[BESAdmin-Announcements] Content Modification in Software Use Analytics and Security Compliance Analytics - Update for Critical Ruby on Rails Security Vulnerability

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Mon Jan 21 21:23:36 PST 2013


IBM has modified content in the sites for Software Use Analytics and 
Security Compliance Analytics.
This release responds to a publicly disclosed critical security 
vulnerability in the Ruby on Rails framework.

Actions to Take: 
- Update SUA 1.3 installs with fixlet 30 in the DSS Software Asset 
Management site
- Update SUA 2 installs with fixlet 48 in the IBM Software Inventory Site
- Update SCA 1.3 installs with fixlet 13 in the SCM Reporting site

Published site versions: 
DSS Software Asset Management version 21
IBM Software Inventory version 16
SCM Reporting version 48

Security Bulletin: Tivoli Endpoint Manager for Software Use Analytics and 
Tivoli Endpoint Manager for Security Compliance Analytics (CVE-2012-6496, 
CVE-2013-0156)

Abstract:  SQL Injection Vulnerabilities in Ruby on Rails

VULNERABILITY DETAILS: 

DESCRIPTION: 
Vulnerabilities in request parsing in Ruby on Rails affect all GA 
versions of SUA 1, SUA 2, and SCA 1.


CVEID: CVE-2012-6496
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81004 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector:  (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-0156
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81119 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector:  (AV:N/AC:M/Au:N/C:C/I:C/A:C)


AFFECTED PRODUCTS AND VERSIONS: 
Tivoli Endpoint Manager for Software Use Analytics 1.3 and earlier
Tivoli Endpoint Manager for Software Use Analytics 2.0
Tivoli Endpoint Manager for Security Compliance Analytics 1.3 and earlier


REMEDIATION: 


Product        APAR    How to acquire fix
-------------  ------  ------------------------------------------------------
Patch SUA 2.0          Apply fixlet 48 (TEM SUA Patch for Security 
                       Vulnerability CVE-2013-0156) in the IBM Software 
                       Inventory site or download the latest installer.
Patch SCA 1            Apply fixlet 13 (TEM SCA Patch for Security 
                       Vulnerability CVE-2013-0156) in the SCM Reporting 
                       site or download the latest installer.
Patch SUA 1.3          Apply fixlet 30 (SAM Patch for Security Vulnerability 
                       CVE-2013-0155 and CVE-2013-0156) in the DSS Software 
                       Asset Management site or download the latest installer.

All prior versions of SUA and SCA should be upgraded to the latest 
supported version.

Workaround(s): 
None

Mitigation(s): 
None

REFERENCES: 
- Complete CVSS Guide
- On-line Calculator V2
- CVE-2012-6496
- CVE-2013-0156
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81119
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81004


RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
18 January, 2013:  Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links 
in the Reference section of this Flash. 

Note: According to the Forum of Incident Response and Security Teams 
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry 
open standard designed to convey vulnerability severity and help to 
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES 
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE 
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY 
VULNERABILITY.