Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1004 Security Bulletin: Cúram is vulnerable to cross site scripting attack (CVE-2014-3013) 19 June 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Curam Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows z/OS Impact/Access: Cross-site Scripting -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2014-3013 CVE-2014-3012 Original Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21675415 http://www-01.ibm.com/support/docview.wss?uid=swg21675454 Comment: This bulletin contains two (2) IBM security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Curam is vulnerable to cross site scripting attack (CVE-2014-3013) Document information More support for: Curam Social Program Management Software version: 4.5, 5.0, 5.2.0, 5.2.1, 5.2.4, 5.2.5, 5.2.6, 6.0.2, 6.0.3, 6.0.4, 6.0.5 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS Reference #: 1675415 Modified date: 2014-06-09 Security Bulletin Summary Curam is vulnerable to cross site scripting attack. Vulnerability Details CVEID: CVE-2014-3013 DESCRIPTION: Curam is vulnerable to cross site scripting attack caused by improper validation and sanitization of tags in custom JSPs or custom renderers that add text nodes to content that will be rendered onto the screen. A remote attacker could exploit this vulnerability by injecting a malicious code in the text which is being rendered into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. The user's session can be completely compromised, allowing an attacker to perform any action that the user can perform, monitor the session or steal the data viewed by the user. CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93011 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) Affected Products and Versions Curam Social Program Management All products are affected when running code releases 4.5 SP10, 5.0, 5.2, 5.2 SP1, 5.2 SP4, 5.2 SP4 DE, 5.2 SP5, 5.2 SP6, 6.0 SP2, 6.0.3.0, 6.0.4.0, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4. Remediation/Fixes Product VRMF Remediation/First Fix Curam SPM 4.5 SP10 Visit IBM Fix Central and upgrade to EP2 Curam SPM 5.0 Visit IBM Fix Central and upgrade to EP17 Curam SPM 5.2 Visit IBM Fix Central and upgrade to EP3 Curam SPM 5.2 SP1 Visit IBM Fix Central and upgrade to EP17 Curam SPM 5.2 SP4 Visit IBM Fix Central and upgrade to EP24 Curam SPM 5.2 SP4 DE Visit IBM Fix Central and upgrade to EP11 Curam SPM 5.2 SP5 Visit IBM Fix Central and upgrade to EP4 Curam SPM 5.2 SP6 Visit IBM Fix Central and upgrade to EP5 Curam SPM 6.0 SP2 Visit IBM Fix Central and upgrade to EP24 Curam SPM 6.0.3.0 Visit IBM Fix Central and upgrade to iFix 8 Curam SPM 6.0.4.0 Visit IBM Fix Central and upgrade to iFix 13 Curam SPM 6.0.4.3 Visit IBM Fix Central and upgrade to iFix 9 Curam SPM 6.0.4.4 Visit IBM Fix Central and upgrade to iFix 7 Curam SPM 6.0.4.5 Visit IBM Fix Central and upgrade to iFix 5 Curam SPM 6.0.5.2 Visit IBM Fix Central and upgrade to iFix 9 Curam SPM 6.0.5.3 Visit IBM Fix Central and upgrade to iFix 10 Curam SPM 6.0.5.4 Visit IBM Fix Central and upgrade to iFix 3 Workarounds and Mitigations None Important note IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 9 June 2014: Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Product Alias/Synonym Curam - ------------------------------------------------------------------------------- Security Bulletin: Curam is vulnerable to CRLF Injection attack (CVE-2014-3012) Document information More support for: Curam Social Program Management Software version: 5.2.1, 5.2.4, 6.0.4, 6.0.5 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS Reference #: 1675454 Modified date: 2014-06-09 Security Bulletin Summary Curam is vulnerable to CRLF Injection attack when not deployed on IBM WebSphere. Vulnerability Details CVEID: CVE-2014-3012 DESCRIPTION: IBM Curam Social Program Management, when not deployed on IBM WebSphere Application Server, is vulnerable to CRLF Injection attack caused by improper sanitization of the user supplied code that is output into an http response header field. A remote attacker could inject CRLF combinations into HTTP headers in the custom JSPs using multiple unspecified parameters, which will allow the attacker to take control of a user's session/credentials or in some cases to prepare and make the web application more amenable to future attacks. These come in many forms including cross site scripting and HTTP Response Splitting. CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93010 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) Affected Products and Versions Curam Social Program Management All products are affected when running code releases 5.2 SP1, 5.2 SP4, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4. Remediation/Fixes Product VRMF Remediation/First Fix Curam SPM 5.2 SP1 Visit IBM Fix Central and upgrade to EP17 Curam SPM 5.2 SP4 Visit IBM Fix Central and upgrade to EP24 Curam SPM 6.0.4.4 Visit IBM Fix Central and upgrade to iFix 7 Curam SPM 6.0.4.5 Visit IBM Fix Central and upgrade to iFix 5 Curam SPM 6.0.5.2 Visit IBM Fix Central and upgrade to iFix 9 Curam SPM 6.0.5.3 Visit IBM Fix Central and upgrade to iFix 10 Curam SPM 6.0.5.4 Visit IBM Fix Central and upgrade to iFix 3 Workarounds and Mitigations None Important note IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 9 June 2014: Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Product Alias/Synonym Curam - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU6OIARLndAQH1ShLAQKDYw//U2Mtzm2R40RkfZXbmHEr+apMuh7Q4Wju mwLtUAmUAg+tcZqFKwCYH5B19UOCPGusVI2s9eVTTSHHg7m4y1crIp6Paz6qnUpg JhBzrY+L8eNFErRabnwqbLgyNjo15MeXmda7TJSY4rM4IPwjxFwUHZ8ZkfYiuGEI iALS0AQL8EnTrsW77xzJZ7hon9phU15PMD22t1KBwsDpD9dtnY2E/GnltjLrYNNO oe1z+1U5nMJqQKH8khDI4nRpPpbKsnikfPP2TbS4SL1FPuuFIGQFg9hX3OoZ6bw8 FW/99qfe1/NaXK72qcamHizOStenwdPjjt7mFgVGrYTeAMRblpOXNJwk8vmnrZpl FD2kIRvIlcIGVB5qpgAbMqXKtoZulAMKfcOgyuaRk76yq79DOy6gIUf4TT3qBWeX HSXqJ/5/ESqo8CgYT6UozPOyYRQW2CNiqF19f6WSTBG/b78gBEyBmV9Uy6JaJPAK QVlaZbaeF8dOijMPnPNQWHqxuBjEYOPNYU2h3pHEwEVxsU0DoeoPMEzdrzwcyNUY az2BPvvUBvKeyIxkdDSzV7Xp5S37jB7IRiArcRwtEWaVHowwy4n7B7FOAPVbF14k SSOcRPILzKYuf2ki3duqexYvzm7jJrSB9EsrkkbGDt7I1T7T/bzDRt2uhlgPFpRu oLpUZKTKAEs= =ndPW -----END PGP SIGNATURE-----