<font size=3 face="Default Sans Sarif">IBM has modified content in the
sites for Software Use Analytics and Security Compliance Analytics.</font>
<p><font size=3 face="Default Sans Sarif">This release responds to
publicly disclosed critical security vulnerabilities in the Ruby on Rails framework.
</font>
<br>
<p><font size=3 face="Default Sans Sarif">Actions to Take: </font>
<p><font size=3 face="Default Sans Sarif">- Update SUA 1.3 installs with
fixlet 30 in the DSS Software Asset Management site</font>
<p><font size=3 face="Default Sans Sarif">- Update SUA 2 installs with
fixlet 48 in the IBM Software Inventory Site</font>
<p><font size=3 face="Default Sans Sarif">- Update SCA 1.3 installs with
fixlet 13 in the SCM Reporting site</font>
<p>
<p><font size=3 face="Default Sans Sarif">Published site versions: </font>
<p><font size=3 face="Default Sans Sarif">DSS Software Asset Management
version 21</font>
<p><font size=3 face="Default Sans Sarif">IBM Software Inventory version
16</font>
<p><font size=3 face="Default Sans Sarif">SCM Reporting version 48</font>
<p>
<br><font size=3 face="Default Sans Sarif"><b>Security Bulletin</b>: Tivoli
Endpoint Manager for Software Use Analytics and Tivoli Endpoint Manager
for Security Compliance Analytics (CVE-2012-6496, CVE-2013-0156)</font>
<br>
<br><font size=3 face="Default Sans Sarif"><b>Abstract: </b> SQL Injection
Vulnerabilities in Ruby on Rails</font>
<br>
<br><font size=3 face="Default Sans Sarif"><b>VULNERABILITY DETAILS: </b></font>
<br>
<br><font size=3 face="Default Sans Sarif"><b>DESCRIPTION: </b></font>
<br><font size=3 face="Default Sans Sarif"> Vulnerabilities in request
parsing in Ruby on Rails affect all GA versions of SUA 1, SUA 2, and SCA
1.</font>
<br>
<br>
<br><font size=3 face="Default Sans Sarif"><b>CVEID: </b>CVE-2012-6496</font>
<br><font size=3 face="Default Sans Sarif">CVSS Base Score: 7.5</font>
<br><font size=3 face="Default Sans Sarif">CVSS Temporal Score: See </font><a href=http://xforce.iss.net/xforce/xfdb/81004><font size=3 face="Default Sans Sarif"><u>http://xforce.iss.net/xforce/xfdb/81004</u></font></a><font size=3 face="Default Sans Sarif">
for the current score<br>
CVSS Environmental Score*: Undefined<br>
CVSS Vector: </font><a href="http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2012-6496&vector=(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP)" target=_blank><font size=3 face="Default Sans Sarif"><u>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</u></font></a>
<br>
<br><font size=3 face="Default Sans Sarif"><b>CVEID: </b>CVE-2013-0156</font>
<br><font size=3 face="Default Sans Sarif">CVSS Base Score: 9.3<br>
CVSS Temporal Score: See </font><a href=http://xforce.iss.net/xforce/xfdb/81119><font size=3 face="Default Sans Sarif"><u>http://xforce.iss.net/xforce/xfdb/81119</u></font></a><font size=3 face="Default Sans Sarif">
for the current score<br>
CVSS Environmental Score*: Undefined<br>
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)</font>
<br>
<br>
<br><font size=3 face="Default Sans Sarif"><b>AFFECTED PRODUCTS AND VERSIONS:
</b></font>
<br><font size=3 face="Default Sans Sarif">Tivoli Endpoint Manager for
Software Use Analytics 1.3 and earlier</font>
<br><font size=3 face="Default Sans Sarif">Tivoli Endpoint Manager for
Software Use Analytics 2.0</font>
<br><font size=3 face="Default Sans Sarif">Tivoli Endpoint Manager for
Security Compliance Analytics 1.3 and earlier</font>
<br>
<br>
<br><font size=3 face="Default Sans Sarif"><b>REMEDIATION: </b></font>
<br>
<br>
<table border>
<tr>
<td><font size=3 face="Default Sans Sarif"><b><i>Product</i></b></font>
<td><font size=3 face="Default Sans Sarif"><b><i>APAR</i></b></font>
<td><font size=3 face="Default Sans Sarif"><b><i>How to acquire fix</i></b></font>
