System Packages Update Required to fix CVE-2012-2955 Vulnerability
A vulnerability has been detected in the management interface of the affected products. The vulnerability is listed under CVE-2012-2955. An update has been created by IBM Security Systems that addresses the vulnerabilities.
A vulnerability has been detected in the management interface of the affected products.
The vulnerability consists of two parts.
First "Reflected XSS" allowing the execution of external code as part of the management interface page displayed.
Second an "Arbitrary File Read" which allows plain text read access to all files the web server process has authorization to.
The vulnerability is listed under CVE-2012-2955.
Both attacks are post-authentication and require the attacker to have valid login credentials for the admin UI.
The end user interface is not affected by these vulnerabilities.
Solving the issue:
An update has been created by IBM Security Systems that addresses the vulnerabilities.
Depending on the Firmware your system is running on there are several options to proceed.
Firmware 2.8 or newer:
- If you have enabled automatic System Package Updates no further action is necessary. The system will download install the update automatically.
- If you do manual System Package Updates:
- Log in to the Management Console
- Go to "Updates" -> "Updates & Licensing"
- Install all pending System Package Updates
- The update must be installed manually
- SSH to the system (log in as 'root')
- Run "wget http://upload.cobion.com/download/pnmss/repotools-1.1.3-16059.i586.rpm"
- Run "rpm -ihv repotools-1.1.3-16059.i586.rpm"
|Security||Proventia Network Mail Security System||Not Applicable||Firmware||2.5, 2.5.1, 2.6, 126.96.36.199, 2.8||All Editions|
More support for:
Lotus Protector for Mail Security
Software version: 2.5, 2.5.1, 2.8
Operating system(s): Linux
Software edition: All Editions
Reference #: 1605172
Modified date: 2013-04-30