Security Bulletin
Summary
Some scripts in the help system used by the IBM DB2 Information Center are vulnerable to cross-site scripting attacks.
This security bulletin only applies to the locally installed DB2 Information Center and not the core DB2 product. If you do not have an information center installed on a local or intranet system, then this security bulletin is not applicable.
Vulnerability Details
CVE ID: CVE-2013-5449
DESCRIPTION: The DB2 Information Center is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
The following locally installed IBM DB2 Information Center editions running on Linux and Windows are affected by this security bulletin:
IBM® DB2® 9.7 Information Center Network package
IBM® DB2® 9.7 Information Center Workstation package
• Network version (installable) of the DB2 Information Center
This is the same DB2 Information Center that is distributed with DB2 database products. It comes with an installer and other programs that let you install the Information Center on your computer. The install program requires that you have administrative authority on your computer to complete the installation.
• The Workstation version (stand-alone) of the DB2 Information Center
This package allows you to run the DB2 Information Center on your computer if you do not have administrator or root authority. The Workstation version of the DB2 Information Center runs in "stand-alone" mode. There are no services or daemons associated with this type of DB2 Information Center, therefore you must start and stop it manually. It also differs from the regular DB2 Information Center because it determines the locale from the computer's system locale, not from the browser.
Remediation/Fixes
The fix for this vulnerability is available for download for DB2 Information Center release V9.7.
The package for the Workstation version includes the latest version of all the content for that release and a fully patched version of the Information Center. The package for the Network version of the Information Center only includes the patch for the base Information Center code. An updated install package for the Network version of the Information Center will be available in the future.
Information Center Package | URL
Network version (installable) | http://download.boulder.ibm.com/ibmdl/pub/software/data/db2/luw/info/icpatches
Workstation version (stand-alone) | http://www.ibm.com/support/docview.wss?rs=71&uid=swg27009474
Workarounds and Mitigations
Workarounds: If applying the fix is not possible or feasible, then uninstall the locally installed Information Center and use the Information Center(s) available at http://www.ibm.com/software/data/db2/linux-unix-windows/library.html#Information%20centers.
Mitigations: None known
References
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
16 June 2018
UID
swg21657369