APAR status
Closed as program error.
Error description
Here is a listing of some of the security issues that may be seen:

- A remote attacker (unauthenticated) can send one HTTP request to retrieve the content of the application log files.
- An attacker who is able to trick a user into clicking on a link may be able to execute a script of their choosing. This might be used to allow the attacker to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
- An attacker who is able to trick a user into clicking on a link may be able to steal the credentials from the legitimate user.
- A remote attacker can instruct the Eclipse Business Intelligence Reporting Tool ViewerServlet to parse a rogue XML file residing on the adjacent network (e.g. a Windows share on the same LAN). Because the XML parser used is misconfigured, the <!DOCTYPE> directive is allowed, and external XML entities can be defined and referenced. This allows the remote attacker to reach internal services behind the firewall, or to retrieve files from the server.
- A remote attacker can retrieve system information, including file system paths, release number, environment variables and encrypted passwords with a simple URL. Because the passwords are encrypted with a hard-coded key (identical in every SPSS installation) there is the potential risk that the passwords can be decrypted. The encryption key can be found in the com/spss/crypto/common/GenericAlgorithm.class entry inside the C:\qatest\ws8\profiles\AppSrv01\installedApps\w2k8nonr2Node01Cell\IBM_SPSS_Collaboration_and_Deployment_Services_6.0.ear\lib\crypto.jar file.
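The fourth issue above is fixed on the parser side: a JAXP parser that refuses any DOCTYPE never declares or resolves an external entity, so neither the file read nor the internal-network request can happen. As an added example that is not code from the APAR, from IBM or from Eclipse BIRT, the following hypothetical Java class shows those hardened settings together with a constructed DOCTYPE-bearing input that such a parser rejects; the class name, both sample documents and the placeholder entity URI are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical example (not IBM or BIRT code): a JAXP parser that refuses DOCTYPE and external entities. */
public class HardenedXmlParser {

    // Constructed sample: a document carrying a DOCTYPE with an external entity
    // declaration, the shape of input the APAR says the misconfigured parser accepted.
    // The SYSTEM URI is a placeholder; with the hardened parser it is never resolved.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE report [ <!ENTITY ext SYSTEM \"file:///placeholder-path\"> ]>\n" +
        "<report>&ext;</report>";

    // Constructed sample: an ordinary document without a DOCTYPE, which must still parse.
    static final String SAMPLE_PLAIN = "<report><title>Quarterly</title></report>";

    /** Builds a DocumentBuilder with DOCTYPE and external entity resolution disabled. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any <!DOCTYPE>; this one feature closes the hole the APAR describes.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder db = f.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors but keeps the default "[Fatal Error]" noise off stderr.
        db.setErrorHandler(new DefaultHandler());
        return db;
    }

    /** Returns the root element name, or null when the hardened parser rejects the input. */
    public static String parseRootName(String xml) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself is a fatal parse error,
            // raised before any entity declaration is processed or resolved.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document root: " + parseRootName(SAMPLE_PLAIN));
        System.out.println("DOCTYPE document root: " + parseRootName(SAMPLE_WITH_DOCTYPE));
    }
}
```

Running the class prints `report` for the plain document and `null` for the DOCTYPE-bearing one. Detection-wise, the same rejection can be logged: every SAXParseException whose message mentions a disallowed DOCTYPE on an endpoint that should only ever receive plain report XML is worth an alert, since legitimate clients have no reason to send one.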
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* SECURITY RISKS AS A RESULT OF PSIRT SCANS.                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* Here is a listing of some of the security issues that may be *
* seen:                                                        *
*                                                              *
* - A remote attacker (unauthenticated) can send one HTTP      *
*   request to retrieve the content of the application log     *
*   files.                                                     *
*                                                              *
* - An attacker who is able to trick a user into clicking on a *
*   link may be able to execute a script of their choosing.    *
*   This might be used to allow the attacker to steal or       *
*   manipulate customer session and cookies, which might be    *
*   used to impersonate a legitimate user, allowing the hacker *
*   to view or alter user records, and to perform transactions *
*   as that user.                                              *
*                                                              *
* - An attacker who is able to trick a user into clicking on a *
*   link may be able to steal the credentials from the         *
*   legitimate user.                                           *
*                                                              *
* - A remote attacker can instruct the Eclipse Business        *
*   Intelligence Reporting Tool ViewerServlet to parse a rogue *
*   XML file residing on the adjacent network (e.g. Windows    *
*   share on the same LAN). Because the XML parser used is     *
*   misconfigured, the <!DOCTYPE> directive is allowed, and    *
*   external XML entities can be defined and referenced. This  *
*   allows the remote attacker to reach internal services      *
*   behind the firewall, or to retrieve files from the server. *
*                                                              *
* - A remote attacker can retrieve system information,         *
*   including File System paths, release number, environment   *
*   variables and encrypted passwords with a simple URL.       *
*   Because the passwords are encrypted with a hard-coded key  *
*   (identical in every SPSS installation) there is the        *
*   potential risk that the passwords can be decrypted. The    *
*   encryption key can be found in the                         *
*   com/spss/crypto/common/GenericAlgorithm.class entry inside *
*   the                                                        *
*   C:\qatest\ws8\profiles\AppSrv01\installedApps\             *
*   w2k8nonr2Node01Cell\                                       *
*   IBM_SPSS_Collaboration_and_Deployment_Services_6.0.ear\    *
*   lib\crypto.jar file.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Apply C&DS 4.2.1.3 IF003 or C&DS 5.0 Fix Pack 3.             *
****************************************************************
Problem conclusion
Apply C&DS 4.2.1.3 IF003 or C&DS 5.0 Fix Pack 3.
Temporary fix
Comments
APAR Information
APAR number
PM95817
Reported component name
SPSS CADS
Reported component ID
5725A72CD
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-08-26
Closed date
2013-12-10
Last modified date
2013-12-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SPSS CADS
Fixed component ID
5725A72CD
Applicable component levels
R500 PSY
UP
Business Unit
IBM Software w/o TPS
Product
IBM SPSS Collaboration and Deployment Services
Platform
Platform Independent
Version
5.0
Line of Business
Data and AI
Document Information
Modified date:
16 December 2013