Security Bulletin: WebSphere Dashboard Framework contains a vulnerability that allows file access and deletion.

Security Bulletin
Summary

WebSphere Dashboard Framework contains a vulnerability in a charting feature that is
used to access and delete generated images in a temporary folder. A fix has been created
that removes the vulnerability.

Vulnerability Details

WebSphere Dashboard Framework contains a vulnerability in a charting feature that is used to
access and delete generated images in a temporary folder. Ordinarily this charting feature
is protected by security constraints that limit its use to authenticated users.
However, customers may misconfigure these security constraints and thereby allow
unauthenticated access to the feature. It is also possible for an authenticated but
malicious user to employ the feature to retrieve and delete files.
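The bulletin does not describe the root cause, so the following is an added illustration (not WebSphere Dashboard Framework code) of how an endpoint that fetches or deletes generated images from a temporary folder should treat a client-supplied name. The class name, the assumed file-naming convention (hex id plus a fixed image extension) and the session-ownership record are all assumptions made for the example; the checks themselves are the general hardening for this class of handler, and they address both failure modes the bulletin names: a name crafted to reach outside the temp folder, and an authenticated user operating on files that are not theirs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/**
 * Added illustration, not WebSphere Dashboard Framework code. Hardening for
 * any "fetch or delete a generated file from a temp folder" endpoint:
 *  1. accept only names the generator itself could have produced,
 *  2. confirm the resolved path still sits directly inside the temp folder,
 *  3. only touch regular files (no symlinks planted in the temp folder), and
 *  4. let a session act only on images it generated.
 */
public final class GeneratedImageStore {

    // Assumed naming convention for generated images: hex id + fixed extension.
    private static final Pattern GENERATED_NAME =
            Pattern.compile("^[0-9a-f]{16,64}\\.(png|gif|jpg)$");

    private final Path tempDir;
    // session id -> names that session generated (ownership record, assumed design).
    private final Map<String, Set<String>> owned = new ConcurrentHashMap<>();

    public GeneratedImageStore(Path tempDir) throws IOException {
        this.tempDir = tempDir.toRealPath(); // canonical form for the containment check
    }

    /** Called by the chart generator after it writes an image for a session. */
    public void register(String sessionId, String name) {
        owned.computeIfAbsent(sessionId, k -> ConcurrentHashMap.newKeySet()).add(name);
    }

    /** Resolves a client-supplied name, or returns null if the request must be refused. */
    Path resolve(String sessionId, String name) {
        if (name == null || !GENERATED_NAME.matcher(name).matches()) {
            return null; // blocks "..", path separators, absolute paths, other extensions
        }
        Set<String> mine = owned.get(sessionId);
        if (mine == null || !mine.contains(name)) {
            return null; // not an image this session generated
        }
        Path candidate = tempDir.resolve(name).normalize();
        if (!tempDir.equals(candidate.getParent())) {
            return null; // defence in depth should the name pattern ever be loosened
        }
        if (!Files.isRegularFile(candidate, LinkOption.NOFOLLOW_LINKS)) {
            return null; // missing, a directory, or a symlink
        }
        return candidate;
    }

    public byte[] read(String sessionId, String name) throws IOException {
        Path p = resolve(sessionId, name);
        return p == null ? null : Files.readAllBytes(p);
    }

    public boolean delete(String sessionId, String name) throws IOException {
        Path p = resolve(sessionId, name);
        if (p == null) {
            return false;
        }
        boolean removed = Files.deleteIfExists(p);
        if (removed) {
            owned.get(sessionId).remove(name);
        }
        return removed;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one generated image belonging to "sessionA".
        Path dir = Files.createTempDirectory("charts");
        GeneratedImageStore store = new GeneratedImageStore(dir);
        String name = "0123456789abcdef0123.png";
        Files.write(dir.resolve(name), new byte[] {(byte) 0x89, 'P', 'N', 'G'});
        store.register("sessionA", name);

        System.out.println("owner reads:    " + (store.read("sessionA", name) != null));
        System.out.println("other session:  " + (store.read("sessionB", name) != null));
        System.out.println("traversal:      " + store.resolve("sessionA", "../../etc/passwd"));
        System.out.println("absolute path:  " + store.resolve("sessionA", "/etc/passwd"));
        System.out.println("owner deletes:  " + store.delete("sessionA", name));
        System.out.println("delete again:   " + store.delete("sessionA", name));
        Files.delete(dir);
    }
}
```

The name pattern alone already stops traversal; the containment and regular-file checks are kept so that a later relaxation of the pattern does not silently reopen the hole. None of this replaces the deployment-descriptor security constraint the bulletin refers to: the endpoint should still require an authenticated role, and the ownership check above is what limits an authenticated but malicious user to their own files.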

CVE ID: CVE-2013-6728
Description: WebSphere Dashboard Framework contains a vulnerability that allows file
access and deletion.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89283 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Affected Products

WebSphere Dashboard Framework versions 6.1.5 and 7.0.1.

Remediation/Fixes

For WDF 6.1.5, install APAR LO78265. For WDF 7.0.1, install APAR LO78266. These
APARs can be obtained from IBM Support.

Workarounds/Mitigations

None.

References:

Change History

17 January 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: WebSphere Dashboard Framework
Software version: 6.1.5, 7.0.1
Operating system(s): Linux, Windows
Software edition: All Editions
Reference #: 1663022
Modified date: 2014-02-17
