Flashes (Alerts)
Abstract
Security Bulletin: Multiple security vulnerabilities in the IBM InfoSphere Information Server Suite.
Content
SUMMARY:
Security vulnerabilities exist in various versions of IBM Information Server or constituent products.
Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.
VULNERABILITY DETAILS:
CVE ID: CVE-2012-0203
DESCRIPTION: Cross-site scripting vulnerability could lead to unauthorized access to IBM Information Server Metadata Workbench
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73254 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere Metadata Workbench installed.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0204
DESCRIPTION:
IBM InfoSphere Information Server Import Export Manager is exposed to a DLL preloading attack. Using this attack, a malicious user who has access to a machine with the Import Export Manager installed could execute arbitrary commands in the context of any user who accesses the Import Export Manager application.
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73255 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5, 8.7 and 9.1 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5, 8.7 or 9.1 of IBM InfoSphere Import Export Manager installed.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Version 9.1:
--Apply the IBM InfoSphere Information Server Version 9.1 Fix Pack 1
Workaround(s):
None known
Mitigation:
None known
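Worked example, added to this edition of the bulletin: it is not IBM code and does not describe how Import Export Manager loads libraries. It models the default Windows DLL search order in Python and answers the question a reviewer asks about a DLL preloading report: for each DLL an application imports, can someone who controls a directory earlier in the search path than the legitimate copy (typically the current working directory, when the program is started from a document on a share) get their own file loaded instead? Directory names, DLL names, directory contents and the KnownDLLs subset are constructed for the example.

```python
# Model of the default Windows DLL search order (SafeDllSearchMode on) used to
# reason about DLL preloading. Directories and DLL names are constructed; the
# "filesystem" is an in-memory mapping so the example runs on any OS.

APP_DIR = r"C:\Program Files\ExampleApp"   # constructed install directory
SYSTEM32 = r"C:\Windows\System32"
CWD = "<cwd>"                               # wherever the process was started

# Order in which LoadLibrary("name.dll") looks when handed a bare file name.
DEFAULT_SEARCH_ORDER = [
    APP_DIR,                 # 1. directory the executable was loaded from
    SYSTEM32,                # 2. system directory
    r"C:\Windows\System",    # 3. 16-bit system directory
    r"C:\Windows",           # 4. Windows directory
    CWD,                     # 5. current working directory
    r"C:\Tools",             # 6. directories on PATH (one shown)
]

# What a process sees after it calls SetDllDirectory(""): the current
# directory is removed from the search.
HARDENED_SEARCH_ORDER = [d for d in DEFAULT_SEARCH_ORDER if d != CWD]

# KnownDLLs are always taken from the system directory regardless of the
# search order. Illustrative subset only.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}

# Constructed contents of the relevant directories.
FILESYSTEM = {
    APP_DIR:  {"exampleapp.exe"},
    SYSTEM32: {"kernel32.dll", "dwmapi.dll"},
}


def resolve_dll(name, search_order, filesystem=FILESYSTEM):
    """Return the first directory in search_order holding `name`, else None."""
    wanted = name.lower()
    for directory in search_order:
        if wanted in {f.lower() for f in filesystem.get(directory, ())}:
            return directory
    return None


def hijackable(name, search_order, writable, filesystem=FILESYSTEM):
    """True if someone who can write to a directory in `writable` can plant a
    DLL that the loader finds before the legitimate copy, or when no legitimate
    copy exists anywhere on the search path (a "phantom" DLL)."""
    if name.lower() in KNOWN_DLLS:
        return False              # resolved from System32 regardless of order
    legit = resolve_dll(name, search_order, filesystem)
    for directory in search_order:
        if directory == legit:
            return False          # real DLL is found before any writable dir
        if directory in writable:
            return True           # attacker's copy is reached first
    return False                  # not found, but nowhere to plant it either


def audit(imports, search_order, writable, filesystem=FILESYSTEM):
    """Map each imported DLL name to whether it is hijackable."""
    return {n: hijackable(n, search_order, writable, filesystem) for n in imports}


if __name__ == "__main__":
    # Scenario: the program is launched with its CWD on a share the attacker
    # controls, and it tries an optional helper DLL that is not installed.
    imports = ["kernel32.dll", "dwmapi.dll", "optionalhelper.dll"]
    print("default :", audit(imports, DEFAULT_SEARCH_ORDER, {CWD}))
    print("hardened:", audit(imports, HARDENED_SEARCH_ORDER, {CWD}))
```

The hardened order is what a process gets for itself by calling SetDllDirectory("") or loading with a fully qualified path; whether the affected product can be configured that way is not something this bulletin states, so the listed fix pack and MBB patch remain the remediation. The model is also useful the other way round: a DLL that is absent from every directory on the path is the highest-value finding in an audit, because the first writable directory wins.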
CVE ID: CVE-2012-0205
DESCRIPTION:
Unrestricted access to troubleshooting functionality may lead to unauthorized access or service interruption of IBM InfoSphere Metadata Workbench.
CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73265 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere Metadata Workbench installed.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0501
DESCRIPTION: Unspecified vulnerability in the Java Runtime Environment (JRE) component allows remote attackers to affect availability via unknown vectors. Authenticated access to IBM InfoSphere Information Server is required.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73195 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS:
Versions 8.5 and 8.7 of IBM Information Server running on all platforms are affected.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix:
For version 8.5:
--Apply the IBM Information Server version 8.5 Fix Pack 3
For version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0700
DESCRIPTION:
Insecure storage of user credentials in the IBM InfoSphere Information Server FastTrack client can lead to unauthorized access to IBM InfoSphere Information Server functionality.
CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73266 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere FastTrack installed.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Fast Track Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server 8.5 Fix Pack 3
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0701
DESCRIPTION:
Reliance on client side controls allows for privilege escalation within the IBM Information Server DataStage Administrator client.
CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73285 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
AFFECTED PRODUCTS:
IBM InfoSphere DataStage client applications of IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on Windows.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server DS Client Security Patch
Version 8.5:
--Apply the IBM Information Server 8.5 Fix Pack 3
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0702
DESCRIPTION:
Insecure authorization controls allow for privilege escalation within IBM InfoSphere Information Server.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73287 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
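Worked example, added to this edition of the bulletin and not IBM code: the three entries above (CVE-2012-0205, CVE-2012-0701 and CVE-2012-0702) share one root cause, an authorization decision that is either missing for a troubleshooting endpoint or taken on the basis of something the client sends. The Python below contrasts a handler that trusts a client-supplied flag with one that derives identity from the server-side session and checks a per-operation allowlist. Session store, role names and operation names are constructed and are not the product's own.

```python
# Server-side authorization versus trusting flags the client sends.
# Session store, roles and operation names are constructed for the example.


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


# Server-side session store: opaque session id -> authenticated principal.
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": {"developer"}},
    "sess-bob":   {"user": "bob",   "roles": {"suite_admin"}},
}

# Allowlist of roles per operation. Anything not listed is denied, which is
# what keeps a troubleshooting/diagnostic endpoint from being open to everyone.
PERMISSIONS = {
    "project.read":    {"developer", "suite_admin"},
    "project.delete":  {"suite_admin"},
    "diag.dump_state": {"suite_admin"},
}


def vulnerable_dispatch(request):
    """Client-side control: trusts an 'is_admin' flag the client supplies.
    Any user who edits the request body gets the admin operations."""
    op = request["op"]
    if op in ("project.delete", "diag.dump_state") and not request.get("is_admin"):
        raise Forbidden(op)
    return f"ok:{op}"


def secure_dispatch(request):
    """Identity comes only from the server-side session, and the decision is
    an allowlist lookup per operation; client-supplied fields play no part."""
    principal = SESSIONS.get(request.get("session"))
    if principal is None:
        raise Forbidden("unauthenticated")
    op = request["op"]
    allowed_roles = PERMISSIONS.get(op, set())      # unknown op -> deny
    if principal["roles"].isdisjoint(allowed_roles):
        raise Forbidden(f"{principal['user']} may not {op}")
    return f"ok:{op}"


def is_allowed(dispatch, request):
    """Boolean wrapper so the two handlers can be compared on one request."""
    try:
        dispatch(request)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # A developer session with a tampered request body.
    tampered = {"session": "sess-alice", "op": "project.delete", "is_admin": True}
    print("vulnerable:", is_allowed(vulnerable_dispatch, tampered))   # True
    print("secure    :", is_allowed(secure_dispatch, tampered))       # False
```

The point of the allowlist shape is the default: an endpoint nobody thought to register (a debug or troubleshooting URL, for instance) is denied rather than reachable, and the client's own claim about its privileges never enters the decision.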
CVE ID: CVE-2012-0703
DESCRIPTION:
Open URL redirection vulnerability may lead to unauthorized access to all the Information Server web browser applications.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73289 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
CVE ID: CVE-2012-0705
DESCRIPTION:
Lack of input validation in the Import Export Manager allows arbitrary command execution.
CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73292 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5, 8.7 and 9.1 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
--Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Version 9.1:
--Apply the IBM InfoSphere Information Server Version 9.1 Fix Pack 1
Workaround(s):
None known.
Mitigation:
None known.
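Worked example, added to this edition of the bulletin and not IBM code: the bulletin does not say which input reaches a command in Import Export Manager, so the Python below shows the general pattern behind "lack of input validation allows arbitrary command execution" and its two-layer fix. A user-supplied asset name is concatenated into a shell command string (vulnerable), then the same name is run through an allowlist and handed to the program as a list-form argv with no shell (hardened). The name policy and the use of echo as a stand-in for the real export tool are constructed for the example.

```python
import re
import subprocess

# Allowlist for a user-supplied asset name: first character a letter, digit or
# underscore, then only [A-Za-z0-9_.-], at most 64 characters. Constructed
# policy for the example, not the product's own rule.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_valid_name(name):
    """Reject path separators, whitespace, shell metacharacters and '..'."""
    return bool(NAME_RE.fullmatch(name)) and ".." not in name


def validate_name(name):
    if not is_valid_name(name):
        raise ValueError(f"rejected asset name: {name!r}")
    return name


def run_unsafe(name):
    """Vulnerable pattern: untrusted input concatenated into a shell command.
    'echo' stands in for the real export tool so the demo is harmless; a ';'
    in the name still starts a second command."""
    command = f"echo exporting {name}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def run_argv_only(name):
    """Second layer on its own: argv passed as a list never reaches a shell, so
    ';', '|', '$(...)' and friends arrive at the program as plain text."""
    return subprocess.run(["echo", "exporting", name],
                          capture_output=True, text=True).stdout


def run_safe(name):
    """Both layers: allowlist validation, then list-form argv."""
    return run_argv_only(validate_name(name))


if __name__ == "__main__":
    attack = "x; echo INJECTED"
    print("unsafe   :", repr(run_unsafe(attack)))       # two commands ran
    print("argv only:", repr(run_argv_only(attack)))    # one command, literal text
    print("valid?   :", is_valid_name(attack))          # False
    print("safe     :", repr(run_safe("job_42.dsx")))
```

Keep both layers: the allowlist is the control you can reason about, and the no-shell argv is what protects you on the day somebody extends the allowlist with a character that has meaning to sh. Run it on a POSIX system; the shell-string variant goes through /bin/sh.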
CVE ID: CVE-2012-2159
DESCRIPTION:
The IBM Eclipse Help System contains Open Redirect vulnerabilities. Some scripts used by the help system are vulnerable to redirects from trusted to un-trusted web sites when users click a malicious link.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known
Mitigation:
None known
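Worked example, added to this edition of the bulletin and not IBM code, covering the open redirect class reported for the Information Server web applications (CVE-2012-0703) and for the IBM Eclipse Help System (CVE-2012-2159): a redirect-target check in Python that accepts only a local absolute path or an http(s) URL whose host is on an allowlist, alongside the unchecked pattern. The trusted host name is constructed; the bulletin does not name the vulnerable parameters or scripts.

```python
from urllib.parse import urlsplit

# Hosts a "return to"/"next" parameter may send the browser to. Constructed.
TRUSTED_HOSTS = {"infoserver.example.com"}


def vulnerable_location(next_url):
    """Open redirect: echoes the parameter into the Location header unchecked."""
    return ("Location", next_url)


def is_safe_redirect(target, trusted_hosts=TRUSTED_HOSTS):
    """Allow only a local absolute path ('/x') or an http(s) URL whose host is
    on the allowlist. Rejects scheme-relative '//evil', backslashes (which
    browsers normalise to '/'), control characters, credentials before '@',
    and any non-http scheme such as javascript:."""
    if not target or any(c in target for c in "\\\r\n\t "):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in trusted_hosts      # hostname is lower-cased, port stripped


def safe_location(next_url, default="/"):
    """Redirect to the requested target only if it passes the check."""
    return ("Location", next_url if is_safe_redirect(next_url) else default)


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/", "https://infoserver.example.com@evil.example/",
                      "javascript:alert(1)", "https://infoserver.example.com/login"]:
        print(f"{candidate!r:55} -> {safe_location(candidate)}")
```

An allowlist of hosts is the robust form of the check; a substring test such as "contains infoserver.example.com" is defeated by the userinfo and subdomain cases in the block, and a "starts with /" test alone is defeated by "//host" and "/\host".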
CVE ID: CVE-2012-2161
DESCRIPTION:
The IBM Eclipse Help System contains Cross-Site Scripting vulnerabilities. The user needs to be tricked into entering a malformed URL into the browser, or into clicking a malformed URL link.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
The IBM Eclipse Help System can be removed from the Information Server installation. On-line help will not be available any longer but the vulnerability will also be removed. Contact IBM technical support for the details of the removal procedure.
Mitigation:
None known.
CVE ID: CVE-2012-4819
DESCRIPTION:
A cross-site scripting security vulnerability has been identified in several Information Server web interfaces (IBM InfoSphere Business Glossary, IBM InfoSphere DataStage Operation Console, IBM InfoSphere Administration, Reporting and Repository Management Web Console) that may lead to unauthorized access through phishing attacks to each of these web interfaces.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 and IBM InfoSphere Business Glossary Versions 8.1.1 and 8.1.2 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Repository Management (RM) Security Patch
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
If IBM InfoSphere Business Glossary is installed:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 (http://www-01.ibm.com/support/docview.wss?uid=swg24030326) if it has not already been installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Repository Management (RM) Security Patch
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
If IBM InfoSphere Business Glossary is installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
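Worked example, added to this edition of the bulletin and not IBM code, for the reflected cross-site scripting entries (CVE-2012-0203, CVE-2012-2161 and CVE-2012-4819): the bulletin does not name the reflected parameters, so the Python below uses a constructed search term that is written back into the page. It shows the unencoded reflection beside context-aware output encoding for element text, a quoted attribute, and a value embedded in an inline script string, which is the case plain HTML escaping does not cover.

```python
import html
import json


def render_unsafe(term):
    """Reflects a request parameter straight into the page (the XSS pattern)."""
    return (f"<p>Results for {term}</p>"
            f'<input name="q" value="{term}">')


def render_safe(term):
    """Encodes for the two contexts the value lands in: element text and a
    double-quoted attribute. html.escape(quote=True) covers &, <, >, " and '."""
    encoded = html.escape(term, quote=True)
    return (f"<p>Results for {encoded}</p>"
            f'<input name="q" value="{encoded}">')


def script_string_literal(term):
    """For a value dropped inside an inline <script> block: JSON-encode it,
    then escape '<' and '&' as \\u003c and \\u0026 so a '</script>' inside the
    value cannot close the block. The result is a valid JS string literal."""
    return json.dumps(term).replace("<", "\\u003c").replace("&", "\\u0026")


def injects_tag(rendered, tag="<script"):
    """True if the raw tag survived into the output (case-insensitive)."""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print("unsafe :", render_unsafe(payload))
    print("safe   :", render_safe(payload))
    print("script :", "var q = " + script_string_literal("</script><script>alert(1)</script>") + ";")
```

The rule the block illustrates is that encoding is chosen by destination, not by input: the same term needs HTML entity encoding in markup, JS string encoding inside a script, and URL encoding if it becomes part of a link. Input filtering on its own does not give that guarantee, which is why the fixes for this class of issue go into the rendering layer.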
CVE ID: CVE-2012-4832
DESCRIPTION:
Password field with auto-complete enabled could allow unauthorized access to IBM InfoSphere Information Server functionality.
CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78906 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 and IBM InfoSphere Business Glossary Versions 8.1.1 and 8.1.2 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
If IBM InfoSphere Business Glossary is installed
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 (http://www-01.ibm.com/support/docview.wss?uid=swg24030326) if it has not already been installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch
Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch
If IBM InfoSphere Business Glossary is installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch
Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2
Workaround(s):
None known.
Mitigation:
None known.
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73254
· CVE-2012-0203
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73255
· CVE-2012-0204
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73265
· CVE-2012-0205
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73195
· CVE-2012-0501
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73266
· CVE-2012-0700
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73285
· CVE-2012-0701
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73287
· CVE-2012-0702
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73289
· CVE-2012-0703
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73292
· CVE-2012-0705
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/74832
· CVE-2012-2159
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/74833
· CVE-2012-2161
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/78666
· CVE-2012-4819
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/78906
· CVE-2012-4832
RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
Some of these vulnerabilities were discovered by and reported to IBM by National Australia Bank’s Security Assurance team.
CHANGE HISTORY:
· 11 January 2013: Original copy published
· 13 March 2013: Added version 8.7 remediation details
· 28 March 2013: Added version 8.1 remediation details
· 29 April 2013: Added version 9.1 remediation details
· 09 September 2015: Updated link to CVSS Guide
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Document Information
Modified date:
25 September 2022
UID
swg21623501