		N/A	Fix pending	Fix pending
CVE-2013-3047	IV35721		Fixed	Fixed		N/A
CVE-2013-3048	IV36375		Fixed	Fix pending	Fix pending
CVE-2013-3049	IV37599		Fixed	Fix pending	N/A
CVE-2012-3323	IV23506		Fixed	Fixed		Fixed
CVE-2013-3971	IV37459		Fixed	Fix pending	N/A
CVE-2013-3972	IV39089		Fixed	Fixed		N/A
CVE-2013-3973	IV39184		Fixed	Fixed		N/A
CVE-2013-4013	IV39202		Fixed	Fix pending	Fix pending
CVE-2013-4014	IV39515		Fixed	Fixed		Fix pending
CVE-2013-4017	IV42682		N/A	Fixed		N/A
CVE-2013-4018	IV42684		Fixed	Fixed		Fix pending
CVE-2013-4019	IV42664		N/A	Fixed		Fix pending
CVE-2013-4020	IV42775		Fixed	Fix pending	Fix pending
CVE-2013-4021	IV42816		Fixed	Fixed		Fix pending
CVE-2013-4027	IV43491		Fixed	Fix pending	Fix pending
CVE-2013-5380	IV33364		Fixed	Fixed		Fix pending
CVE-2013-5381	IV35394		Fixed	Fix pending	Fix pending
CVE-2013-5382	IV40210		Fixed	Fixed		Fix pending
CVE-2013-5383	IV40704		Fixed	Fixed		Fix pending
CVE-2013-5395	IV32526		Fixed	Fixed		Fix pending 

N/A in this table means that the vulnerability does not exist in that release.
It is likely that earlier versions of affected products are also affected by 
these vulnerabilities. Remediation is not provided for product versions that 
are no longer supported. IBM recommends that customers upgrade to the latest 
supported version of products in order to obtain remediation for the 
vulnerabilities.

REMEDIATION: 

VENDOR FIXES: 
The recommended solution is to download the appropriate Interim Fix or Fix 
Pack from Fix Central and apply it to each affected product as soon as 
possible. Please see below for information on the fixes available for each 
product, version, and release. Follow the installation instructions in the 
'readme' documentation provided with each fix pack or interim fix. 

For Maximo Asset Management and Maximo Asset Management Essentials 7.5, 7.1, 
6.2:

VRMF	Fix Pack or Interim Fix		Vulnerability APARs		Download
7.5.0.5	Maximo 7.5.0.5 Fix Pack:	IV35721, IV36375, IV37599, 	FixCentral
	7.5.0.5-TIV-MAM-FP005		IV23506, IV37459, IV39089, 
					IV39184, IV39202, IV39515, 
					IV42684, IV42775, IV42816, 
					IV43491, IV33364, IV40210, 
					IV40704, IV32526	
7.5.0.4	Maximo 7.5.0.4 Fix Pack:	IV23506				FixCentral
	7.5.0.4-TIV-MAM-IFIX005 or 
	latest Interim Fix available	
7.5.0.3	Maximo 7.5.0.3 Interim Fix: 	IV36375, IV23506, IV42775, 	FixCentral
	7.5.0.3-TIV-MAM-IFIX006 or 	IV35394
	latest Interim Fix available		
7.5.0.2	Maximo 7.5.0.2 Interim Fix: 	IV39202				FixCentral
	7.5.0.2-TIV-MAM-IFIX023 or 
	latest Interim Fix available	 
7.1.1.12 7.1.1.12 Interim Fix: 		IV35721, IV23506, IV39089, 	Contact 
	MBS_71112_LAFIX.20130903-1142 	IV33364, IV32526		IBM Support
	or latest Interim Fix available		
6.2.8	6.2.8 Interim Fix:		IV35721, IV23506		Contact 
	Maximo_6.2.8_LAFix_20120725-1611 				IBM Support
	or latest Interim Fix available
	Note: Maximo 6.2 IFs can be 
	applied to Maximo Industry 
	Solutions 6.2 – 6.5	 


For SmartCloud Control Desk 7.5:

