Security Bulletin: IBM Algo One Security Vulnerabilities in MetaData Management Tools (addressed in UDS) and ACSWeb (addressed in Algo Security Access Control Manager/AlgoWebApps)

Security Bulletin


Summary

Cross-Site Scripting, Blind SQL Injection, Unencrypted Login Request and Path Traversal vulnerabilities affect the UDS component of IBM Algo One Core ("UDS"). Security Bypass and Cross-Site Scripting vulnerabilities affect the Algo Security Access Control Manager/AlgoWebApps components of IBM Algo One Core ("Algo Security Access Control Manager/AlgoWebApps"). See Vulnerability Details for the CVE IDs.

Vulnerability Details

DESCRIPTION:
Customers who run UDS or Algo Security Access Control Manager/AlgoWebApps are potentially affected by these vulnerabilities. Note that the practical severity is typically limited because these are administrative utilities normally deployed behind a firewall with restricted access; the CVSS base scores below do not take that deployment context into account.

CVE-2013-6319
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88602
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Security Bypass
Due to insufficient server-side validation, a malicious user may be able to retrieve content on the server that they should not have access to.

CVE-2013-6318
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88599
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-5468
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88382
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Unencrypted Login Request
Insufficient encryption could allow an attacker who is able to intercept traffic to obtain users' credentials.

CVE-2013-6301
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88527
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-6302
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88532
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Blind SQL Injection
A malicious user may be able to tamper with legitimate server requests in order to gain access to, or modify, data they should not have access to.

CVE-2013-6300
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88526
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-6303
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88534
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Path Traversal
Due to insufficient server-side validation, a malicious user may be able to retrieve content on the server that they should not have access to.

CVE-2013-6320
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88603
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-6299
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88525
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-6333
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89024
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Cross-Site Scripting
An attacker who can trick a legitimate user into clicking a malicious link or visiting a malicious web page can run scripts of their choosing in the context of the victim.

CVE-2013-6331
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89022
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
SQL Injection
A malicious user may be able to tamper with legitimate server requests in order to gain access to, or modify, data they should not have access to.
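The base scores printed above are derived mechanically from the vectors next to them, so they can be checked rather than taken on trust. The following is an added example written for this page, not IBM's code or tooling: a CVSS v2 base-score calculator implementing the weights and equations of the CVSS v2.0 guide referenced at the end of this bulletin, with the bulletin's own CVE/score/vector rows embedded as input. Run over those rows it reproduces every listed score except CVE-2013-6318, whose printed vector (Au:N, no authentication required) evaluates to 4.3 rather than the listed 3.5, so either the vector or the score for that entry is misprinted and the linked X-Force record is the place to confirm which.

```python
# CVSS v2 base-score calculator, added here to check the scores printed in the
# bulletin against their vectors. Not IBM's code; the weights and equations are
# those of the CVSS v2.0 specification, the row data is copied from the bulletin.
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
METRIC_TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
                 "C": IMPACT, "I": IMPACT, "A": IMPACT}

# (CVE, listed base score, listed vector) rows exactly as printed in this bulletin.
BULLETIN_ROWS = [
    ("CVE-2013-6319", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6318", 3.5, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2013-5468", 3.5, "AV:N/AC:M/Au:S/C:P/I:N/A:N"),
    ("CVE-2013-6301", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6302", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2013-6300", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6303", 4.0, "AV:N/AC:L/Au:S/C:P/I:N/A:N"),
    ("CVE-2013-6320", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6299", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6333", 3.5, "AV:N/AC:M/Au:S/C:N/I:P/A:N"),
    ("CVE-2013-6331", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
]


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:S/C:N/I:P/A:N' into {metric: value}, rejecting
    missing, duplicated, unknown or out-of-range base metrics."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRIC_TABLES or name in metrics:
            raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
        if value not in METRIC_TABLES[name]:
            raise ValueError(f"bad value {value!r} for {name} in {vector!r}")
        metrics[name] = value
    if set(metrics) != set(METRIC_TABLES):
        raise ValueError(f"vector is missing base metrics: {vector!r}")
    return metrics


def is_valid_vector(vector):
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def round_cvss(x):
    """CVSS v2 rounds to one decimal place, half away from zero; Python's
    round() is banker's rounding, so go through Decimal instead."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2.0 base equation: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by
    f(Impact), which is 0 when there is no impact and 1.176 otherwise."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0
    return round_cvss((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def find_mismatches(rows=BULLETIN_ROWS):
    """Return (cve, listed, computed) for every row whose listed score does not
    follow from its printed vector."""
    return [(cve, listed, base_score(vec)) for cve, listed, vec in rows
            if base_score(vec) != listed]


if __name__ == "__main__":
    for cve, listed, vec in BULLETIN_ROWS:
        computed = base_score(vec)
        flag = "" if computed == listed else "  <-- score does not match vector"
        print(f"{cve}  listed {listed}  computed {computed}  {vec}{flag}")
```

The same calculator applies to any CVSS v2 vector, so it can also be used to re-score an entry after adjusting a metric to your own environment (for example treating AV:N as AV:A for an interface that is only reachable from an administrative network), which is what the Environmental Score footnote below asks customers to do.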

Affected Products

UDS Versions 4.7.0 through 5.0.0
Algo Security Access Control Manager Versions 4.7.0 through 4.9.0
AlgoWebApps Version 5.0.0

Remediation/Fixes

A fix has been created for each affected version of the named product. Download and install the appropriate fix as soon as practicable. Fixes and installation instructions are provided at the URLs listed below:


Product                                   Version  Patch    Download URL
UDS                                       5.0.0    500-016  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0016:0&includeSupersedes=0&source=fc&login=true
UDS                                       4.9.0    490-092  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0092:0&includeSupersedes=0&source=fc&login=true
UDS                                       4.8.0    480-050  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0050:0&includeSupersedes=0&source=fc&login=true
UDS                                       4.7.1    471-264  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0264:0&includeSupersedes=0&source=fc&login=true
UDS                                       4.7.0    470-278  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0278:0&includeSupersedes=0&source=fc&login=true
AlgoWebApps                               5.0.0    500-013  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0013:0&includeSupersedes=0&source=fc&login=true
Algo Security Access Control Manager (ACM) 4.9.0   490-105  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0105:0&includeSupersedes=0&source=fc&login=true
Algo Security Access Control Manager (ACM) 4.8.0   480-052  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0052:0&includeSupersedes=0&source=fc&login=true
Algo Security Access Control Manager (ACM) 4.7.1   471-271  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0271:0&includeSupersedes=0&source=fc&login=true
Algo Security Access Control Manager (ACM) 4.7.0   470-279  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0279:0&includeSupersedes=0&source=fc&login=true

The Version column is taken from the interim fix ID in each URL (for example 5.0.0.0-Algo-One-if0016 for UDS 500-016); Fix Central requires an IBM ID to download.

Workarounds/Mitigations

None known; apply the fixes. Restricting network access to these administrative utilities, as noted under Vulnerability Details, reduces exposure but does not remove the vulnerabilities.

References:

Complete CVSS Guide
On-line Calculator V2

Change History

28 February 2014: Original Copy Published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Algo One
Software version: 4.7, 4.7.1, 4.8, 4.9, 5.0
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1666110
Modified date: 2014-02-28
