IBM Support

Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Data Click 10.0 (CVE-2013-3034 CVE-2013-3040 CVE-2013-0599 CVE-2013-4057 CVE-2013-4058 CVE-2013-4059 CVE-2013-4066 CVE-2013-4067)

Security Bulletin


Summary

The IBM InfoSphere Data Click administration and reporting console contains multiple security vulnerabilities. Note: IBM InfoSphere Data Click 10.0 is provided with IBM BigInsights version 2.0 and is not available separately.

Vulnerability Details

CVE ID: CVE-2013-3034

DESCRIPTION:
An attacker can trick a user into entering a malformed URL into a browser, or into clicking a malformed URL link, and exploit a cross-site scripting or HTML injection vulnerability in the InfoSphere Information Server administration and reporting console to gain unauthorized access or collect sensitive information.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84646 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-3040

DESCRIPTION:
Failed login attempts return different responses for an invalid username and for an invalid password, allowing an attacker to first enumerate valid usernames and then brute-force their passwords.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
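The following is an added example, not code from IBM or from the Data Click console, showing the defect class described above in a login handler and the fix. The user store, account names and passwords are constructed for the example. The vulnerable handler answers differently for an unknown username and a wrong password; the fixed one returns a single message and performs the same hash computation on both paths, so neither the response text nor its timing tells the attacker which factor was wrong. The last function is the attacker's side of the enumeration, which works against the first handler and finds nothing against the second.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store for this example (hypothetical accounts, not the
# product's): username -> (salt, PBKDF2 hash).
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    "dsadm": (_SALT, _hash("correct horse battery staple", _SALT)),
    "isadmin": (_SALT, _hash("Tr0ub4dor&3", _SALT)),
}
# Dummy credential so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"


def login_vulnerable(username: str, password: str) -> str:
    """Distinguishes the two failure cases (the defect class in CVE-2013-3040)."""
    if username not in USERS:
        return "Invalid username"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return "Invalid password"
    return "OK"


def login_fixed(username: str, password: str) -> str:
    """One failure message, and the same hashing work whether or not the
    username exists, so neither the text nor the timing reveals which
    factor was wrong."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if password_ok and username in USERS:
        return "OK"
    return GENERIC_FAILURE


def enumerate_usernames(login, candidates):
    """Attacker side: try each candidate with a junk password and keep those
    whose response differs from the response for a username that cannot
    exist. Against login_fixed every response is identical, so nothing is
    learned."""
    baseline = login("no-such-user-" + secrets.token_hex(4), "junk")
    return sorted(u for u in candidates if login(u, "junk") != baseline)
```

Rate limiting and lockout on top of this are still worthwhile, but they are no substitute: an attacker who can tell "bad user" from "bad password" needs only one request per candidate username.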

CVE ID: CVE-2013-0599

DESCRIPTION:
The IBM InfoSphere Information Server help system could disclose sensitive information about the help system’s implementation when an attacker sends a specially-crafted URL.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83613 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-4057

DESCRIPTION:
Due to insufficient safeguards against cross-site request forgery in the Information Server XML Pack, an attacker can trick a legitimate user into opening a URL that causes an action to be taken as that user, potentially without that user's knowledge. Any such action requires the user to already be logged into the DataStage Designer, or to authenticate separately as part of the attack.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86546 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
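As an added example (not IBM's code, and not the XML Pack's actual request handling), the handlers below show the pattern behind a CSRF weakness of this kind and the standard fix. The session store, the console origin `https://isconsole.example` and the "delete job" action are all constructed for illustration. The vulnerable handler trusts the session cookie alone, which the victim's browser attaches automatically to a request the attacker's page triggers. The fixed handler additionally requires a POST, an Origin or Referer from the console's own site, and a per-session token carried in the request body; the token is an HMAC over the session id, so a token the attacker obtains from their own session is rejected for the victim's.

```python
import hashlib
import hmac
import secrets

# Constructed session store for this example (hypothetical, not the
# product's): session id -> session record.
SESSIONS = {}
SECRET_KEY = secrets.token_bytes(32)
OUR_ORIGIN = "https://isconsole.example"   # hypothetical console origin


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token_for(sid: str) -> str:
    """Per-session token derived with an HMAC over the session id: nothing
    extra to store, and a token minted for one session is useless in another."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def _same_origin(value: str) -> bool:
    # Origin carries exactly the origin; Referer carries a full URL under it.
    return value == OUR_ORIGIN or value.startswith(OUR_ORIGIN + "/")


def delete_job_vulnerable(request: dict) -> str:
    """Relies on the session cookie alone. Any page that can make the browser
    send that cookie can trigger the action (the CSRF class in CVE-2013-4057)."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    return "200 deleted job %s as %s" % (request["params"]["job"], session["user"])


def delete_job_fixed(request: dict) -> str:
    """A state change requires POST, an Origin/Referer from our own site, and a
    valid per-session token carried in the body rather than in a cookie."""
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state change must be POST"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not _same_origin(origin):
        return "403 cross-origin request refused"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return "403 missing or invalid CSRF token"
    return "200 deleted job %s as %s" % (request["params"]["job"], session["user"])


def legitimate_request(sid: str, job: str) -> dict:
    """What the console's own form submits."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": OUR_ORIGIN},
            "params": {"job": job, "csrf_token": csrf_token_for(sid)}}


def forged_request(victim_sid: str, job: str, stolen_token: str = "") -> dict:
    """What an attacker's page can make the victim's browser send: the
    victim's cookie goes along automatically, the Origin is the attacker's,
    and the only token the attacker can supply is one from their own session."""
    return {"method": "POST", "cookies": {"sid": victim_sid},
            "headers": {"Origin": "https://attacker.example"},
            "params": {"job": job, "csrf_token": stolen_token}}
```

The Origin check and the token are deliberately independent defences: the Origin header is absent from some legitimate requests (older clients, some privacy settings), so the token is the one check a deployment cannot do without.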


CVE ID: CVE-2013-4058

DESCRIPTION:
Information Server’s metadata repository is exposed to blind SQL injection attacks through various Information Server web interfaces.

CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
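The following added example (not IBM's code; the table, rows and lookup are constructed stand-ins, not the metadata repository's schema) shows why a "blind" injection point is still a full data-disclosure issue. The lookup answers only yes or no, but because it concatenates its input into SQL, an attacker can append a condition on one character of another column and read the answer from the yes/no result. `extract_secret` does exactly that, recovering a value one character at a time. The parameterized version exposes the same interface but treats the input purely as data, so the same extraction loop learns nothing.

```python
import sqlite3

# Constructed in-memory stand-in for a metadata repository; the table and
# rows are hypothetical and not the product's schema.
def build_repo() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xmeta_user (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO xmeta_user VALUES (?, ?)",
                     [("isadmin", "S3cr3t!"), ("dsadm", "other")])
    return conn


def user_exists_vulnerable(conn, name: str) -> bool:
    """Answers only yes/no, but builds the query by concatenation: a
    boolean-based blind injection point."""
    sql = "SELECT 1 FROM xmeta_user WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn, name: str) -> bool:
    """Same interface with a bound parameter: the input is data, never SQL."""
    row = conn.execute("SELECT 1 FROM xmeta_user WHERE name = ?", (name,)).fetchone()
    return row is not None


ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" "!@#$%^&*._-")


def extract_secret(oracle, target: str, max_len: int = 32) -> str:
    """Attacker side: recover target's secret one character at a time using
    nothing but the true/false answer of the lookup. Stops at the first
    position where no character of ALPHABET matches (end of the value, or a
    character outside the alphabet)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # Closes the name literal, appends a condition on one character of
            # the secret, and comments out the trailing quote the code adds.
            payload = "%s' AND substr(secret,%d,1) = '%s' -- " % (target, pos, ch)
            if oracle(payload):
                recovered += ch
                break
        else:
            return recovered
    return recovered
```

A real attacker would binary-search on the character code rather than try each character in turn, and would use timing (`CASE WHEN ... THEN sleep`) where even a yes/no answer is not visible; the defence is the same either way, which is to bind every value rather than filter payloads.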

CVE ID: CVE-2013-4059

DESCRIPTION:
Various Information Server web interfaces are vulnerable to content-spoofing and cross-site scripting allowing attackers to gain unauthorized access or collect sensitive information.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86548 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-4066

DESCRIPTION:
By overlaying the Web Console interface with a different interface (clickjacking) and inducing a user to perform mouse clicks and keystrokes, an attacker can cause the user to unwittingly carry out unintended actions within the Web Console.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86597 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
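Clickjacking is prevented by telling the browser not to render the page inside another site's frame. As an added check (not from IBM or the Web Console; the console origin `https://isconsole.example` and the header sets are constructed for illustration), the function below decides whether a response's headers forbid framing by untrusted sites, looking at `Content-Security-Policy: frame-ancestors` first because browsers that support it let it override `X-Frame-Options`, and falling back to `X-Frame-Options` otherwise. `harden` shows the two headers a fixed response should carry.

```python
# Added example: does a response forbid framing by other sites?
def framing_protected(headers: dict, our_origin: str = "https://isconsole.example") -> bool:
    """True if the response stops untrusted pages from framing it.

    A Content-Security-Policy frame-ancestors directive, when present, is
    authoritative and overrides X-Frame-Options in browsers that support it;
    otherwise fall back to X-Frame-Options. ALLOW-FROM counts as no protection
    because current browsers ignore it. `our_origin` is a hypothetical origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            allowed = {"none", "self", our_origin.lower()}
            # Anything beyond 'none', 'self' or our own origin (a wildcard, a
            # bare scheme, another host) means someone else may frame us.
            return bool(sources) and all(s in allowed for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def harden(headers: dict) -> dict:
    """Return a copy of the response headers with both anti-framing headers
    set; the CSP directive for modern browsers, X-Frame-Options for older ones."""
    fixed = dict(headers)
    fixed["X-Frame-Options"] = "DENY"
    fixed["Content-Security-Policy"] = "frame-ancestors 'none'"
    return fixed


# Constructed header sets: the unprotected response beside the hardened one.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = harden(UNPROTECTED)
```

Running `framing_protected` over the headers of every console page (after logging in, since the vulnerable pages are authenticated ones) is a quick way to confirm a fix landed everywhere rather than only on the landing page.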

CVE ID: CVE-2013-4067

DESCRIPTION:
An attacker can steal or manipulate a user's session and cookies, or persuade an unsuspecting user to supply sensitive information such as a username or password.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86598 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
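CVE-2013-3034, CVE-2013-4059 and CVE-2013-4067 all describe cross-site scripting or content injection via a crafted URL. The added example below (not IBM's code; the search page, its URLs and the probe are constructed for illustration) reflects a query parameter into a page the way a vulnerable console page would, then shows the fix of encoding for the output context, and a caveat: HTML-encoding a value written into an unquoted attribute still leaves an injection, because the attribute ends at the first space. `injected` uses Python's HTML parser to report whether attacker-controlled markup survived as real markup rather than as text.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def _query_param(url: str, name: str = "q") -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects ?q= straight into the page body (the XSS class in the CVEs above)."""
    return "<p>Results for %s</p>" % _query_param(url)


def render_fixed(url: str) -> str:
    """Encodes for the context it writes into: HTML text content."""
    return "<p>Results for %s</p>" % html.escape(_query_param(url), quote=True)


def render_unquoted_attribute(url: str) -> str:
    """Still broken despite escaping: an unquoted attribute value ends at
    the first space, and html.escape leaves spaces alone, so extra
    attributes can be smuggled in. Always quote attribute values."""
    return "<input name=q value=%s>" % html.escape(_query_param(url), quote=True)


class _Probe(HTMLParser):
    """Collects script tags and on* event-handler attributes as the browser
    would see them; encoded text never reaches handle_starttag."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.hits.append(name)


def injected(page: str) -> list:
    probe = _Probe()
    probe.feed(page)
    return probe.hits


# Constructed attack URLs for the hypothetical console host.
SCRIPT_URL = "https://isconsole.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
ATTR_URL = "https://isconsole.example/search?q=x%20onmouseover%3Dalert(1)"
```

The general rule the three functions illustrate is that encoding must match the sink: HTML entity encoding for element content and quoted attributes, JavaScript string encoding inside scripts, and URL encoding inside `href`; one escaping routine applied at input time cannot be right for all of them.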

Affected Products and Versions

IBM InfoSphere Data Click version 10.0 running on Linux

Remediation/Fixes

Product                  VRMF   APAR                                                               Remediation/First Fix
InfoSphere Data Click    10.0   JR46529 JR46682 JR46685 JR47055 JR47357 JR48815 JR49200 JR49206   Contact IBM customer support to obtain the fix.

Workarounds and Mitigations

None known; apply the fixes.

References

Acknowledgement

None

Change History

10 July 2014: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 34293 (covers PSIRTs 28525, 28554, 30197, 30199, 30200, 30203, 30204)

Patch for 10.0 can be found:
https://asc-eng-patch-01.swg.usma.ibm.com/Patches/InformationServer/10.0/Security_bundle/
Updater for 10 and Install instructions found here:
https://asc-eng-patch-01.swg.usma.ibm.com/Patches/InformationServer/10.0/Updater/

Document Information

Modified date:
16 June 2018

UID

swg21670298