Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2307
Security vulnerabilities in IBM Eclipse Help System bundled
with WebSphere Transformation Extender
5 December 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere Transformation Extender
Publisher: IBM
Operating System: Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0599 CVE-2013-0467 CVE-2013-0464
Reference: ESB-2014.1465
ESB-2014.0781
ESB-2014.0717
ESB-2013.1625
ESB-2013.0736
ESB-2013.0324
ESB-2013.0221
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21640363
- --------------------------BEGIN INCLUDED TEXT--------------------
Security vulnerabilities in IBM Eclipse Help System bundled with WebSphere
Transformation Extender
Document information
More support for:
WebSphere Transformation Extender
Design Studio
Software version:
8.4, 8.4.0.0, 8.4.0.1, 8.4.0.2, 8.4.0.3
Operating system(s):
Windows
Reference #:
1640363
Modified date:
2014-12-04
Flash (Alert)
Abstract
Security vunlerabilities in IBM Eclipse Help System bundled with WebSphere
Transformation Center Design Tools
Content
CVE-2013-0599
A security vulnerability in IBM Eclipse Help System could allow remote
attackers to obtain sensitive information by providing a crafted parameter
path and then reading the debug information associated with the 500 HTTP
status code.
More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0599
CVE-2013-0464
Multiple cross-site scripting (XSS) vulnerabilities in IBM Eclipse Help
System (IEHS) 3.4.3 and 3.6.2, as used in IBM SPSS Data Collection 6.0,
6.0.1, and 7.0, allow remote attackers to inject arbitrary web script or
HTML via a crafted URL.
More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0464
CVE-2013-0467
IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1.1
and other products, allows remote authenticated users to read source code
via a crafted URL
More details are available at:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0467
Recommended action:
Install Websphere Transformation Extender release 8.4.0.4 or
download the replacement IBM Eclipse Help System modules from:
http://submit.boulder.ibm.com/infocenter/idwb/v3r8m4/index.jsp?topic=/com.ibm.iehs.home/doc/fixes.html
Related information
IEHS Interim fix distributions
CVE Database entry
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVIE4JxLndAQH1ShLAQLLiRAArtHG8V9gu9tSLN8lAkbrxb/QjDb36zJD
i8LBYIBw38Po8x17YjLRU1kPM6KyMeHmvXA18tlXuxDgKYR2QMlt1in7mF9TNQ0x
hNRBpR1KoFEKfkX3VmHTJhvdabv7Fsn3cr5g6chEXpXUvwYz2zdFeKJF2c5IV8ah
d5lngZps0/0JrNOvgLRBHotuaE+MVuHiKp9WiGbXF81vjqb5B8l5f7DXAhN2SLjP
No0Muj25V/VhLL5jPaXzTgMLI3hVpxHjJwXoU45ox3TbiyZfVMCtxHAeqpy7Vo/W
HoOykgd/gL+EBBgrbA/VjOIYb8fWlTR8qupQH1+ZMQs07qslVW8SalzlJuJrGpHE
L6CfqaXCp5YFwrYYiWYXHagVHgY/n+6g0Hma9/qzRYwJUTujCdGoaGHuOz7cWOb1
qW4qJk2VBYqqVlVgMUY7YKSxchPBm6ANhL8WP31GntHAEh2oeSTLEafqQ/y8OKbs
1B0Pnjgbf9uiAH3zdU4Zzx3VTBtjXPxf+GbSAcsYxWvcQAJ+3NEx68Bq5rHMdpLJ
2YULiQdZyR0OEF1HwnbtRNHKJGVKhYaARRWPOwqQ6YLVzdRwg+CPQiprf0LF5TcF
ZzWhEI2Ps80tJHVk/i6wUMr1EIvubJU5gEPQqjlsgZ9QArPLlcubo8MrT4EhwQN7
Y1GAJWn1oBQ=
=Yyno
-----END PGP SIGNATURE-----