System Packages Update Required to fix CVE-2012-2955 Vulnerability

Flash (Alert)


Abstract

A vulnerability has been detected in the management interface of the affected products. The vulnerability is listed under CVE-2012-2955. An update has been created by IBM Security Systems that addresses the vulnerabilities.

Content

A vulnerability has been detected in the management interface of the affected products.
The vulnerability consists of two parts:
First, a "Reflected XSS" that allows attacker-supplied script to execute as part of the management interface page displayed to the logged-in administrator.
Second, an "Arbitrary File Read" that allows plain-text read access to every file the web server process is authorized to read.

The vulnerability is listed under CVE-2012-2955.



Mitigating Factors:

Both attacks are post-authentication and require the attacker to have valid login credentials for the admin UI.
The end user interface is not affected by these vulnerabilities.


Solving the issue:

An update has been created by IBM Security Systems that addresses the vulnerabilities.
Depending on the firmware version your system is running, there are several options to proceed.


Firmware 2.8 or newer:
- If you have enabled automatic System Package Updates, no further action is necessary. The system will download and install the update automatically.
- If you do manual System Package Updates:
  - Log in to the Management Console
  - Go to "Updates" -> "Updates & Licensing"
  - Install all pending System Package Updates


Firmware 2.5:
- The update must be installed manually:
  - SSH to the system (log in as 'root')
  - Run "wget http://upload.cobion.com/download/pnmss/repotools-1.1.3-16059.i586.rpm"
  - Run "rpm -ihv repotools-1.1.3-16059.i586.rpm"
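The following script is an added example and is not part of the IBM advisory or of the product's own tooling. It shows two checks a practitioner would want around the manual Firmware 2.5 procedure above: an integrity check on the downloaded RPM before installing it (the advisory's download URL is plain HTTP, so rpm's own digest/signature check is the only verification available; whether IBM signed the package and which key to import is an assumption you must confirm), and a version comparison against repotools 1.1.3-16059, the package named on this page, so you can confirm before and after the install whether the fix is present. The package name, the query format string and the "patched"/"vulnerable" wording are assumptions made for this example; the version-comparison logic is generic and also works for other dot/dash-separated numeric version strings.

```shell
#!/bin/sh
# Added example, not from the IBM advisory. Verifies the manual Firmware 2.5
# repotools update for CVE-2012-2955.
# Assumptions: the fix ships in repotools-1.1.3-16059 (the RPM named on the
# page) and the package is queryable as "repotools" via rpm.

FIXED_VERSION="1.1.3-16059"   # VERSION-RELEASE from the advisory's RPM file name

# version_ge A B: return 0 if A >= B, 1 otherwise.
# Both arguments are RPM-style "VERSION-RELEASE" strings whose fields are
# numeric (e.g. 1.1.3-16059). Fields are compared left to right; a missing
# trailing field counts as 0, so "1.1.3" equals "1.1.3-0".
version_ge() {
    left=$(printf '%s\n' "$1" | tr '.-' '\n\n')
    right=$(printf '%s\n' "$2" | tr '.-' '\n\n')
    i=1
    while :; do
        lf=$(printf '%s\n' "$left" | sed -n "${i}p")
        rf=$(printf '%s\n' "$right" | sed -n "${i}p")
        if [ -z "$lf" ] && [ -z "$rf" ]; then
            return 0            # all fields equal
        fi
        lf=${lf:-0}
        rf=${rf:-0}
        if [ "$lf" -gt "$rf" ]; then return 0; fi
        if [ "$lf" -lt "$rf" ]; then return 1; fi
        i=$((i + 1))
    done
}

# patch_status INSTALLED_VERSION: print "patched" if the given VERSION-RELEASE
# string (as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}' repotools`) is at
# or above the fixed version, otherwise "vulnerable".
patch_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# verify_rpm_file FILE: run rpm's digest and signature check on the downloaded
# package before `rpm -ihv`. Because the advisory fetches it over plain HTTP,
# this is the only integrity check available. A GPG signature result is only
# meaningful if the vendor's public key was first imported with `rpm --import`
# (assumption: IBM signs the package; confirm this before relying on it).
verify_rpm_file() {
    rpm -K "$1"
}

# check_system: query the live appliance and print its patch status.
# Returns 2 if repotools is not installed at all.
check_system() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' repotools 2>/dev/null) || {
        echo "repotools not installed"
        return 2
    }
    echo "installed repotools $installed: $(patch_status "$installed")"
}

# Usage on the appliance (as root):
#   sh check_repotools.sh --live            # before and after the rpm install
#   sh check_repotools.sh --verify FILE     # rpm -K on the downloaded package
case "${1:-}" in
    --live)   check_system ;;
    --verify) verify_rpm_file "$2" ;;
esac
```

Note that `rpm -ihv` installs a package alongside any version already present; if an older repotools is already installed and the install reports file conflicts, `rpm -Uvh` (upgrade) is the usual alternative, but follow the advisory's command unless it fails.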

Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Network Mail Security System Not Applicable Firmware 2.5, 2.5.1, 2.6, 2.5.0.2, 2.8 All Editions


Document information


More support for:

Lotus Protector for Mail Security

Software version:

2.5, 2.5.1, 2.8

Operating system(s):

Linux

Software edition:

All Editions

Reference #:

1605172

Modified date:

2013-04-30
