Security Bulletin: WebSphere DataPower XC10 Appliance Vulnerabilities in Administrative Access and Web Logoff (CVE-2013-5428, CVE-2013-5446)

Flash (Alert)


Abstract

A security vulnerability in the appliance might allow unauthenticated access to certain administrative operations. The appliance also has a separate vulnerability in log-off processing.

Content

VULNERABILITY DETAILS:


CVEID: CVE-2013-5428
DESCRIPTION:
Certain administrative operations for the appliance can be accessed without authentication, creating a risk of a denial of service.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87560 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)



CVEID: CVE-2013-5446
DESCRIPTION:
The WebSphere DataPower XC10 Appliance console has a weakness in its logoff handling.

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87910 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)



AFFECTED PRODUCTS AND VERSIONS:

WebSphere DataPower XC10 Appliance 2.1.0 and 2.5.0. CVE-2013-5428 only applies to WebSphere DataPower XC10 Appliance 2.5.0.

REMEDIATION:

Apply the fix for your product and version. Both APARs (IC96617 for CVE-2013-5428, IC93164 for CVE-2013-5446) are delivered together in each package listed below.

Product: WebSphere DataPower XC10 Appliance
VRMF: 2.5.0
APARs: IC96617, IC93164
Link to Fix Pack: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-7199-FP0000002&includeSupersedes=0

Product: WebSphere DataPower XC10 Virtual Image
VRMF: 2.5.0
APARs: IC96617, IC93164
Link to Fix Pack: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-VIRT-FP0000002&includeSupersedes=0

Product: WebSphere DataPower XC10 Appliance for appliance 9235-92X
VRMF: 2.1.0
APARs: IC96617, IC93164
Link to Interim Fix: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.1.0.3-WS-DPXC10-9235-IC96617-IC93164&includeSupersedes=0

Product: WebSphere DataPower XC10 Appliance for appliance 7199-92X
VRMF: 2.1.0
APARs: IC96617, IC93164
Link to Interim Fix: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.1.0.3-WS-DPXC10-7199-IC96617-IC93164&includeSupersedes=0



Workaround(s) & Mitigation(s):

For CVE-2013-5428, the following workaround can be used. Unless the deployment requires unauthenticated access to grid data, configure the appliance, through the collective settings in the console, to require authentication for all data grid operations. With authentication required for every operation, the unauthenticated access that this vulnerability depends on is no longer possible, so the setting fully protects against it.

There is no workaround for CVE-2013-5446.


REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2



RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT

None.

CHANGE HISTORY
18 October 2013 Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: WebSphere DataPower XC10 Appliance, General
Software version: 2.1, 2.5
Operating system(s): Firmware
Reference #: 1653546
Modified date: 2013-10-18