Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal


Summary

Fixes are available for multiple security vulnerabilities in IBM WebSphere Portal.

Vulnerability Details

CVEID: CVE-2013-6328
DESCRIPTION:
A Cross Site Scripting (XSS) and IFrame Injection vulnerability in the IBM Web Content Manager (WCM) UI has been identified.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88909 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.5
WebSphere Portal 6.1.0

REMEDIATION:
The recommended solution is to apply PM96345 as soon as practical.
Fix: Apply an Interim Fix or a Cumulative Fix containing PM96345.

For 8.0.0 through 8.0.0.1
▪ Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 9 (CF09)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1: http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
▪ Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 26 (CF26) and then apply Interim Fix PM96345
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2: http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3
▪ Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply Interim Fix PM96345
(Cumulative fixes for WebSphere Portal 6.1.5.3: http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
▪ Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply Interim Fix PM96345
(Cumulative fixes for WebSphere Portal 6.1.0.6: http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


Workaround(s): None
Mitigation(s): None





CVEID: CVE-2013-6316
DESCRIPTION:
In some specific situations, when using WCM context processors in combination with rendering Taxonomy components, the access control restrictions on individual categories in the taxonomy are not always enforced correctly. This occurs if the context processor changes the effective content selection. Properties of WCM content could be displayed to users who do not have access rights to see them.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88597 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7


REMEDIATION:
The recommended solution is to apply PI04897 as soon as practical.
Fix: Apply a Cumulative Fix containing PI04897.

For 8.0.0 through 8.0.0.1
▪ Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 9 (CF09)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1: http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
▪ Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 26 (CF26)
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2: http://www.ibm.com/support/docview.wss?uid=swg24029452)

Workaround(s): None
Mitigation(s): None





CVEID: CVE-2013-6723
DESCRIPTION:
In some specific situations, when using WCM navigator components that reference other WCM components and in addition specify the compute="always" option, access control restrictions on individual components are not always enforced correctly. The access control check for the referenced components does not work correctly if the navigator contains more than one entry. Referenced WCM components could be displayed to users who do not have access to see them.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89278 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8 (Fix Pack level 8.0.0.1 only)


REMEDIATION:
The recommended solution is to apply PI05684 as soon as practical.
Fix: Apply a Cumulative Fix containing PI05684.

For 8.0.0.1
▪ Apply Cumulative Fix 9 (CF09)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1: http://www-01.ibm.com/support/docview.wss?uid=swg24034497)


Workaround(s): None
Mitigation(s): None





CVEID: CVE-2013-4012
DESCRIPTION:
If 'IBM Content Template Catalog 4.0 for WebSphere Portal v8.0' is installed on WebSphere Portal 8, PAAs can be installed and executed with less than administrator rights.

CVSS:
CVSS Base Score: 3.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85618 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:N/I:P/A:P)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8


REMEDIATION:
The recommended solution is to apply PM93172 as soon as practical.
Fix: Apply a Cumulative Fix containing PM93172.

For 8.0.0 through 8.0.0.1
▪ Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 9 (CF09)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1: http://www-01.ibm.com/support/docview.wss?uid=swg24034497)


Workaround(s): None
Mitigation(s): None
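The four REMEDIATION sections above each give an affected version range and the Fix Pack, Cumulative Fix and (where required) Interim Fix APAR that close the issue. The following script is an added example, not IBM's code and not part of this bulletin: it transcribes that remediation matrix into data and reports, for a given installed Portal level, which of the four CVEs are still open. Version numbers, CF levels and APAR identifiers are taken from the bulletin text; the installed levels passed to the checker are constructed sample inputs, and the `ctc_installed` flag is an assumption used to model that CVE-2013-4012 only applies when the Content Template Catalog 4.0 is present.

```python
"""Fix-level check derived from the remediation matrix in the bulletin above.

For each CVE the bulletin lists an affected range, the Fix Pack to be on,
the minimum Cumulative Fix (CF) on that Fix Pack, and in some cases an
Interim Fix APAR that must be applied on top of the CF. assess() applies
those rules to an installed level and returns a per-CVE status.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'8.0.0.1' -> (8, 0, 0, 1); '8.0.0' -> (8, 0, 0, 0) so ranges compare uniformly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class Rule:
    low: str                    # first affected level in this stream
    high: str                   # last affected level in this stream
    fixpack: str                # Fix Pack the bulletin says to upgrade to
    cf: int                     # minimum Cumulative Fix on that Fix Pack
    apar: Optional[str] = None  # Interim Fix required on top of the CF, if any


# Remediation matrix transcribed from the bulletin's REMEDIATION sections.
REMEDIATION = {
    "CVE-2013-6328": [
        Rule("8.0.0", "8.0.0.1", "8.0.0.1", 9),
        Rule("7.0.0", "7.0.0.2", "7.0.0.2", 26, "PM96345"),
        Rule("6.1.5.0", "6.1.5.3", "6.1.5.3", 27, "PM96345"),
        Rule("6.1.0.0", "6.1.0.6", "6.1.0.6", 27, "PM96345"),
    ],
    "CVE-2013-6316": [
        Rule("8.0.0", "8.0.0.1", "8.0.0.1", 9),
        Rule("7.0.0", "7.0.0.2", "7.0.0.2", 26),
    ],
    "CVE-2013-6723": [
        Rule("8.0.0.1", "8.0.0.1", "8.0.0.1", 9),
    ],
    "CVE-2013-4012": [
        Rule("8.0.0", "8.0.0.1", "8.0.0.1", 9),
    ],
}


def assess(version: str, cf: int, apars=(), ctc_installed: bool = True) -> dict:
    """Return {cve: status} for an installed WebSphere Portal level.

    status is 'remediated', 'open', or 'not listed' (the installed level lies
    outside every affected range the bulletin gives for that CVE, so the
    bulletin makes no statement about it).
    ctc_installed (assumption): whether 'IBM Content Template Catalog 4.0' is
    present; CVE-2013-4012 only applies when it is. True is the safe default.
    """
    installed = parse_version(version)
    applied = set(apars)
    result = {}
    for cve, rules in REMEDIATION.items():
        if cve == "CVE-2013-4012" and not ctc_installed:
            result[cve] = "not listed"
            continue
        status = "not listed"
        for rule in rules:
            if not (parse_version(rule.low) <= installed <= parse_version(rule.high)):
                continue
            # Inside an affected stream: must be on the named Fix Pack, at or
            # above the named CF, with the Interim Fix applied where required.
            on_fixpack = installed == parse_version(rule.fixpack)
            cf_ok = cf >= rule.cf
            apar_ok = rule.apar is None or rule.apar in applied
            status = "remediated" if (on_fixpack and cf_ok and apar_ok) else "open"
            break
        result[cve] = status
    return result


if __name__ == "__main__":
    # Constructed sample levels, not taken from the bulletin.
    samples = [
        ("8.0.0.1", 9, ()),
        ("8.0.0.1", 8, ()),
        ("7.0.0.2", 26, ()),
        ("7.0.0.2", 26, ("PM96345",)),
        ("6.1.5.2", 27, ("PM96345",)),
    ]
    for version, cf, apars in samples:
        print(version, f"CF{cf:02d}", sorted(apars), assess(version, cf, apars))
```

The check deliberately reports "not listed" rather than "remediated" for levels the bulletin does not mention (for example a later Fix Pack), because the bulletin only vouches for the levels it names; treat that status as a prompt to consult the cumulative fix pages linked above rather than as a clean bill of health.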

Affected Products

Various - see above.

Remediation/Fixes

Various - see above.

Workarounds/Mitigations

Various - see above.

Important note:

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References:

Change History

20 December 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information


More support for:

WebSphere Portal

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1660011

Modified date:

2013-12-20
