[BESAdmin-Announcements] Content Modification in Software Use Analytics and Security Compliance Analytics - Update for Critical Ruby on Rails Security Vulnerability
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Jan 21 21:23:36 PST 2013
IBM has modified content in the sites for Software Use Analytics and
Security Compliance Analytics.
This release was in response to a publicly disclosed Ruby on Rails
framework critical security vulnerability.
Actions to Take:
- Update SUA 1.3 installs with fixlet 30 in the DSS Software Asset
Management site
- Update SUA 2 installs with fixlet 48 in the IBM Software Inventory Site
- Update SCA 1.3 installs with fixlet 13 in the SCM Reporting site
Published site versions:
DSS Software Asset Management version 21
IBM Software Inventory version 16
SCM Reporting version 48
Security Bulletin: Tivoli Endpoint Manager for Software Use Analytics and
Tivoli Endpoint Manager for Security Compliance Analytics (CVE-2012-6496,
CVE-2013-0156)
Abstract: SQL Injection Vulnerabilities in Ruby on Rails
VULNERABILITY DETAILS:
DESCRIPTION:
Vulnerabilities in request parsing in Ruby on Rails affect all GA
versions of SUA 1, SUA 2, and SCA 1.
CVEID: CVE-2012-6496
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81004 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2013-0156
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81119 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS AND VERSIONS:
Tivoli Endpoint Manager for Software Use Analytics 1.3 and earlier
Tivoli Endpoint Manager for Software Use Analytics 2.0
Tivoli Endpoint Manager for Security Compliance Analytics 1.3 and earlier
REMEDIATION:
Product: SUA 2.0
  APAR: (none listed)
  How to acquire fix: Apply fixlet 48 (TEM SUA Patch for Security
  Vulnerability CVE-2013-0156) in the IBM Software Inventory site, or
  download the latest installer.
Product: SCA 1
  APAR: (none listed)
  How to acquire fix: Apply fixlet 13 (TEM SCA Patch for Security
  Vulnerability CVE-2013-0156) in the SCM Reporting site, or download the
  latest installer.
Product: SUA 1.3
  APAR: (none listed)
  How to acquire fix: Apply fixlet 30 (SAM Patch for Security Vulnerability
  CVE-2013-0155 and CVE-2013-0156) in the DSS Software Asset Management
  site, or download the latest installer.
All prior versions of SUA and SCA should be upgraded to the latest
supported version.
Workaround(s):
None
Mitigation(s):
None
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-6496
· CVE-2013-0156
· X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81119
· X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81004
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT
None
CHANGE HISTORY
18 January, 2013: Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.