System Packages Update Required to fix CVE-2012-2955/CVE-2012-2202 Vulnerabilities

Flash (Alert)


Abstract

Two vulnerabilities have been detected in the management interface of the affected products. The vulnerabilities are listed under CVE-2012-2955 and CVE-2012-2202. An update has been created by IBM Security Systems that addresses the vulnerabilities.

Content

Two vulnerabilities have been detected in the management interface of the affected products.
The vulnerabilities are:

  1. CVE-2012-2955: "Reflected XSS" allowing the execution of Javascript code as part of the management interface page displayed.
  2. CVE-2012-2202: An "Arbitrary File Read" which allows access to files the web server process has authorization to read/

Mitigating Factors:

Both attacks are post-authentication and require the attacker to have valid login credentials for the admin UI. The end user interface is not affected by these vulnerabilities.


Resolving the Issue:


An update has been created by IBM Security Systems that addresses the vulnerabilities.
Depending on the Firmware your system is running on, there are several options to proceed.


Firmware 2.8 or newer:
  • If you have enabled automatic System Package Updates no further action is necessary. The system will download install the update automatically.
  • If you do manual System Package Updates:
    - Log in to the Management Console
    - Go to "Updates" -> "Updates & Licensing"
    - Install all pending System Package Updates
Firmware 2.5:

Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Network Mail Security System Firmware 2.5, 2.5.1, 2.6, 2.5.0.2, 2.8 All Editions

Rate this page:

(0 users)Average rating

Document information


More support for:

Lotus Protector for Mail Security

Software version:

2.5, 2.5.1, 2.8

Operating system(s):

Linux

Software edition:

All Editions

Reference #:

1605199

Modified date:

2012-07-18

Translate my page

Machine Translation

Content navigation