Security Bulletin: Security Vulnerabilities Addressed in Asset and Service Mgmt

Flash (Alert)


Abstract

XSS, Gain Privileges, SQL Injection, and Information Disclosure vulnerabilities in Maximo Asset Mgmt, Tivoli Asset Mgmt for IT, Tivoli Service Request Mgr, Change and Configuration Mgmt Database, and SmartCloud Control Desk. See Vulnerability Details for CVE IDs.

Content

VULNERABILITY DETAILS:
DESCRIPTION:
Customers who have Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, and SmartCloud Control Desk are potentially impacted by these vulnerabilities, which can cause issues related to confidentiality, integrity, and availability.

CVE ID APAR DESCRIPTION
CVE-2013-0451
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80967
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
IV24726 SQL Injection
CVE-2013-3047
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84844 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
IV35721 Gain Privileges
CVE-2013-3048
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84845 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
IV36375 Cross-site Scripting
CVE-2013-3049
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84847 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
IV37599 Security Bypass
CVE-2012-3323
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77920 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
IV23506 Gain Privileges
CVE-2013-3971
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84848 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
IV37459 Security Bypass
CVE-2013-3972
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84849
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
IV39089 Information Disclosure
CVE-2013-3973
CVSS Base Score: 6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84850 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
IV39184 SQL Injection
CVE-2013-4013
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85791 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
IV39202 Information Disclosure
CVE-2013-4014
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85792 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
IV39515 Cross-site Scripting
CVE-2013-4017
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85794 CVSS Environmental Score*: Undefined
CVSS Vector: AV/N:AC/L:Au/S:C/P:I/P:A/P
IV42682 SQL Injection
CVE-2013-4018
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85795 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
IV42684 Information Disclosure
CVE-2013-4019
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85796 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
IV42664 Cross-site Scripting
CVE-2013-4020
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85825 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
IV42775 Security Bypass
CVE-2013-4021
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85826 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
IV42816 File Inclusion
CVE-2013-4027
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86064 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
IV43491 Security Bypass
CVE-2013-5380
CVSS Base Score: 1.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86931 CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
IV33364 Information Disclosure
CVE-2013-5381
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86932 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
IV35394 Gain Privileges
CVE-2013-5382
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86933 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
IV40210 Gain Privileges
CVE-2013-5383
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86934 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
IV40704 Gain Privileges
CVE-2013-5395
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87157 CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
IV32526 Security Bypass

AFFECTED PRODUCTS:
· Maximo Asset Management 7.5, 7.1, 6.2
· Maximo Asset Management Essentials 7.5, 7.1, 6.2
· Maximo for Government 7.5, 7.1, 6.2
· Maximo for Nuclear Power 7.5, 7.1, 6.2, 6.3
· Maximo for Transportation 7.5, 7.1, 6.2, 6.3
· Maximo for Life Sciences 7.5, 7.1, 6.2, 6.4, 6.5
· Maximo for Oil and Gas 7.5, 7.1, 6.2, 6.3, 6.4
· Maximo for Utilities 7.5, 7.1, 6.2, 6.3
· SmartCloud Control Desk 7.5
· Tivoli Asset Management for IT 7.2, 7.1, 6.2
· Tivoli Service Request Manager 7.2, 7.1, Maximo Service Desk 6.2
· Change and Configuration Management Database 7.2, 7.1

Products Listed Above
CVE APAR 7.5 7.1 / 7.2 6.2
CVE-2013-0451 IV24726 N/A Fix pending Fix pending
CVE-2013-3047 IV35721 Fixed Fixed N/A
CVE-2013-3048 IV36375 Fixed Fix pending Fix pending
CVE-2013-3049 IV37599 Fixed Fix pending N/A
CVE-2012-3323 IV23506 Fixed Fixed Fixed
CVE-2013-3971 IV37459 Fixed Fix pending N/A
CVE-2013-3972 IV39089 Fixed Fixed N/A
CVE-2013-3973 IV39184 Fixed Fixed N/A
CVE-2013-4013 IV39202 Fixed Fix pending Fix pending
CVE-2013-4014 IV39515 Fixed Fixed Fix pending
CVE-2013-4017 IV42682 N/A Fixed N/A
CVE-2013-4018 IV42684 Fixed Fixed Fix pending
CVE-2013-4019 IV42664 N/A Fixed Fix pending
CVE-2013-4020 IV42775 Fixed Fix pending Fix pending
CVE-2013-4021 IV42816 Fixed Fixed Fix pending
CVE-2013-4027 IV43491 Fixed Fix pending Fix pending
CVE-2013-5380 IV33364 Fixed Fixed Fix pending
CVE-2013-5381 IV35394 Fixed Fix pending Fix pending
CVE-2013-5382 IV40210 Fixed Fixed Fix pending
CVE-2013-5383 IV40704 Fixed Fixed Fix pending
CVE-2013-5395 IV32526 Fixed Fixed Fix pending
N/A in this table means that the vulnerability does not exist in that release

It is likely that earlier versions of affected products are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.

