Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1004
Security Bulletin: Cúram is vulnerable to cross site
scripting attack (CVE-2014-3013)
19 June 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Curam
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
z/OS
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3013 CVE-2014-3012
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21675415
http://www-01.ibm.com/support/docview.wss?uid=swg21675454
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Curam is vulnerable to cross site scripting attack
(CVE-2014-3013)
Document information
More support for:
Curam Social Program Management
Software version:
4.5, 5.0, 5.2.0, 5.2.1, 5.2.4, 5.2.5, 5.2.6, 6.0.2, 6.0.3, 6.0.4, 6.0.5
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #:
1675415
Modified date:
2014-06-09
Security Bulletin
Summary
Curam is vulnerable to cross site scripting attack.
Vulnerability Details
CVEID: CVE-2014-3013
DESCRIPTION:
Curam is vulnerable to cross site scripting attack caused by improper
validation and sanitization of tags in custom JSPs or custom renderers that
add text nodes to content that will be rendered onto the screen. A remote
attacker could exploit this vulnerability by injecting a malicious code in
the text which is being rendered into a Web page which would be executed in
a victim's Web browser within the security context of the hosting Web site,
once the page is viewed. The user's session can be completely compromised,
allowing an attacker to perform any action that the user can perform,
monitor the session or steal the data viewed by the user.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93011 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Curam Social Program Management
All products are affected when running code releases 4.5 SP10, 5.0, 5.2,
5.2 SP1, 5.2 SP4, 5.2 SP4 DE, 5.2 SP5, 5.2 SP6, 6.0 SP2, 6.0.3.0, 6.0.4.0,
6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4.
Remediation/Fixes
Product VRMF Remediation/First Fix
Curam SPM 4.5 SP10 Visit IBM Fix Central and upgrade to EP2
Curam SPM 5.0 Visit IBM Fix Central and upgrade to EP17
Curam SPM 5.2 Visit IBM Fix Central and upgrade to EP3
Curam SPM 5.2 SP1 Visit IBM Fix Central and upgrade to EP17
Curam SPM 5.2 SP4 Visit IBM Fix Central and upgrade to EP24
Curam SPM 5.2 SP4 DE Visit IBM Fix Central and upgrade to EP11
Curam SPM 5.2 SP5 Visit IBM Fix Central and upgrade to EP4
Curam SPM 5.2 SP6 Visit IBM Fix Central and upgrade to EP5
Curam SPM 6.0 SP2 Visit IBM Fix Central and upgrade to EP24
Curam SPM 6.0.3.0 Visit IBM Fix Central and upgrade to iFix 8
Curam SPM 6.0.4.0 Visit IBM Fix Central and upgrade to iFix 13
Curam SPM 6.0.4.3 Visit IBM Fix Central and upgrade to iFix 9
Curam SPM 6.0.4.4 Visit IBM Fix Central and upgrade to iFix 7
Curam SPM 6.0.4.5 Visit IBM Fix Central and upgrade to iFix 5
Curam SPM 6.0.5.2 Visit IBM Fix Central and upgrade to iFix 9
Curam SPM 6.0.5.3 Visit IBM Fix Central and upgrade to iFix 10
Curam SPM 6.0.5.4 Visit IBM Fix Central and upgrade to iFix 3
Workarounds and Mitigations
None
Important note
IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
9 June 2014: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Product Alias/Synonym
Curam
- -------------------------------------------------------------------------------
Security Bulletin: Curam is vulnerable to CRLF Injection attack
(CVE-2014-3012)
Document information
More support for:
Curam Social Program Management
Software version:
5.2.1, 5.2.4, 6.0.4, 6.0.5
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #:
1675454
Modified date:
2014-06-09
Security Bulletin
Summary
Curam is vulnerable to CRLF Injection attack when not deployed on IBM
WebSphere.
Vulnerability Details
CVEID: CVE-2014-3012
DESCRIPTION:
IBM Curam Social Program Management, when not deployed on IBM WebSphere
Application Server, is vulnerable to CRLF Injection attack caused by improper
sanitization of the user supplied code that is output into an http response
header field. A remote attacker could inject CRLF combinations into HTTP
headers in the custom JSPs using multiple unspecified parameters, which
will allow the attacker to take control of a user's session/credentials
or in some cases to prepare and make the web application more amenable to
future attacks. These come in many forms including cross site scripting
and HTTP Response Splitting.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93010 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Curam Social Program Management
All products are affected when running code releases 5.2 SP1, 5.2 SP4,
6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4.
Remediation/Fixes
Product VRMF Remediation/First Fix
Curam SPM 5.2 SP1 Visit IBM Fix Central and upgrade to EP17
Curam SPM 5.2 SP4 Visit IBM Fix Central and upgrade to EP24
Curam SPM 6.0.4.4 Visit IBM Fix Central and upgrade to iFix 7
Curam SPM 6.0.4.5 Visit IBM Fix Central and upgrade to iFix 5
Curam SPM 6.0.5.2 Visit IBM Fix Central and upgrade to iFix 9
Curam SPM 6.0.5.3 Visit IBM Fix Central and upgrade to iFix 10
Curam SPM 6.0.5.4 Visit IBM Fix Central and upgrade to iFix 3
Workarounds and Mitigations
None
Important note
IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
9 June 2014: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Product Alias/Synonym
Curam
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU6OIARLndAQH1ShLAQKDYw//U2Mtzm2R40RkfZXbmHEr+apMuh7Q4Wju
mwLtUAmUAg+tcZqFKwCYH5B19UOCPGusVI2s9eVTTSHHg7m4y1crIp6Paz6qnUpg
JhBzrY+L8eNFErRabnwqbLgyNjo15MeXmda7TJSY4rM4IPwjxFwUHZ8ZkfYiuGEI
iALS0AQL8EnTrsW77xzJZ7hon9phU15PMD22t1KBwsDpD9dtnY2E/GnltjLrYNNO
oe1z+1U5nMJqQKH8khDI4nRpPpbKsnikfPP2TbS4SL1FPuuFIGQFg9hX3OoZ6bw8
FW/99qfe1/NaXK72qcamHizOStenwdPjjt7mFgVGrYTeAMRblpOXNJwk8vmnrZpl
FD2kIRvIlcIGVB5qpgAbMqXKtoZulAMKfcOgyuaRk76yq79DOy6gIUf4TT3qBWeX
HSXqJ/5/ESqo8CgYT6UozPOyYRQW2CNiqF19f6WSTBG/b78gBEyBmV9Uy6JaJPAK
QVlaZbaeF8dOijMPnPNQWHqxuBjEYOPNYU2h3pHEwEVxsU0DoeoPMEzdrzwcyNUY
az2BPvvUBvKeyIxkdDSzV7Xp5S37jB7IRiArcRwtEWaVHowwy4n7B7FOAPVbF14k
SSOcRPILzKYuf2ki3duqexYvzm7jJrSB9EsrkkbGDt7I1T7T/bzDRt2uhlgPFpRu
oLpUZKTKAEs=
=ndPW
-----END PGP SIGNATURE-----