IBM Support

PM95817: SECURITY RISKS AS A RESULT OF PSIRT SCANS.


APAR status

  • Closed as program error.

Error description

  • Here is a listing of some of the security issues that may be
    seen:
    
    - A remote attacker (unauthenticated) can send one HTTP request
    to retrieve the content of the application log files.
    
    - An attacker who is able to trick a user into clicking on a
    link may be able to execute a script of their choosing. This
    might be used to allow the attacker to steal or manipulate
    customer sessions and cookies, which might be used to impersonate
    a legitimate user, allowing the hacker to view or alter user
    records, and to perform transactions as that user.
    
    - An attacker who is able to trick a user into clicking on a
    link may be able to steal the credentials from the legitimate
    user.
    
    - A remote attacker can instruct the Eclipse Business
    Intelligence Reporting Tool ViewerServlet to parse a rogue XML
    file residing on the adjacent network (e.g. Windows share on the
    same LAN). Because the XML parser used is misconfigured, the
    <DOCTYPE> directive is allowed, and external XML entities can be
    defined and referenced. This allows the remote attacker to reach
    internal services behind the firewall, or to retrieve files from
    the server.
    
    - A remote attacker can retrieve system information, including
    file system paths, release number, environment variables and
    encrypted passwords with a simple URL. Because the passwords are
    encrypted with a hard-coded key (identical in every SPSS
    installation) there is the potential risk that the passwords
    can be decrypted. The encryption key can be found in the
    com/spss/crypto/common/GenericAlgorithm.class entry inside the file
    C:\qatest\ws8\profiles\AppSrv01\installedApps\w2k8nonr2Node01Cell\IBM_SPSS_Collaboration_and_Deployment_Services_6.0.ear\lib\crypto.jar
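
    The ViewerServlet issue above comes down to a JAXP parser that accepts a DOCTYPE. The following Java example, added here and not taken from the APAR or from the SPSS/BIRT code, contrasts the JDK default DocumentBuilderFactory with one configured to refuse DOCTYPE declarations; the class name and the sample document are constructed.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class DoctypeCheck {
    // Constructed sample (not from the APAR): a document whose DOCTYPE declares an
    // entity. An internal entity is used so the sample runs offline; a SYSTEM entity
    // pointing at file:// or a UNC share is accepted the same way by a lax parser.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE report [ <!ENTITY leak \"entity expanded\"> ]>\n"
        + "<report>&leak;</report>";

    // Hardened JAXP factory: refuse any DOCTYPE (so no entities can be declared) and,
    // for parsers that ignore that feature, disable external entity and DTD loading.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the root element's text if the factory accepted the document,
    // or null if the parser rejected it.
    static String parseRootText(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        // JDK default factory accepts the DOCTYPE and expands the entity;
        // the hardened factory rejects the document outright.
        System.out.println("default:  " + parseRootText(DocumentBuilderFactory.newInstance(), DOCTYPE_SAMPLE));
        System.out.println("hardened: " + parseRootText(hardenedFactory(), DOCTYPE_SAMPLE));
    }
}
```

    The same feature names apply to SAXParserFactory and XMLInputFactory-style parsers in the JDK; the point to verify on a deployed server is that the servlet's parser is built from a factory configured this way rather than from the default.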
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * SECURITY RISKS AS A RESULT OF PSIRT SCANS.                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Here is a listing of some of the security issues that may be *
    * seen:                                                        *
    *                                                              *
    * - A remote attacker (unauthenticated) can send one HTTP      *
    * request                                                      *
    * to retrieve the content of the application log files.        *
    *                                                              *
    * - An attacker who is able to trick a user into clicking on a *
    * link may be able to execute a script of their choosing.      *
    * This                                                         *
    * might be used to allow the attacker to steal or manipulate   *
    * customer session and cookies, which might be used to         *
    * impersonate                                                  *
    * a legitimate user, allowing the hacker to view or alter user *
    * records, and to perform transactions as that user.           *
    *                                                              *
    * - An attacker who is able to trick a user into clicking on a *
    * link may be able to steal the credentials from the           *
    * legitimate                                                   *
    * user.                                                        *
    *                                                              *
    * - A remote attacker can instruct the Eclipse Business        *
    * Intelligence Reporting Tool ViewerServlet to parse a rogue   *
    * XML                                                          *
    * file residing on the adjacent network (e.g. Windows share on *
    * the                                                          *
    * same LAN). Because the XML parser used is misconfigured, the *
    * <DOCTYPE> directive is allowed, and external XML entities    *
    * can be                                                       *
    * defined and referenced. This allows the remote attacker to   *
    * reach                                                        *
    * internal services behind the firewall, or to retrieve files  *
    * from                                                         *
    * the server.                                                  *
    *                                                              *
    * - A remote attacker can retrieve system information,         *
    * including                                                    *
    * File System paths, release number, environment variables and *
    * encrypted passwords with a simple URL. Because the passwords *
    * are                                                          *
    * encrypted with a hard-coded key (identical to every SPSS     *
    * installations) there is the potential risk that the          *
    * passwords                                                    *
    * can be decrypted. The encryption key can be found in the     *
    * com/spss/crypto/common/GenericAlgorithm.class entry inside   *
    * the                                                          *
    * C:\qatest\ws8\profiles\AppSrv01\installedApps\w2k8nonr2Node0 *
    * 1Cel                                                         *
    * l\IBM_SPSS_Collaboration_and_Deployment_Services_6.0.ear\lib *
    * \cry                                                         *
    * pto.jar file.                                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply C&DS 4.2.1.3 IF003 or C&DS 5.0 Fix Pack 3.             *
    ****************************************************************
    

Problem conclusion

  • Apply C&DS 4.2.1.3 IF003 or C&DS 5.0 Fix Pack 3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM95817

  • Reported component name

    SPSS CADS

  • Reported component ID

    5725A72CD

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-08-26

  • Closed date

    2013-12-10

  • Last modified date

    2013-12-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SPSS CADS

  • Fixed component ID

    5725A72CD

Applicable component levels

  • R500 PSY

       UP


Document Information

Modified date:
16 December 2013