
System Packages Update Required to fix CVE-2012-2955/CVE-2012-2202 Vulnerabilities


Flash (Alert)


Abstract

Two vulnerabilities have been detected in the management interface of the affected products. The vulnerabilities are listed under CVE-2012-2955 and CVE-2012-2202. An update has been created by IBM Security Systems that addresses the vulnerabilities.

Content

Two vulnerabilities have been detected in the management interface of the affected products.
The vulnerabilities are:

  1. CVE-2012-2955: "Reflected XSS" allowing the execution of JavaScript code as part of the displayed management interface page.
  2. CVE-2012-2202: An "Arbitrary File Read" which allows access to files that the web server process is authorized to read.

Mitigating Factors:

Both attacks are post-authentication and require the attacker to have valid login credentials for the admin UI. The end user interface is not affected by these vulnerabilities.


Resolving the Issue:


An update has been created by IBM Security Systems that addresses the vulnerabilities.
Depending on the firmware version your system is running, there are several options to proceed.


Firmware 2.8 or newer:
  • If you have enabled automatic System Package Updates, no further action is necessary. The system will download and install the update automatically.
  • If you do manual System Package Updates:
    - Log in to the Management Console
    - Go to "Updates" -> "Updates & Licensing"
    - Install all pending System Package Updates
Firmware 2.5:


    Cross reference information
    Segment Product Component Platform Version Edition
    Security Proventia Network Mail Security System Firmware 2.5, 2.5.1, 2.6, 2.5.0.2, 2.8 All Editions


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

Lotus Protector for Mail Security


Software version:
2.5, 2.5.1, 2.8


Operating system(s):
Linux


Software edition:
All Editions


Reference #:
1605199


Modified date:
2012-07-18