REMEDIATION:

VENDOR FIXES:
The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management and Maximo Asset Management Essentials 7.5, 7.1, 6.2:

VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.5.0.5 Maximo 7.5.0.5 Fix Pack:
7.5.0.5-TIV-MAM-FP005
IV35721, IV36375, IV37599, IV23506, IV37459, IV39089, IV39184, IV39202, IV39515, IV42684, IV42775, IV42816, IV43491, IV33364, IV40210, IV40704, IV32526 FixCentral
7.5.0.4 Maximo 7.5.0.4 Fix Pack:
7.5.0.4-TIV-MAM-IFIX005 or latest Interim Fix available
IV23506 FixCentral
7.5.0.3 Maximo 7.5.0.3 Interim Fix:
7.5.0.3-TIV-MAM-IFIX006 or latest Interim Fix available
IV36375, IV23506, IV42775, IV35394 FixCentral
7.5.0.2 Maximo 7.5.0.2 Interim Fix:
7.5.0.2-TIV-MAM-IFIX023 or latest Interim Fix available
IV39202 FixCentral
7.1.1.12 7.1.1.12 Interim Fix:
MBS_71112_LAFIX.20130903-1142 or latest Interim Fix available
IV35721, IV23506, IV39089, IV33364, IV32526 Contact IBM Support
6.2.8 6.2.8 Interim Fix:
Maximo_6.2.8_LAFix_20120725-1611 or latest Interim Fix available
Note: Maximo 6.2 IFs can be applied to Maximo Industry Solutions 6.2 – 6.5
IV35721, IV23506 Contact IBM Support

For SmartCloud Control Desk 7.5:
VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.5.0.3 SmartCloud Control Desk 7.5.0.3 Fix Pack:
7.5.0.3-TIV-SCCD-AIX-FP0003
7.5.0.3-TIV-SCCD-Linux-FP0003
7.5.0.3-TIV-SCCD-Windows-FP0003
IV35721, IV36375, IV37599, IV23506, IV37459, IV39089, IV39184, IV39202, IV39515, IV42684, IV42775, IV42816, IV43491, IV33364, IV40210, IV40704, IV32526 FixCentral
when available
7.5.1.1 SmartCloud Control Desk 7.5.1.1 Release IV35721, IV36375, IV37599, IV23506, IV37459, IV39089, IV39184, IV39202, IV39515, IV42684, IV42775, IV42816, IV43491, IV33364, IV40210, IV40704, IV32526 Passport Advantage

For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database 7.2, 7.1, 6.2
VRMF Fix Pack or Interim Fix Vulnerability APARs Download
7.1.1.12 7.1.1.12 Interim Fix:
MBS_71112_LAFIX.20130903-1142 or latest Interim Fix available
Note: MBS 7.1 IFs can be applied to 7.1 or 7.2
IV35721, IV23506, IV39089, IV33364, IV32526 Contact IBM Support
6.2.8 6.2.8 Interim Fix:
Maximo_6.2.8_LAFix_20120725-1611 or latest Interim Fix available
IV35721, IV23506 Contact IBM Support

If assistance is needed in determining the appropriate Fix Pack or Interim Fix level, contact IBM Technical Support. It is recommended that you always request the latest available Fix Pack or Interim Fix.

Due to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.

WORKAROUNDS AND MITIGATIONS:
Until you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.


REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

RELATED INFORMATION:
IBM Product Security Incident Reporting Team

ACKNOWLEDGEMENTS:
None



Change History
25 Sep 2013 Flash published

CROSS REFERENCE INFORMATION:
Segment Product Component/Platform Version
Systems and Asset Management Maximo Asset Management All 6.2.0 – 6.2.8
7.1.1.0 – 7.1.1.11
7.5.0.0 – 7.5.0.5
Systems and Asset Management Maximo Asset Management Essentials All 7.1.1.0 – 7.1.1.11
7.5.0.0 – 7.5.0.5
Systems and Asset Management Maximo for Government All 6.1.0.0
7.1.0.0
7.5.0.0
Systems and Asset Management Maximo for Nuclear Power All 6.3.0
7.1.0.0 – 7.1.1.0
7.5.0.0 – 7.5.1.0
Systems and Asset Management Maximo for Transportation All 6.3.0
7.1.0.0 – 7.1.1.0
7.5.0.0 – 7.5.1.0
Systems and Asset Management Maximo for Life Sciences All 6.4.0 – 6.5.0
7.1.0.0 – 7.1.2.0
7.5.0.0
Systems and Asset Management Maximo for Oil and Gas All 6.3.0 – 6.4.0
7.1.0.0 – 7.1.2.0
7.5.0.0 – 7.5.1.0
Systems and Asset Management Maximo for Utilities All 6.3.0
7.1.0.0 – 7.1.2.0
7.5.0.0 – 7.5.0.1
Systems and Asset Management Tivoli Service Request Manager

Maximo Service Desk
All 7.1.0.0 – 7.1.1.11
7.2.0.0 – 7.2.1.4
6.2.0 – 6.2.8
Systems and Asset Management Tivoli Asset Management for IT All 6.2.0 – 6.2.8
7.1.0.0 – 7.1.1.11
7.2.0.0 – 7.2.2.1
Systems and Asset Management Change and Configuration Management Database All 7.1.0.0 – 7.1.1.11
7.2.0.0 – 7.2.1.3
Systems and Asset Management SmartCloud Control Desk All 7.5.0.0 – 7.5.0.3
7.5.1.0 – 7.5.1.1


Cross reference information
Segment Product Component Platform Version Edition
Systems and Asset Management IBM Maximo Asset Management Essentials
Systems and Asset Management IBM Maximo for Government
Systems and Asset Management IBM Maximo for Nuclear Power
Systems and Asset Management IBM Maximo for Transportation
Systems and Asset Management IBM Maximo for Life Sciences
Systems and Asset Management IBM Maximo for Oil and Gas
Systems and Asset Management IBM Maximo for Utilities
Systems and Asset Management Tivoli Service Request Manager
Systems and Asset Management Tivoli Asset Management for IT
Systems and Asset Management Tivoli Change and Configuration Management Database
Systems and Asset Management IBM SmartCloud Control Desk

Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Maximo Asset Management

Software version:

6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1, 7.1.2, 7.2, 7.2.1, 7.5

Operating system(s):

Platform Independent

Reference #:

1651085

Modified date:

2013-09-26

Translate my page

Machine Translation

Content navigation