Security Bulletin: Multiple vulnerabilities in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite (CVE-2013-2953, CVE-2013-2954, CVE-2013-2955, CVE-2013-2956, CVE-2013-2957, CVE-2013-2959)

Flash (Alert)


Abstract

Multiple vulnerabilities have been identified in the Optim E-Business Console. Together they expose the product to phishing attacks, to interception of login credentials on the network, and to a complete bypass of the login itself.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-2953

DESCRIPTION: Use of MD5 as SSL Certificate Signature Algorithm –
The certificate used to secure communication with the console is signed with MD5. MD5 is obsolete as a certificate signature algorithm: practical collision attacks against it have been used to forge certificates that carry a valid signature, which allows an attacker to impersonate the console in phishing attacks. To check a deployment, retrieve the served certificate (for example with openssl s_client -connect host:port followed by openssl x509 -noout -text) and look for md5WithRSAEncryption in the Signature Algorithm field.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2954

DESCRIPTION: Inadequate Account Lockout – The Optim E-Business Console login page does not lock or throttle an account after repeated incorrect login attempts, so an attacker can guess passwords by brute force without being slowed down.

CVSS:
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83663 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/AU:S/C:C/I:N/A:N)

CVE ID: CVE-2013-2955

DESCRIPTION: Stored Cross-Site Scripting – A user who enters a malformed URL into their browser, or clicks a malformed URL link, could have attacker-supplied script executed in the context of the console, allowing the attacker to collect sensitive data.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83664 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2956

DESCRIPTION: Authentication Bypass Using SQL Injection – The credentials submitted to the Optim E-Business Console login form are used in a SQL query without proper sanitization, so a crafted username or password can alter the query and bypass authentication. An exploit will not impact accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.
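The following is an added example, not IBM's code: it shows the login query pattern that CVE-2013-2956 describes beside a parameterized replacement, and wraps the safe version in the account lockout that CVE-2013-2954 says is missing. The users table, the account name, the password-hashing scheme and the lockout thresholds are all assumptions; the console's real schema and queries are not public.

```python
"""Added example (not IBM's code): SQL-injection login bypass next to a
parameterized login with account lockout. Table layout, account and
thresholds are assumptions made for this demonstration."""
import hashlib
import hmac
import os
import sqlite3
import time

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account. The cleartext `password` column
    exists only so the vulnerable query can compare it in SQL; the safe path
    uses the salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT,"
                 " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("admin", "c0rrect-horse", salt, hash_password("c0rrect-horse", salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The anti-pattern: user input concatenated into the SQL text, so a
    username of admin'-- or a password of ' OR '1'='1 rewrites the WHERE clause."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter for the lookup; the password never touches SQL at all."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown users
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


class LockingAuthenticator:
    """Refuses further attempts on an account after `max_failures` wrong
    passwords inside `window` seconds, for `lock_seconds`. State is kept in
    memory here; a real deployment would persist it across processes."""

    def __init__(self, conn, max_failures=5, window=300.0, lock_seconds=900.0,
                 clock=time.monotonic):
        self.conn = conn
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = {}      # username -> timestamps of recent failures
        self.locked_until = {}  # username -> time the lock expires

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"   # even a correct password is refused while locked
        if safe_login(self.conn, username, password):
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'--       :", vulnerable_login(db, "admin'--", "anything"))
    print("safe,       admin'--       :", safe_login(db, "admin'--", "anything"))
    auth = LockingAuthenticator(db, max_failures=3)
    for attempt in ["x", "y", "z", "c0rrect-horse"]:
        print("lockout:", attempt, "->", auth.login("admin", attempt))
```

Locking on the account name alone lets an attacker who knows a username deny that user service, so in practice it is paired with per-source throttling or a CAPTCHA rather than used on its own; the point here is that the console had neither.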


CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83665 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE ID: CVE-2013-2957

DESCRIPTION: Cross-Site Scripting – A user who enters a malformed URL into their browser, or clicks a malformed URL link, could have attacker-supplied script executed in the context of the console, allowing the attacker to collect sensitive data.
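For both cross-site scripting entries (CVE-2013-2955 and CVE-2013-2957) the malformed URL is only the delivery vehicle; what the browser executes is whatever the page echoes back without output encoding. The following added example, which is not IBM's code and assumes a hypothetical profile page with a display name and a user-supplied link, shows the unescaped rendering beside a version that encodes for the HTML body and attribute contexts and allows only http(s) link targets.

```python
"""Added example (not IBM's code): untrusted values reaching HTML unescaped,
and the output encoding plus URL allowlist that prevents it. The page
layout and field names are assumptions for this demonstration."""
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def render_vulnerable(name: str, homepage: str) -> str:
    # Both values land in the markup as-is: one in body text, one in an href.
    return f'<p>Welcome, {name}</p><a href="{homepage}">homepage</a>'


def safe_href(url: str) -> str:
    """Allowlist the scheme: anything that is not http(s) (javascript:,
    data:, vbscript:, an attribute-breaking quote, ...) becomes '#'.
    urlsplit strips tabs and newlines first, so obfuscated schemes fall
    into the rejected branch as well."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_safe(name: str, homepage: str) -> str:
    # quote=True also encodes " and ', which matters inside attributes.
    return (f'<p>Welcome, {html.escape(name, quote=True)}</p>'
            f'<a href="{safe_href(homepage)}">homepage</a>')


def contains_active_content(page: str) -> bool:
    """Crude check used by the demo: does the rendered page still carry a
    script element or a javascript: link? (Not a substitute for escaping.)"""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    payload_name = "<script>alert(document.cookie)</script>"
    payload_link = "javascript:alert(document.cookie)"
    print("vulnerable:", render_vulnerable(payload_name, payload_link))
    print("safe      :", render_safe(payload_name, payload_link))
```

Encoding at output time, for the specific context the value is written into, is the control; input validation of the URL on the way in does nothing for a value that is already stored, which is the stored variant above.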

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2959

DESCRIPTION: Unencrypted Login Request – Credentials used to log into the Optim E-Business Console are transmitted unencrypted and can therefore be captured by anyone able to observe the network traffic. Exploitation requires local network access and the use of specialized knowledge and techniques. An exploit will not impact accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.
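A capture-side check for the condition described above, as an added example that is not IBM's code: given a raw HTTP request taken off the wire, it reports which credential fields were sent in the clear, whether in a form body or in the query string. The login path, the field names and the sample requests are constructed for the demonstration; the fix itself is to serve the console over TLS only, which this check merely helps verify.

```python
"""Added example (not IBM's code): flag login requests that carry credentials
over plaintext HTTP. Field names, URL path and sample requests are
constructed assumptions for this demonstration."""
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "j_password"}

# Constructed sample captures (not real traffic).
SAMPLE_POST = (b"POST /optim/login HTTP/1.1\r\n"
               b"Host: optim.example.internal\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 30\r\n\r\n"
               b"username=admin&password=s3cret")
SAMPLE_GET = (b"GET /optim/login?user=admin&pwd=s3cret HTTP/1.1\r\n"
              b"Host: optim.example.internal\r\n\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, lower-cased headers
    and body. Deliberately minimal: no chunked bodies, no multi-line headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_credentials(raw: bytes, over_tls: bool = False) -> list:
    """Return the sorted credential field names sent in the clear, or [].
    `over_tls` is what the capture point knows about the transport; this
    function cannot tell TLS from the bytes alone, since a TLS stream would
    not parse as HTTP in the first place."""
    if over_tls:
        return []
    method, target, headers, body = parse_request(raw)
    found = set()
    # Credentials in the query string are worse still: they end up in logs.
    _, _, query = target.partition("?")
    found.update(parse_qs(query, keep_blank_values=True))
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        found.update(parse_qs(body.decode("iso-8859-1"), keep_blank_values=True))
    return sorted(f for f in found if f.lower() in CREDENTIAL_FIELDS)


if __name__ == "__main__":
    for label, sample in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET)):
        print(label, "cleartext credential fields:", find_cleartext_credentials(sample))
```

Run against traffic to the console's login URL, a non-empty result confirms the exposure; an empty result on a plaintext port only means the field names were not recognised, so extend CREDENTIAL_FIELDS with whatever the form actually uses.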

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)


AFFECTED PRODUCTS:
Versions 6.0 through 9.1 of IBM InfoSphere Optim Data Growth for Oracle E-Business Suite are affected.

REMEDIATION: The recommended solution is to apply Fix Pack 9.1.0.3 as soon as possible.

Fix(es):
For version 9.1:
- Apply Fix Pack 9.1.0.3

For other versions contact technical support for assistance.

Workaround(s):
None known

Mitigation(s):
None known

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2013-2953
· CVE-2013-2954
· CVE-2013-2955
· CVE-2013-2956
· CVE-2013-2957
· CVE-2013-2959

CHANGE HISTORY:

13-May-2013: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

Optim
Data Growth Solution for Oracle E-business Suite

Software version:

6.0, 6.1, 7.1.0, 7.1.1, 7.1.2, 9.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1637444

Modified date:

2013-05-14
