-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0069
         Cross-site Scripting vulnerability in WebSphere Appliance
            Management Center V5 in-product help documentation
                              17 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Appliance Management Center
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5442  

Reference:         ESB-2013.1604

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21660930

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin : Cross-site Scripting vulnerability in WebSphere Appliance
Management Center V5 in-product help documentation (CVE-2013-5442)

Document information

More support for:

WebSphere Appliance Management Center

Software version:

5.0

Operating system(s):

AIX, Linux, Windows

Reference #:

1660930

Modified date:

2014-01-06

Security Bulletin

Summary

Knowledge Center Local Edition, a component used in WebSphere Appliance 
Management Center V5 to display in-product help documentation, is open to a 
cross-site scripting attack that could allow an attacker to impersonate a 
legitimate user.

Vulnerability Details

CVE ID : CVE-2013-5442

DESCRIPTION:

Knowledge Center Local Edition (KCLE) is a web application that WebSphere 
Appliance Management Center V5 uses to display in-product help documentation.
This documentation can be found using the button marked '?' in the top right 
corner of the WebSphere Appliance Management Center user interface and 
selecting Help from the menu that appears.

A vulnerability exists in Knowledge Center Local Edition that allows an 
attacker to carry out a cross-site scripting attack. By making use of the 
vulnerability, an attacker may be able to impersonate a legitimate user 
allowing the attacker to view or modify data as if they were that user.

CVSS:

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87818 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products

This vulnerability affects WebSphere Appliance Management Center for WebSphere
Appliances V5. The vulnerability is present in updates of WebSphere Appliance
Management Center that were released before March 27, 2013 (2013-03-27). Any 
updates that were released on or after March 27, 2013 are not exposed to the 
vulnerability as Knowledge Center Local Edition was replaced with the IBM 
Eclipse Help System as of March 2013.

To determine if you are affected by this vulnerability, log in to your 
WebSphere Appliance Management Center user interface, open the '?' menu and 
choose the 'About' option :

* If the Release field shows a 2012-11-30 or an earlier date, your 
installation of WebSphere Appliance Management Center is exposed to this 
vulnerability.

* If the Release field shows 2013-03-21 or a later date, your installation of
WebSphere Appliance Management Center is not exposed to this vulnerability.

Remediation/Fixes

If your installation of WebSphere Appliance Management Center is affected by 
this vulnerability you should upgrade to the latest currently available 
update. The upgrade feature of WebSphere Appliance Management Center can be 
used to migrate your existing configuration to the updated version. 
Information on the upgrade process can be found in the Information Center 
topic Upgrading to a later release of WebSphere Appliance Management Center 
for WebSphere Appliances

If for any reason you are not able to upgrade your WebSphere Appliance 
Management Center installation or if you generally require further assistance,
you should contact IBM Support.

References:

Complete CVSS Guide

On-line Calculator V2

On-line Calculator V2

X-Force Vulnerability Database : http://xforce.iss.net/xforce/xfdb/87818

WebSphere Appliance Management Center Information Center : 
http://pic.dhe.ibm.com/infocenter/wamcinfo/v5r0m0/index.jsp

Upgrading to a later release of WebSphere Appliance Management Center for 
WebSphere Appliances (Information Center topic) : 
http://pic.dhe.ibm.com/infocenter/wamcinfo/v5r0m0/topic/com.ibm.wamc.doc/upgrading_2.html

Related information

IBM Secure Engineering Portal

Change History

January 2014 : Original Document Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUtiy7RLndAQH1ShLAQLE8w/+JToQcailO7YYmsA3HN5/U7VnvXC+HdN3
mkax17H56p1J9t7n0L58B5Lk1/59h2Pi+RfL/Os2aMIsnFrygt0RyxCXvt1d6Dxf
utWcH4fSVw4PCKzuP9HCb91eT0FlnUv4uQ8DMa7GvwI4+k4JUvHBHfyBZ6Ks9uBf
VIpLyTDuQevSP4L33DhsWcJ4ECMv8Un2Ytn9fHXnjK2sCXpSy5QVtxcPKUfiJsuZ
jtjmeAi3G9ScTpDakVlCFbIrZwbx4t1hHu+p40PiI4tn2HECLvUjQBB396ORMnDV
k2cpkd4XKpvcOTGl247ayEn/0wmb8bCT7cXeZG64+pM2zQJ2TArwCxbwLTyvzhYL
P7Mf5hyjjCDRh4flazeOEw1c907WndSg9gUVlyeCawTdaBShYc5Y4j78GbG6vkrk
myFnjyq3mse8ZpIlr1wrU9Eus6GB7TGLyWyr4VyWzO253gRBVNPrRWm8mqiEUPYX
3AS7je5RH+hj6D95YW+IcwPfqIu7eQnfBxCou/IjdCpjeE3C0/TlKp6HcQWBWwgy
BtCnlMtcmdwIcmjimSUh03/Dyzbp1kXMzGjDHN7VM8gjJLBxUj2hge2h92DTrurC
XdTC3oZ01PjdeFAiKLF9V6zwNbizvOuK0IsOHx/ICg7qzaAbWxh+j/dnMeJ1ATQX
NL0I6doNP+M=
=VfU9
-----END PGP SIGNATURE-----