Security Bulletin: Multiple security vulnerabilities in the IBM InfoSphere Information Server Suite.

Content

SUMMARY:
Security vulnerabilities exist in various versions of IBM Information Server or constituent products.

Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.


VULNERABILITY DETAILS:

CVE ID: CVE-2012-0203

DESCRIPTION: Cross-site scripting vulnerability could lead to unauthorized access to IBM Information Server Metadata Workbench

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73254 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1
, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere Metadata Workbench installed.

REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2


Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0204

DESCRIPTION:

IBM InfoSphere Information Server Import Export Manager is exposed to a DLL preloading attack. Using this attack, a malicious user who has access to a machine with the Import Export Manager installed could execute arbitrary commands in the context of any user who accesses the Import Export Manager application.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73255 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5, 8.7 and 9.1 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5, 8.7 or 9.1 of IBM InfoSphere Import Export Manager installed.

REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Version 9.1:
--Apply the IBM InfoSphere Information Server Version 9.1 Fix Pack 1


Workaround(s):
None known

Mitigation:
None known


CVE ID: CVE-2012-0205

DESCRIPTION:
Unrestricted access to troubleshooting functionality may lead to unauthorized access or service interruption of IBM InfoSphere Metadata Workbench.

CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73265 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere Metadata Workbench installed.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Metadata Workbench (MWB) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0501

DESCRIPTION: Unspecified vulnerability in the Java Runtime Environment (JRE) component allows remote attackers to affect availability via unknown vectors. Authenticated access to IBM InfoSphere Information Server is required.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73195 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS:
Versions 8.5 and 8.7 of IBM Information Server running on all platforms are affected.

REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix:
For version 8.5:
--Apply the IBM Information Server version 8.5 Fix Pack 3

For version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0700

DESCRIPTION:
Insecure storage of user credentials in the IBM InfoSphere Information Server FastTrack client can lead to unauthorized access to IBM InfoSphere Information Server functionality.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73266 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms with Versions 8.1, 8.1.1, 8.1.2, 8.5 or 8.7 of IBM InfoSphere FastTrack installed.

REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server Fast Track Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server 8.5 Fix Pack 3

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2


Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0701

DESCRIPTION:
Reliance on client side controls allows for privilege escalation within the IBM Information Server DataStage Administrator client.

CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73285 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM InfoSphere DataStage client applications of IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on Windows.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information DS Client Security Patch

Version 8.5:
--Apply the IBM Information Server 8.5 Fix Pack 3

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0702

DESCRIPTION:
Insecure authorization controls allow for privilege escalation within IBM InfoSphere Information Server.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73287 for the current score

CVSS Environmental Score: undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0703

DESCRIPTION:
Open URL redirection vulnerability may lead to unauthorized access to all the Information Server web browser applications.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73289 for the current score
CVSS Environmental Score: undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-0705

DESCRIPTION:
Lack of input validation in the Import Export Manager allows arbitrary command execution.

CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73292 for the current score
CVSS Environmental Score: undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5, 8.7 and 9.1 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Version 8.1:
--Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version 8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server MetaBrokers & Bridges (MBB) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Version 9.1:
--Apply the IBM InfoSphere Information Server Version 9.1 Fix Pack 1


Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-2159

DESCRIPTION:
The IBM Eclipse Help System contains Open Redirect vulnerabilities. Some scripts used by the help system are vulnerable to redirects from trusted to un-trusted web sites when users click a malicious link.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known

Mitigation:
None known


CVE ID: CVE-2012-2161

DESCRIPTION:
The IBM Eclipse Help System contains Cross-Site Scripting vulnerabilities. The user needs to be tricked into inserting mal-formed URL addresses into the browser, or click on a mal-formed URL link.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Version 8.1:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
The IBM Eclipse Help System can be removed from the Information Server installation. On-line help will not be available any longer but the vulnerability will also be removed. Contact IBM technical support for the details of the removal procedure.

Mitigation:
None known.


CVE ID: CVE-2012-4819

DESCRIPTION:
A cross-site scripting security vulnerability has been identified in several Information Server web interfaces (IBM InfoSphere Business Glossary, IBM InfoSphere DataStage Operation Console, IBM InfoSphere Administration, Reporting and Repository Management Web Console) that may lead to unauthorized access through phishing attacks to each of these web interfaces.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 and IBM InfoSphere Business Glossary Versions 8.1.1 and 8.1.2 running on all platforms.

REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Repository Management (RM) Security Patch
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

If IBM InfoSphere Business Glossary is installed:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version HYPERLINK "http://www-01.ibm.com/support/docview.wss?uid=swg24030326"8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Repository Management (RM) Security Patch
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

If IBM InfoSphere Business Glossary is installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2


Workaround(s):
None known.

Mitigation:
None known.


CVE ID: CVE-2012-4832

DESCRIPTION:
Password field with auto-complete enabled could allow unauthorized access to IBM InfoSphere Information Server functionality.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78906 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM InfoSphere Information Server Versions 8.1, 8.5 and 8.7 and IBM InfoSphere Business Glossary Versions 8.1.1 and 8.1.2 running on all platforms.
REMEDIATION:
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

Fix(es):
Versions 8.1, 8.1.1, 8.1.2:
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

If IBM InfoSphere Business Glossary is installed
-- Apply the IBM InfoSphere Information Server version 8.1 Fix Pack 2 if it has not already been installed
-- Apply the IBM InfoSphere Information Server version HYPERLINK "http://www-01.ibm.com/support/docview.wss?uid=swg24030326"8.1.2 Fix Pack 5 if it has not already been installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch

Version 8.5:
--Apply the IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) Security Patch

If IBM InfoSphere Business Glossary is installed
--Apply the IBM InfoSphere Business Glossary (BG) Security Patch

Version 8.7:
--Apply the IBM InfoSphere Information Server version 8.7 Fix Pack 2

Workaround(s):
None known.

Mitigation:
None known.



REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73254
· CVE-2012-0203
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73255
· CVE-2012-0204
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73265
· CVE-2012-0205
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73195
· CVE-2012-0501
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73266
· CVE-2012-0700
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73285
· CVE-2012-0701
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73287
· CVE-2012-0702
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73289
· CVE-2012-0703
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/73292
· CVE-2012-0705
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/74832
· CVE-2012-2159
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/74833
· CVE-2012-2161
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/78666
· CVE-2012-4819
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/78906
· CVE-2012-4832

RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT:
Some of these vulnerabilities were discovered by and reported to IBM by National Australia Bank’s Security Assurance team.

CHANGE HISTORY:
· 11 January 2013: Original copy published
· 13 March 2013: Added version 8.7 remediation details
· 28 March 2013: Added version 8.1 remediation details
· 29 April 2013: Added version 9.1 remediation details
· 09 September 2015: Updated link to CVSS Guide

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.