-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1284
Security Bulletin: IBM PureData System for Operational Analytics A1791 and
IBM Smart Analytics System 7600, 7700, and 7710 are affected by a privilege
    escalation vulnerability in the DB2 Audit Facility (CVE-2013-3475)
                             13 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Smart Analytics System
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3475  

Reference:         ESB-2013.0778
                   ESB-2013.0767

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21639194

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM PureData System for Operational Analytics A1791 and IBM 
Smart Analytics System 7600, 7700, and 7710 are affected by a privilege 
escalation vulnerability in the DB2 Audit Facility (CVE-2013-3475)

Flash (Alert)

Document information
IBM Smart Analytics System

Software version:
9.7

Operating system(s):
AIX 6.1

Reference #:
1639194

Modified date:
2013-09-06

Abstract

The IBM PureData System for Operational Analytics A1791, IBM Smart Analytics 
System 7600, IBM Smart Analytics System 7700, and IBM Smart Analytics System 
7710 are shipped with DB2 9.7 or DB2 10.1. These versions of DB2 contain a 
security vulnerability in the DB2 Audit Facility which allows an attacker to 
gain DB2 instance owner level privileges. This vulnerability can only be 
exploited by users through a local system account login.

Content

VULNERABILITY DETAILS
CVE-2013-3475
CVSS Base Score: 6.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84358 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C)


AFFECTED PRODUCTS AND VERSIONS: 

IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
IBM PureData System for Operational Analytics A1791

REMEDIATION: 

FIXES: 

Find your product in the table below and use the link in the Patch/Fix Pack 
Download Link column to find the patch provided by IBM.

For more information about IBM registration IDs, see the IBM Registration FAQ 
page.


Product                      : IBM Smart Analytics System 7600
Operating System             : AIX 6.1
Patch/Fix Pack               : DB2 9.7 Fix Pack 8 special build 30703
Versions                     : DB2 9.7 Fix Pack 8 special build 30703
Patch/Fix Pack Download Link : Contact IBM Support to request the special build.
Installation instructions    : Procedure to install a DB2 special build or fix
                               pack on an IBM Smart Analytics System

Product                      : IBM Smart Analytics System 7700
Operating System             : AIX 6.1
Patch/Fix Pack               : IBM Smart Analytics System 7700 fix pack 2.1.2.0
                               Note: When you install this fix pack, you will
                               update other components in addition to DB2.
Versions                     : DB2 9.7 Fix Pack 8 special build 30703
Patch/Fix Pack Download Link : Navigate to Fix Central and download fix pack
                               2.1.2.0-IM-ISAS7700.
Installation instructions    : Link to installation instructions

Product                      : IBM Smart Analytics System 7710
Operating System             : AIX 6.1
Patch/Fix Pack               : IBM Smart Analytics System 7710 fix pack 2.1.2.0
                               Note: When you install this fix pack, you will
                               update other components in addition to DB2.
Versions                     : DB2 9.7 Fix Pack 8 special build 30703
Patch/Fix Pack Download Link : Navigate to Fix Central and download fix pack
                               2.1.2.0-IM-ISAS7710.
Installation instructions    : Link to installation instructions

Product                      : IBM PureData System for Operational Analytics A1791
Operating System             : AIX 7.1
Patch/Fix Pack               : IBM PureData System for Operational Analytics Fix
                               Pack 1.0.0.2. Note: When you install this fix
                               pack, you will update other components in
                               addition to DB2.
Versions                     : DB2 9.7 Fix Pack 8 special build 30703 or
                               DB2 10.1 Fix Pack 2 special build 30704
Patch/Fix Pack Download Link : Refer to the Installation Instructions link and
                               follow the download instructions in the fix pack
                               readme document.
Installation instructions    : Link to fix pack readme document

WORKAROUND(S): 

None. 

MITIGATION(S): 

None. 

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-3475
X-Force Database


RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog 


ACKNOWLEDGEMENT: 
The vulnerability in DB2 was reported to IBM by Bartlomiej Balcerek via Secunia 
SVCRP. 


CHANGE HISTORY: 
6-September-2013: 
- - Original version published. 


*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash. 

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUjJ7uxLndAQH1ShLAQKsVw/+JUebNBSvkK9m4qR3usKvLZ28wlsr9nqX
eEN5g8ufS48BPbiR/JvzvreC9NCe+SDrBmAxJoRF//lGuGR2VfnYFnnR5f3EEEc8
wyk170fCXuwuGjsRSpFPQUsU2GQbomBoR8l19NymKvKLExsqyknYzjOg+MVm3NJa
eeSi28fPzWag9NXOX+X8v+yyNsT/JWs25bEk9Cs4SHjfhUNO9sAQPBrpq5Ztp6VN
uQ29MBLbkisCqzU0HxLnSXivkW31+pJa3mUaFNfwczutPQj7pS3/tvWBjNpV+uJL
U36Is1AF6yt1Rk8Jn05PTsPHZvSMDcXp1WQg2CYcXBq0waY4O6O3vWt9anOHTOld
Ar+rLY2oJxwguBupR7GZM0nnxJrQl7yOuS/y77hMwFVTBbDFlDIoygeu++6qhGNm
3mw/9q6KJOGnDUvhKonPxaA9Mml6rTfQ/0EVlERRFLIoPh4Pr/iBCMDuD89kptZM
kD3qXHsS4rCDdn76qyhNDdSoZI9buyVN3idLsgWH7aMbgvNdn6lUXjsIGHeTiq5p
3tRvgrwYrcydqh2/paSGOXD9dlQ8TCDihc6iceH/YlgyrI6gJwAYjG8ayHcGA23F
Km1IHN3HVjsWYeKER3UK5TqfsDyaExNT02teVBc5rBzGQolCXJihP73taFJnmHhZ
2/dXjW5/SHo=
=qGGe
-----END PGP SIGNATURE-----