Security Bulletin: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467)

Flash (Alert)


Abstract

The version of IBM Eclipse Help System that is shipped with IBM SPSS Data Collection ("Data Collection") versions 6.0, 6.0.1 and 7.0 has multiple security vulnerabilities. These vulnerabilities allow attackers to perform cross-site scripting and source code disclosure attacks.

Content


VULNERABILITY DETAILS:

    DESCRIPTION:
    Cross-Site Scripting vulnerabilities may enable malicious scripts to be injected into a victim's context.
    CVE IDs: CVE-2013-0464
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81060 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    DESCRIPTION:
    A source code disclosure vulnerability may allow an attacker to retrieve the source code of some resources located on the server.
    CVE IDs: CVE-2013-0467
    CVSS Base Score: 4.0
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81102 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:
IBM SPSS Data Collection Developer Library 6.0 (DDL 6.0) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 6.0.1 (DDL 6.0.1) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 7.0 (DDL 7.0) using IEHS 3.6.2


REMEDIATION:

Fix: IEHS Security Issue Fix
IEHS PMR: P001620 / P001643

VRMF and how to acquire the fix:
  7.0-IM-DC7DDL-WIN32_64-IF001: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=7.0.0.0&platform=All&function=fixId&fixids=7.0-IM-DC7DDL-WIN32_64-IF001
  6.0.1-IM-DC6DDL-WIN32_64-IF001: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.1.0&platform=All&function=fixId&fixids=6.0.1-IM-DC6DDL-WIN32_64-IF001
  6.0-IM-DC6DDL-WIN32_64-IF001: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.0.0&platform=All&function=fixId&fixids=6.0-IM-DC6DDL-WIN32_64-IF001


Vendor fixes
These two issues are fixed by installing the fix pack for IBM® Eclipse Help System (IEHS) 3.4.3 and 3.6.2.


Steps to apply the fix pack

  1. Back up the files in your <IEHS> directory. The default directory is "C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help".

  2. Download the fix patches for your version for issue P001620 (source code disclosure issue) and P001643 (XSS in the Search control box, and the performance issue in the banner or welcome page in doc.zip).

  3. Extract them into your <IEHS> directory (default: "C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help"), overwriting all existing files.


Workaround(s): none – apply the patches above

Mitigation(s): none


REFERENCES:


RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
May 30, 2013: Originally published.
July 18, 2013: Updated download links and steps to apply fix pack.


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: SPSS Data Collection
Software version: 6.0, 6.0.1, 7.0
Operating system(s): AIX, HP-UX, Linux, Platform Independent, Solaris, Windows
Reference #: 1637954
Modified date: 2013-07-18