Date: 25 June 2012
References: ESB-2011.0542 ESB-2012.0634
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0613
Multiple vulnerabilities in IBM Lotus Expeditor
25 June 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Lotus Expeditor
Publisher: IBM
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0191 CVE-2012-0187 CVE-2012-0186
CVE-2010-4647 CVE-2008-7271
Reference: ESB-2011.0542
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21575642
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Lotus Expeditor Security Advisory and Security Update
Pack (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191,
CVE-2012-0187)
Flash (Alert)
Abstract
IBM has identified a total of four vulnerabilities in IBM Lotus Expeditor. All
four vulnerabilities are resolved by IBM Lotus Expeditor 6.2 FP5+Security Pack.
VULNERABILITY DETAILS: Directory Traversal
CVE ID: CVE-2012-0186
DESCRIPTION: Specially-crafted URLs can be sent to the Eclipse Help component
of IBM Lotus Expeditor to disclose the location of private resources (files).
This issue can be tracked by SPR # SAKL7QQG28.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72096 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
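An added example, not code from IBM's bulletin or from Lotus Expeditor, contrasting a resolver that lets traversal segments through with a hardened one for a help-style static file handler; the help root and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed help root for the example (assumption, not a path from the
# advisory or from the product's installation layout).
HELP_ROOT = "/opt/expeditor/help"

def weak_resolve(requested: str) -> str:
    """Flawed resolver: decodes the request path, appends it to the root
    and only checks that the result *starts with* the root string.  '..'
    segments survive because nothing normalises the joined path."""
    candidate = HELP_ROOT + "/" + unquote(requested)
    if not candidate.startswith(HELP_ROOT):
        raise PermissionError("outside help root")
    return candidate

def safe_resolve(requested: str):
    """Hardened resolver: decode, reject absolute and odd paths, normalise,
    then require the result to sit strictly below HELP_ROOT.  Returns the
    resolved path or None; the caller should map None to a generic 404 so
    the response does not reveal where private resources live."""
    decoded = unquote(requested)
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    resolved = posixpath.normpath(posixpath.join(HELP_ROOT, decoded))
    if not resolved.startswith(HELP_ROOT + "/"):
        return None
    return resolved

# Constructed sample request paths, not URLs from the advisory.
SAMPLES = [
    "topics/intro.html",
    "../../../etc/passwd",
    "topics/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
]

def audit(samples=SAMPLES) -> dict:
    """For each request return (weak_check_passed, safe_resolved_path_or_None)."""
    results = {}
    for req in samples:
        try:
            weak_resolve(req)
            weak_passed = True
        except PermissionError:
            weak_passed = False
        results[req] = (weak_passed, safe_resolve(req))
    return results
```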
VULNERABILITY DETAILS: Flawed Access Control Checks for Remote Requests to Web Container
CVE ID: CVE-2012-0191
DESCRIPTION: Malicious users can spoof request headers sent to the Expeditor
web container exploiting a flaw in access control checking to make it appear
that the request came from localhost. This issue can be tracked as SPR#
SAKL7QQG28 and MSTO89WRX8.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72156 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
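An added illustration, not code from the advisory or the product, of the access-control flaw described above: a check that derives "local" from request headers beside one that uses the accepted connection's peer address. The Request class, the header names the weak check consults and the sample addresses are assumptions; the advisory does not say which header was spoofed.

```python
import ipaddress

class Request:
    """Constructed stand-in for a web container request (assumption): the
    peer address of the accepted TCP connection plus client-sent headers."""
    def __init__(self, peer_ip: str, headers: dict):
        self.peer_ip = peer_ip
        self.headers = {k.lower(): v for k, v in headers.items()}

def weak_is_local(req: Request) -> bool:
    """Flawed check: decides 'local' from Host / X-Forwarded-For, both of
    which the client writes.  Which header the real flaw trusted is not
    stated in the advisory; these are assumed for illustration."""
    host = req.headers.get("host", "").split(":")[0]
    forwarded = req.headers.get("x-forwarded-for", "").split(",")[0].strip()
    return host in ("localhost", "127.0.0.1") or forwarded in ("127.0.0.1", "::1")

def is_loopback_peer(req: Request) -> bool:
    """Hardened check: only the transport-level peer address counts."""
    try:
        ip = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 loopback as ::ffff:127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback

def decide(req: Request, check=is_loopback_peer) -> str:
    """Map the chosen check to an allow/deny decision for a local-only resource."""
    return "allow" if check(req) else "deny"

# Constructed sample traffic (not from the advisory).
GENUINE_LOCAL = Request("127.0.0.1", {"Host": "localhost:8080"})
SPOOFED_REMOTE = Request("203.0.113.5",
                         {"Host": "localhost", "X-Forwarded-For": "127.0.0.1"})

def compare(req: Request) -> dict:
    """Return both verdicts so the gap between the checks is visible in logs."""
    return {"header_based": decide(req, weak_is_local),
            "peer_based": decide(req)}
```

If the container sits behind a trusted reverse proxy, the proxy is the peer and any forwarded-for handling belongs in a separately validated proxy trust list, not in this check.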
VULNERABILITY DETAILS: Microsoft Windows Insecure Library Loading
CVE ID: CVE-2012-0187
DESCRIPTION: A vulnerability in IBM Lotus Expeditor caused by the Microsoft
Windows Insecure Library Loading issue could allow remote code execution. Users
clicking on a known file type from an untrusted and vulnerable location may
inadvertently cause execution of untrusted code on their system. For more
details please reference Microsoft Security Advisory 2269637. This issue can
be tracked as SPR# DKLN8K7TEA, RAKA89HPF2, JKAE893E7R and RAKA899QV5.
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72097 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
VULNERABILITY DETAILS: Multiple IBM Lotus Expeditor Cross-site Scripting Issues
CVE IDs: CVE-2008-7271, CVE-2010-4647
DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (i.e., the Help Server) in Eclipse IDE, possibly
3.3.2, allow remote attackers to inject arbitrary web script or HTML. These
issues can be tracked as SPR# SAKL7QQG28 and JCHC89R945.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/64833 and
http://xforce.iss.net/xforce/xfdb/64834 for the current scores
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:R/AC:M/Au:N/C:N/I:P/A:N)
REMEDIATION:
The recommended solution is to apply the fix. To obtain this fix, Expeditor
customers with access to Fix Central can download and apply IBM Lotus Expeditor
6.2 FP5 + Security Pack.
Fix:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm/Lotus&product=ibm/Lotus/Lotus+Expeditor&release=All&platform=All&function=fixId&fixids=XPD-6.2.0.0-Client-IFix2
Workaround:
None known, apply fixes.
Mitigation:
None known, apply fixes.
REFERENCES:
Complete CVSS Guide
http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database
Eclipse IDE searchWord cross-site scripting
http://xforce.iss.net/xforce/xfdb/64834
X-Force Vulnerability Database
Eclipse IDE query string cross-site scripting
http://xforce.iss.net/xforce/xfdb/64833
X-Force Vulnerability Database
Directory Traversal
http://xforce.iss.net/xforce/xfdb/72096
X-Force Vulnerability Database
Flawed Access Control Checks for Remote requests to Web Container
http://xforce.iss.net/xforce/xfdb/72196
X-Force Vulnerability Database
Microsoft Windows Insecure Library Loading
http://xforce.iss.net/xforce/xfdb/72097
CVE-2008-7271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271
CVE-2010-4647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4647
CVE-2012-0186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0186
CVE-2012-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0191
CVE-2012-0187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0187
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
CHANGE HISTORY:
21/06/2012: Initial publication.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================