Security Bulletin: Vulnerabilities in AppScan Source

Abstract

An advanced ethical hacking exercise conducted by IBM security experts, as part of the product testing mandated by the IBM Secure Engineering Framework, uncovered a series of security flaws in IBM Security AppScan Source for Analysis (previously known as IBM Rational AppScan Source Edition for Security) versions 7.0 through 8.5.0.1. These vulnerabilities are addressed in the recently released product version 8.6.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-2173

DESCRIPTION: When AppScan Source Core and AppScan Source clients connect to a solidDB database, the ODBC driver sends the connection password to the database as a SHA-1 hash.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75242 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

NOTE: Solaris customers please contact support for the fix details for that platform.

CVE ID: CVE-2012-0732

DESCRIPTION: Source clients currently ignore the server certificate when connecting to the ASE server, which opens the door to a man-in-the-middle attack. All Source clients should verify the authenticity of the certificate returned by the server and, if it cannot be validated, give the user the choice of how to proceed.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74389 for the current score
CVSS Environmental Score*:
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
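The remediation the description calls for, as an added example that is not AppScan's code: a Java trust manager that validates the server chain against the platform trust store and only asks the user when that validation fails, remembering what they accepted. A client that "ignores the certificate" is, in Java terms, an X509TrustManager whose checkServerTrusted body is empty; PromptingTrustManager and its UserDecision hook are hypothetical names.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

/** Added example (not AppScan code): validate the server chain against the JVM trust store first and
 *  only when that fails hand the decision to the user, remembering the leaf certificate they accepted. */
public final class PromptingTrustManager implements X509TrustManager {
    /** Hypothetical UI hook: returns true only if the user explicitly chooses to proceed. */
    public interface UserDecision { boolean proceed(String subject, String sha256Hex, String reason); }

    private final X509TrustManager platform;  // the JVM's default (cacerts) trust manager
    private final UserDecision ask;
    private final Set<String> accepted = ConcurrentHashMap.newKeySet(); // leaf fingerprints the user accepted

    public PromptingTrustManager(UserDecision ask) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the platform default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        if (found == null) throw new KeyStoreException("no X509TrustManager available");
        this.platform = found;
        this.ask = ask;
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty server certificate chain");
        try {
            platform.checkServerTrusted(chain, authType); // chains to a trusted root: nothing to ask
        } catch (CertificateException e) {
            String fp = fingerprint(chain[0]);
            if (accepted.contains(fp)) return; // the user already accepted this exact leaf
            if (!ask.proceed(chain[0].getSubjectX500Principal().getName(), fp, e.getMessage()))
                throw new CertificateException("server certificate not trusted: " + e.getMessage(), e);
            accepted.add(fp);
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType); // client certificates: default behaviour, no prompt
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** SHA-256 over the DER encoding, as lowercase hex (HexFormat needs Java 17+). */
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
}
```

Install it with `SSLContext.init(null, new TrustManager[]{tm}, null)`. This checks only that the chain is authentic, so still enable endpoint identification (`SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")`) so that the name in the certificate is checked against the host the client meant to reach.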

CVE ID: CVE-2012-2161

DESCRIPTION: The IEHS (IBM Eclipse Help System) component has a cross-site scripting vulnerability.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2159

DESCRIPTION: The IEHS (IBM Eclipse Help System) component has an open redirect vulnerability.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID(s): CVE-2011-3547, CVE-2011-3546, CVE-2011-3548, CVE-2011-3549, CVE-2011-3516, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3544, CVE-2011-3545, CVE-2011-3521, CVE-2011-3554, CVE-2011-3555, CVE-2011-3558, CVE-2011-3556, CVE-2011-3557, CVE-2011-3389, CVE-2011-3560, CVE-2011-3561

DESCRIPTION: Summary advisory describing multiple CVEs addressed in the latest IBM Java release, 6 SR10.

CVE-2011-3547
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70846 for the current score
CVSS Environmental Score*: 3.7
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3546
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70847 for the current score
CVSS Environmental Score*: 4.3
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-2011-3548
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70845 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3549
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70844 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3516
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70851 for the current score
CVSS Environmental Score*: 6.9
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3550
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70843 for the current score
CVSS Environmental Score*: 5.6
CVSS String: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVE-2011-3551
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70842 for the current score
CVSS Environmental Score*: 6.9
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3552
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70841 for the current score
CVSS Environmental Score*: 1.9
CVSS String: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-2011-3553
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70840 for the current score
CVSS Environmental Score*: 2.6
CVSS String: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE-2011-3544
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70849 for the current score
CVSS Environmental Score*: 8.3
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3545
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70848 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3554
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70839 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3555
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70838 for the current score
CVSS Environmental Score*: 3
CVSS String: (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVE-2011-3558
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70835 for the current score
CVSS Environmental Score*: 3.7
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3556
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70837 for the current score
CVSS Environmental Score*: 5.5
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2011-3557
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70836 for the current score
CVSS Environmental Score*: 5
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2011-3389
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70069 for the current score
CVSS Environmental Score*: 3.2
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-3560
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70834 for the current score
CVSS Environmental Score*: 4.7
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVE-2011-3561
CVSS Base Score: 1.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70833 for the current score
CVSS Environmental Score*: 1.3
CVSS String: (AV:A/AC:H/Au:N/C:P/I:N/A:N)

CVE ID(s): CVE-2012-0502, CVE-2012-0503, CVE-2012-0506, CVE-2012-0507, CVE-2011-3563, CVE-2012-0500, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0505, CVE-2011-5035, CVE-2012-0504

DESCRIPTION: Summary advisory describing multiple CVEs addressed in the latest IBM Java release, 6 SR10-FP1.

CVE-2012-0502
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73193 for the current score
CVSS Environmental Score*: 4.7
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0503
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73191 for the current score
CVSS Environmental Score*: 5.5
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0506
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73196 for the current score
CVSS Environmental Score*: 3.2
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2012-0507
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72513 for the current score
CVSS Environmental Score*: 7.7
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3563
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73194 for the current score
CVSS Environmental Score*: 4.7
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0500
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73188 for the current score
CVSS Environmental Score*: 8.3
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2012-0497
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73185 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2012-0498
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73186 for the current score
CVSS Environmental Score*: 7.4
CVSS String: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2012-0499
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73187 for the current score
CVSS Environmental Score*: 6.9
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2012-0501
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73195 for the current score
CVSS Environmental Score*: 3.7
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-0505
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73192 for the current score
CVSS Environmental Score*: 5.5
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2011-5035
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72015 for the current score
CVSS Environmental Score*: 4.1
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-0504
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73190 for the current score
CVSS Environmental Score*: 6.9
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS: Versions 7.0 through 8.5.0.1 of IBM Security AppScan Source (previously known as IBM Rational AppScan Source Edition) are affected.

REMEDIATION: The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

Fix: For IBM Security AppScan Source version 7.0 to version 8.5.0.1

    · Upgrade to version 8.6
    · If you are unable to upgrade to version 8.6, contact IBM Technical Support.

Workaround: Not applicable; upgrade to version 8.6.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2

*The CVSS Environmental Score is specific to the customer's environment and will ultimately affect the overall CVSS score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this alert.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information


More support for:

IBM Security AppScan Source
General Support Issues

Software version:

7.0, 8.0, 8.0.0.1, 8.0.0.2, 8.5, 8.5.0.1

Operating system(s):

Linux, Solaris, Windows

Reference #:

1598423

Modified date:

2012-08-27