===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1605
 A number of vulnerabilities have been identified in IBM WebSphere Portal
                             12 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5454 CVE-2013-5379 CVE-2013-5378

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21655634
   http://www-01.ibm.com/support/docview.wss?uid=swg21655635
   http://www-01.ibm.com/support/docview.wss?uid=swg21655656

Comment: This bulletin contains three (3) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross site scripting vulnerability related to IBM 
Connections integration in WebSphere Portal (CVE-2013-5378)

Flash (Alert)

Document information

WebSphere Portal

Software version:

8.0, 8.0.0.1

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1655634

Modified date:

2013-11-08

Abstract

A Cross Site Scripting (XSS) vulnerability in WebSphere Portal related to IBM
Connections integration has been identified.

Content

VULNERABILITY DETAILS:

DESCRIPTION:

A Cross Site Scripting (XSS) vulnerability in WebSphere Portal related to IBM
Connections integration has been identified.

CVEID: CVE-2013-5378

CVSS Base Score: 3.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86929 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

WebSphere Portal Version 8

REMEDIATION:

The recommended solution is to apply the APARs PM95802, PM95881, and PM97593 
as soon as practical.

Fix: Apply a Cumulative Fix containing PM95802, PM95881, and PM97593.

For 8.0.0 through 8.0.0.1

Apply Cumulative Fix 8 (CF8) on top of Fix Pack 8.0.0.1 (Combined Cumulative
Fixes for WebSphere Portal 8.0.0.1: 
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

Workaround(s): None.

Mitigation(s): None.

REFERENCES:

Complete CVSS Guide

On-line Calculator V2

CVE-2013-5378

X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/86929

RELATED INFORMATION:

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

CHANGE HISTORY

08 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------------------------------------------------------------

Security Bulletin: Cross Site Scripting vulnerability related to tagging in 
WebSphere Portal (CVE-2013-5379)

Flash (Alert)

Document information

WebSphere Portal

Software version:

7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1655635

Modified date:

2013-11-08

Abstract

A Cross Site Scripting (XSS) vulnerability in WebSphere Portal related to 
tagging has been identified.

Content

VULNERABILITY DETAILS:

DESCRIPTION:

A Cross Site Scripting (XSS) vulnerability in WebSphere Portal related to 
tagging has been identified.

CVEID: CVE-2013-5379

CVSS Base Score: 3.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86930 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

WebSphere Portal Version 7

WebSphere Portal Version 8

REMEDIATION:

The recommended solution is to apply PM96047 as soon as practical.

Fix: Apply a Cumulative Fix containing PM96047.

For 7.0.0 through 7.0.0.2

Apply Cumulative Fix 25 (CF25) on top of Fix Pack 7.0.0.2 (Combined 
Cumulative fixes for WebSphere Portal 7.0.0.2: 
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 8.0.0 through 8.0.0.1

Apply Cumulative Fix 8 (CF8) on top of Fix Pack 8.0.0.1 (Combined Cumulative
Fixes for WebSphere Portal 8.0.0.1: 
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

Workaround(s):

None.

Mitigation(s):

None.

REFERENCES:

Complete CVSS Guide

On-line Calculator V2

CVE-2013-5379

X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/86930

RELATED INFORMATION:

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

CHANGE HISTORY

08 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------------------------------------------------------------

Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation 
CVE-2013-5454 PM99205

Flash (Alert)

Document information

WebSphere Portal

Software version:
6.0.1, 6.1, 6.1.5, 7.0, 8.0

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:
1655656

Modified date:
2013-11-11

Abstract

A URL Manipulation vulnerability has been identified in IBM WebSphere Portal.

Content

VULNERABILITY DETAILS:

CVEID: CVE-2013-5454

DESCRIPTION:

A URL Manipulation vulnerability has been identified in IBM WebSphere Portal.
A remote attacker could view arbitrary files and directory content and obtain
sensitive information from the system. The attacker could use this information
to launch further attacks against the affected system.

CVSS Base Score: 7.1

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88253 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:

WebSphere Portal 8

WebSphere Portal 7

WebSphere Portal 6.1.5

WebSphere Portal 6.1.0

WebSphere Portal 6.0.1

REMEDIATION:

The recommended solution is to apply PM99205 as soon as practical.

Fix: Apply Interim Fix PM99205.

For 8.0.0 through 8.0.0.1

Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 8 (CF08) and then apply 
Interim Fix PM99205 (Combined Cumulative Fixes for WebSphere Portal 8.0.0.1: 
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2

Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 25 (CF25) and then apply 
Interim Fix PM99205 (Combined Cumulative fixes for WebSphere Portal 7.0.0.2: 
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3

Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply 
Interim Fix PM99205 (Cumulative fixes for WebSphere Portal 6.1.5.3: 
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6

Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply 
Interim Fix PM99205 (Cumulative fixes for WebSphere Portal 6.1.0.6: 
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.0.1.0 through 6.0.1.7

Upgrade to Fix Pack 6.0.1.7 and then apply Interim Fix PM99205

Note: If you encounter any problems with these Fix Central links, 
cut-and-paste the following URL into the address bar of your browser as an 
alternative:

http://www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PM99205

Workaround(s) & Mitigation(s):

None

Important note: IBM strongly suggests that all System z customers be 
subscribed to the System z Security Portal to receive the latest critical 
System z security and integrity service. If you are not subscribed, see the 
instructions on the System z Security web site. Security and integrity APARs 
and associated fixes will be posted to this portal. IBM suggests reviewing the
CVSS scores and applying all security or integrity fixes as soon as possible 
to minimize any potential risk.

REFERENCES:

Complete CVSS Guide

On-line Calculator V2

Interim Fix PM99205

RELATED INFORMATION:

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

The vulnerability was reported to IBM by Drazen Popovic of INFIGO IS.

CHANGE HISTORY

08 November 2013: Original Copy Published

11 November 2013: Corrected Fix Central Links

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================