Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0742
Security Bulletin: IBM Algo Audit and Compliance information disclosure
vulnerability (CVE-2014-0053) and IBM Algo Audit and
Compliance code execution vulnerability (CVE-2013-4330)
16 May 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Algo Audit and Compliance
Publisher: IBM
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0053 CVE-2013-4330
Reference: ESB-2014.0126
ESB-2013.1831
ESB-2013.1397
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21669917
http://www-01.ibm.com/support/docview.wss?uid=swg21669909
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Algo Audit and Compliance information disclosure
vulnerability (CVE-2014-0053)
Security Bulletin
Document information
More support for:
Algo Audit and Compliance
Software version:
2.1
Operating system(s):
Windows
Software edition:
All Editions
Reference #:
1669917
Modified date:
2014-05-09
Summary
IBM Algo Audit and Compliance uses Grails and is affected by the information
disclosure vulnerability identified in it, which could permit an attacker to
obtain configuration data and other sensitive information.
Vulnerability Details
CVE ID:
CVE-2014-0053
Description:
A vulnerability has been identified in Grails that could allow a remote
attacker to obtain sensitive information, caused by the failure to restrict
access to resources located within the /WEB-INF directory. An attacker could
exploit this vulnerability to obtain configuration data and other sensitive
information. The attack requires network access, no authentication and a low
degree of specialized knowledge and technique. An attack may compromise the
confidentiality of information, but not the availability of the system or the
integrity of data.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91270
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM Algo Audit and Compliance versions 2.1 - 2.1.0.1
Remediation/Fixes
Download and install IBM Algo Audit and Compliance version 2.1.0.2 from Fix
Central, details available at
http://www-01.ibm.com/support/docview.wss?uid=swg24037328
Workarounds and Mitigations
None known
References
Complete CVSS Guide
On-line Calculator V2
CVE-2014-0053
http://xforce.iss.net/xforce/xfdb/91270
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
9 May 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- -----
Security Bulletin: IBM Algo Audit and Compliance code execution vulnerability
(CVE-2013-4330)
Security Bulletin
Document information
More support for:
Algo Audit and Compliance
Software version:
2.1
Operating system(s):
Windows
Software edition:
All Editions
Reference #:
1669909
Modified date:
2014-05-09
Summary
IBM Algo Audit and Compliance uses Apache Camel and is affected by the code
execution vulnerability identified in it, which could permit an attacker to
execute arbitrary code on the system.
Vulnerability Details
CVE ID:
CVE-2013-4330
Description:
A high-risk vulnerability has been identified in Apache Camel that could allow
a remote attacker to execute arbitrary code on the system, caused by the
improper handling of simple language expressions. An attacker could exploit
this vulnerability to execute arbitrary code on the system with elevated
privileges. The attack requires network access, no authentication and a low
degree of specialized knowledge and technique. An attack may compromise the
confidentiality of information, the availability of the system and the
integrity of data.
CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87542
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
IBM Algo Audit and Compliance versions 2.1.0.0, 2.1.0.1
Remediation/Fixes
Download and install IBM Algo Audit and Compliance version 2.1.0.2 from Fix
Central, details available at
http://www-01.ibm.com/support/docview.wss?uid=swg24037328.
Workarounds and Mitigations
None known
References
Complete CVSS Guide
On-line Calculator V2
CVE-2013-4330
http://xforce.iss.net/xforce/xfdb/87542
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
- - 9 May 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU3V3CxLndAQH1ShLAQIiQA/+NSKaChBTZaF3RSejajfTbMsyOIWwr26n
j1I3dR057ASSI1l+zHnjjGOyblT8E4MrLcGkrOtjogUfiw4e1FeDIGQeh6+l8D1o
3D0R9/auvXahT3PH8E3JTrwy1WwX8t3Qek9It7thrTipIWJYiAsUSzuykfsHe8TA
4IDjX1aITH2lzg1maHlLEKW3VZ3luiNlka2fBDeHojxaVItbm6rHwk3Gxc2NicmM
5rQRvcnwq9cGDav7eJlyt8jC+0iOJytEU17DxUG9JJXyYVm5lL8PeGppmCIQ8BEu
Uy/cgHnZjmsBmaFpdo7MuOo69u9b0pObh8wl/E5I162DLCZ1MtP4G97NjemtaO6t
cYMfak99S4sPaTND5NVO1/OoFuOQgmMCQ0qcJY1AbP2FBFBwcYLQDRr4L+9JMjhI
ZVD+DFZ1aSn+d3bf/6u3Hza76vd52d5yKluFRQ6DJmlqGGP2ICWIUDmr22ABDJkD
3V+VvDebPYbjfdJ4on97FMu9S753eDzB+QE/V/Q0CuLjt1shVm2mtdqY5/Hk5g02
2/5/GW2Eq4goiyksLwuIxE1zCItE0PkFaSKNdg3YWfZXt15oCm1KAIxbiLbOF+S6
kX+f0sUveSTi2Flye31xLolAw6uLAlh5UL0rjE5/HNPAut7hrIzr0m6pEYdwvOoA
31gnF3675sA=
=T6iM
-----END PGP SIGNATURE-----