VRMF	Fix Pack or Interim Fix		Vulnerability APARs		Download
7.5.0.3	SmartCloud Control Desk 	IV35721, IV36375, IV37599, 	FixCentral
	7.5.0.3 Fix Pack:		IV23506, IV37459, IV39089, 	when
	7.5.0.3-TIV-SCCD-AIX-FP0003	IV39184, IV39202, IV39515, 	available
	7.5.0.3-TIV-SCCD-Linux-FP0003	IV42684, IV42775, IV42816, 
	7.5.0.3-TIV-SCCD-Windows-FP0003	IV43491, IV33364, IV40210, 
					IV40704, IV32526
7.5.1.1	SmartCloud Control Desk 	IV35721, IV36375, IV37599, 	Passport 
	7.5.1.1 Release			IV23506, IV37459, IV39089, 	Advantage
					IV39184, IV39202, IV39515, 
					IV42684, IV42775, IV42816, 
					IV43491, IV33364, IV40210, 
					IV40704, IV32526


For Tivoli Asset Management for IT, Tivoli Service Request Manager, 
Maximo Service Desk, and Change and Configuration Management Database 
7.2, 7.1, 6.2:

VRMF	 Fix Pack or Interim Fix	Vulnerability APARs		Download
7.1.1.12 7.1.1.12 Interim Fix: 		IV35721, IV23506, IV39089, 	Contact  
	 MBS_71112_LAFIX.20130903-1142 	IV33364, IV32526		IBM Support
	or latest Interim Fix available
	Note: MBS 7.1 IFs can be 
	applied to 7.1 or 7.2		
6.2.8	6.2.8 Interim Fix:		IV35721, IV23506		Contact 
	Maximo_6.2.8_LAFix_20120725-1611 				IBM Support
	or latest Interim Fix available	 
	
If assistance is needed in determining the appropriate Fix Pack or Interim Fix 
level, contact IBM Technical Support. It is recommended that you always 
request the latest available Fix Pack or Interim Fix. 

Due to the threat posed by a successful attack, IBM strongly recommends that 
customers apply fixes as soon as possible. 

WORKAROUNDS AND MITIGATIONS: 
Until you apply the fixes, it may be possible to reduce the risk of successful 
attack by restricting network protocols required by an attack. For attacks 
that require certain privileges or access to certain packages, removing the 
privileges or the ability to access the packages from unprivileged users may 
help reduce the risk of successful attack. Both approaches may break 
application functionality, so IBM strongly recommends that customers test 
changes on non-production systems. Neither approach should be considered a 
long-term solution as neither corrects the underlying problem. 


REFERENCES: 
Complete CVSS Guide 
On-line Calculator V2 
X-Force Vulnerability Database 

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash. 

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

RELATED INFORMATION:
IBM Product Security Incident Reporting Team

ACKNOWLEDGEMENTS:
None



Change History
25 Sep 2013	Flash published

CROSS REFERENCE INFORMATION:
Segment: Systems and Asset Management; Component/Platform: All (for every product below)

Product					Version
Maximo Asset Management			6.2.0 – 6.2.8; 7.1.1.0 – 7.1.1.11; 7.5.0.0 – 7.5.0.5
Maximo Asset Management Essentials	7.1.1.0 – 7.1.1.11; 7.5.0.0 – 7.5.0.5
Maximo for Government			6.1.0.0; 7.1.0.0; 7.5.0.0
Maximo for Nuclear Power		6.3.0; 7.1.0.0 – 7.1.1.0; 7.5.0.0 – 7.5.1.0
Maximo for Transportation		6.3.0; 7.1.0.0 – 7.1.1.0; 7.5.0.0 – 7.5.1.0
Maximo for Life Sciences		6.4.0 – 6.5.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0
Maximo for Oil and Gas			6.3.0 – 6.4.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 – 7.5.1.0
Maximo for Utilities			6.3.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 – 7.5.0.1
Tivoli Service Request Manager /	7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.1.4;
  Maximo Service Desk			6.2.0 – 6.2.8
Tivoli Asset Management for IT		6.2.0 – 6.2.8; 7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.2.1
Change and Configuration		7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.1.3
  Management Database
SmartCloud Control Desk			7.5.0.0 – 7.5.0.3; 7.5.1.0 – 7.5.1.1

Cross reference information

Segment: Systems and Asset Management (all products below)
Product
IBM Maximo Asset Management Essentials
IBM Maximo for Government
IBM Maximo for Nuclear Power
IBM Maximo for Transportation
IBM Maximo for Life Sciences
IBM Maximo for Oil and Gas
IBM Maximo for Utilities
Tivoli Service Request Manager
Tivoli Asset Management for IT
Tivoli Change and Configuration Management Database
IBM SmartCloud Control Desk

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================