Security Bulletin: Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2013-5449)

Summary

Some scripts in the help system used by IBM DB2 Information Center are vulnerable to cross-site scripting attacks.

This security bulletin only applies to the locally installed DB2 Information Center and not the core DB2 product. If you do not have an information center installed on a local or intranet system, then this security bulletin is not applicable.

Vulnerability Details


CVE ID: CVE-2013-5449

DESCRIPTION: The DB2 Information Center is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions


The following locally installed IBM DB2 Information Center editions running on Linux and Windows are affected by this security bulletin:

IBM® DB2® 9.7 Information Center Network package
IBM® DB2® 9.7 Information Center Workstation package


• Network version (installable) of the DB2 Information Center


    This is the same DB2 Information Center that is distributed with DB2 database products. It comes with an installer and other programs that let you install the Information Center on your computer. The install program requires that you have administrative authority on your computer to complete the installation.

• The Workstation version (stand-alone) of the DB2 Information Center

    This package allows you to run the DB2 Information Center on your computer if you do not have administrator or root authority. The Workstation version of the DB2 Information Center runs in "stand-alone" mode. There are no services or daemons associated with this type of DB2 Information Center, therefore you must start and stop it manually. It also differs from the regular DB2 Information Center because it determines the locale from the computer's system locale, not from the browser.

Remediation/Fixes

The fix for this vulnerability is available for download for DB2 Information Center release V9.7.

The package for the Workstation version includes the latest version of all the content for that release and a fully patched version of the information center. The package for the Network version of the information center only includes the patch for the base information center code. An updated install package for the Network version of the information centers will be available in the future.



Information Center Package            | URL
Network version (installable)         | http://download.boulder.ibm.com/ibmdl/pub/software/data/db2/luw/info/icpatches
Workstation version (stand-alone)     | http://www.ibm.com/support/docview.wss?rs=71&uid=swg27009474

Workarounds and Mitigations

Workarounds: If applying the fix is not possible or feasible, then uninstall the locally installed information center and use the information center(s) available at http://www.ibm.com/software/data/db2/linux-unix-windows/library.html#Information%20centers.

Mitigations: None known

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21657369