<tr>
<td><font size=3 face="Default Sans Sarif"><i>Patch SUA 2.0</i></font>
<td>
<td><font size=3 face="Default Sans Sarif"><i>Apply fixlet 48 (</i>TEM
SUA Patch for Security Vulnerability CVE-2013-0156<i>) in IBM Software
Inventory site or download latest installer.</i></font>
<tr>
<td><font size=3 face="Default Sans Sarif"><i>Patch SCA 1</i></font>
<td>
<td><font size=3 face="Default Sans Sarif"><i>Apply fixlet 13 (</i>TEM SCA
Patch for Security Vulnerability CVE-2013-0156<i>) in the SCM Reporting site
or download latest installer.</i></font>
<tr>
<td><font size=3 face="Default Sans Sarif"><i>Patch SUA 1.3</i></font>
<td>
<td><font size=3 face="Default Sans Sarif"><i>Apply fixlet 30 (</i>SAM
Patch for Security Vulnerability CVE-2013-0155 and CVE-2013-0156<i>) in DSS
Software Asset Management site or download latest installer.</i></font></table>
<br>
<br><font size=3 face="Default Sans Sarif"><i>All prior versions of SUA
and SCA should be upgraded to the latest supported version.</i></font>
<br>
<br><font size=3 face="Default Sans Sarif"><b><i>Workaround(s):</i></b>
</font>
<br><font size=3 face="Default Sans Sarif">None</font>
<br>
<br><font size=3 face="Default Sans Sarif"><b><i>Mitigation(s):</i></b>
</font>
<br><font size=3 face="Default Sans Sarif">None</font>
<br>
<br><font size=3 face="Default Sans Sarif"><b>REFERENCES: </b></font>
<br><a href="http://www.first.org/cvss/cvss-guide.html"><font size=3 face="Default Sans Sarif">·
<i><u>Complete CVSS Guide</u></i></font></a>
<br><a href="http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2"><font size=3 face="Default Sans Sarif">·
<i><u>On-line Calculator V2</u></i></font></a>
<br><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496"><font size=3 face="Default Sans Sarif">·
<i><u>CVE-2012-6496</u></i></font></a>
<br><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156"><font size=3 face="Default Sans Sarif">·
<i><u>CVE-2013-0156</u></i></font></a>
<br><font size=3 face="Default Sans Sarif">· <i>X-Force
Vulnerability Database </i></font><a href=http://xforce.iss.net/xforce/xfdb/81119><font size=3 face="Default Sans Sarif"><u>http://xforce.iss.net/xforce/xfdb/81119</u></font></a>
<br><font size=3 face="Default Sans Sarif">· <i>X-Force
Vulnerability Database </i></font><a href=http://xforce.iss.net/xforce/xfdb/81004><font size=3 face="Default Sans Sarif"><u>http://xforce.iss.net/xforce/xfdb/81004</u></font></a>
<br>
<br>
<br><font size=3 face="Default Sans Sarif"><b>RELATED INFORMATION: </b></font>
<br><a href="https://www-304.ibm.com/jct03001c/security/secure-engineering/"><font size=3 face="Default Sans Sarif"><u>IBM
Secure Engineering Web Portal </u></font></a><font size=3 face="Default Sans Sarif"><br>
</font><a href=https://www.ibm.com/blogs/PSIRT><font size=3 face="Default Sans Sarif"><u>IBM
Product Security Incident Response Blog</u></font></a>
<br>
<br><font size=3 face="Default Sans Sarif"><b>ACKNOWLEDGEMENT</b></font>
<br><font size=3 face="Default Sans Sarif">None</font>
<br>
<br><font size=3 face="Default Sans Sarif"><b>CHANGE HISTORY</b></font>
<br><font size=3 face="Default Sans Sarif">18 January, 2013: Original
Copy Published</font>
<br>
<p><font size=3 face="Default Sans Sarif"><i>*The CVSS Environment Score
is customer environment specific and will ultimately impact the Overall
CVSS Score. Customers can evaluate the impact of this vulnerability in
their environments by accessing the links in the Reference section of this
Flash. </i></font>
<p>
<br><font size=3 face="Default Sans Sarif"><b><i>Note: </i></b><i>According
to the Forum of Incident Response and Security Teams (FIRST), the Common
Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS"
WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.</i></font>
<br>