Security Bulletin: Open redirect and cross-site scripting vulnerabilities in the IBM Data Studio help system (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467)

Flash (Alert)


Abstract

The Eclipse components that display the help content in IBM Data Studio version 3.1 and 3.1.1 are vulnerable to redirect and cross-site scripting attacks.

Content

AFFECTED PRODUCTS:

IBM Data Studio version 3.1 and 3.1.1 running on Microsoft Windows or Linux operating systems.


Common Vulnerabilities and Exposures (CVE)

CVE-2012-2159
Description: The IBM Data Studio Help system contains an open redirect vulnerability. A Data Studio user needs to be tricked into entering a malformed URL into the browser or clicking a malformed URL link. For more information, see http://xforce.iss.net/xforce/xfdb/74832.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2012-2161
Description: The IBM Data Studio Help system contains a cross-site scripting vulnerability. A Data Studio user needs to be tricked into entering a malformed URL into the browser or clicking a malformed URL link. For more information, see http://xforce.iss.net/xforce/xfdb/74833.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-0467
Description: The IBM Data Studio Help system contains a vulnerability that could allow disclosure of source code on the help system server. For more information, see http://xforce.iss.net/xforce/xfdb/81102.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

REMEDIATION:

Fix:

Upgrade to IBM Data Studio 3.2:

http://www.ibm.com/developerworks/downloads/im/data/

Workaround:

Access the IBM Data Studio Information Center on the web:

http://pic.dhe.ibm.com/infocenter/dstudio/v3r2/index.jsp

Mitigation:

Do not use URLs or click on links to the Data Studio help system that are provided to you by untrusted sources. You should not use a URL that contains extra parameters or text unrelated to the Data Studio help system.


REFERENCES:


· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (74832)
· X-Force Vulnerability Database (74833)
· X-Force Vulnerability Database (81102)
· CVE-2012-2159
· CVE-2012-2161
· CVE-2013-0467


RELATED INFORMATION:


IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program

CHANGE HISTORY:

15 February 2013: Original publication.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

IBM Data Studio
General

Software version:

3.1, 3.1.1

Operating system(s):

Linux, Windows

Software edition:

IBM Data Studio

Reference #:

1625573

Modified date:

2014-04-14
