Security Bulletin: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467)


Abstract

The version of IBM Eclipse Help System that is shipped with IBM SPSS Data Collection versions 6.0, 6.0.1 ("Data Collection") and 7.0 has multiple security vulnerabilities. These vulnerabilities allow attackers to perform cross-site scripting and source code disclosure attacks.

Content


VULNERABILITY DETAILS:

DESCRIPTION:
Cross-Site Scripting vulnerabilities may enable malicious scripts to be injected into a victim's context.
CVE IDs: CVE-2013-0464
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


DESCRIPTION:
A source code disclosure vulnerability may allow an attacker to retrieve the source code of some resources located on the server.
CVE IDs: CVE-2013-0467
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81102 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:
IBM SPSS Data Collection Developer Library 6.0 (DDL 6.0) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 6.0.1 (DDL 6.0.1) using IEHS 3.4.3
IBM SPSS Data Collection Developer Library 7.0 (DDL 7.0) using IEHS 3.6.2


REMEDIATION:

Fix: IEHS Security Issue Fix
IEHS PMR: P001620 / P001643

VRMF: 7.0-IM-DC7DDL-WIN32_64-IF001
How to acquire fix: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=7.0.0.0&platform=All&function=fixId&fixids=7.0-IM-DC7DDL-WIN32_64-IF001

VRMF: 6.0.1-IM-DC6DDL-WIN32_64-IF001
How to acquire fix: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.1.0&platform=All&function=fixId&fixids=6.0.1-IM-DC6DDL-WIN32_64-IF001

VRMF: 6.0-IM-DC6DDL-WIN32_64-IF001
How to acquire fix: http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=SPSS&product=ibm/Information+Management/SPSS+Data+Collection&release=6.0.0.0&platform=All&function=fixId&fixids=6.0-IM-DC6DDL-WIN32_64-IF001


Vendor fixes
Both issues are fixed by installing the fix pack for IBM® Eclipse Help System (IEHS) 3.4.3 and 3.6.2.


Steps to apply the fix pack


1. Back up the files in your <IEHS> directory. The default directory is "C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help".


2. Download the fix patches for your version for issue P001620 (source code disclosure) and P001643 (XSS in the Search control box, and a performance issue in the banner or welcome page in doc.zip).


3. Extract them to your <IEHS> directory (default "C:\Program Files\Common Files\IBM\SPSS\DataCollection\<Data Collection Version>\Documentation\ibm_help"), overwriting all existing files.


Workaround(s): none – apply the patches above

Mitigation(s): none


REFERENCES:
  • Complete CVSS Guide
  • On-line Calculator V2
  • CVE-2013-0464
  • CVE-2013-0467
  • X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/81060
  • X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/81102



RELATED INFORMATION:

  • IBM Secure Engineering Web Portal
  • IBM Product Security Incident Response Blog


CHANGE HISTORY
May 30, 2013: Originally published.
July 18, 2013: Updated download links and steps to apply fix pack.


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date: 25 September 2022

UID: swg21637954