IBM Eclipse Help System multiple products open redirect

iehs-multiple-open-redirect (74832) Risk level: Medium

Description:

Multiple IBM products could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the Eclipse Help System. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.

*CVSS:

Base Score: 4.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 3.2
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Other

Remedy:

Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References.

References:

  • IBM APAR JR43170: Integrated Information Core interim fix for APAR JR43170.
  • IBM Security Bulletin 1596690: Open Redirect and Cross-Site Scripting Vulnerabilities in the SPSS Data Collection Developer Library Help System (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1598423: Vulnerabilities in AppScan Source.
  • IBM Security Bulletin 1605839: ClearQuest Help System Open Redirect (CVE-2012-2159).
  • IBM Security Bulletin 1611767: Open Redirect and Cross-Site Scripting Vulnerabilities in Administration Client for ASF Help System.
  • IBM Security Bulletin 1612193: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467).
  • IBM Security Bulletin 1614265: Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.0.1.
  • IBM Security Bulletin 1614444: Open redirect and cross-site scripting vulnerabilities in DB2 QMF for Workstation and DB2 QMF for WebSphere help systems (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1614445: Open redirect and cross-site scripting vulnerabilities in IBM DataQuant for z/OS and IBM DataQuant for Multiplatforms help systems (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1615067: Open redirect and cross-site scripting vulnerabilities in the InfoSphere Streams help system (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1617872: Open Redirect and Cross-Site Scripting Vulnerabilities in the IBM InfoSphere Discovery Information Center (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1619410: Open redirect and cross-site scripting vulnerabilities in RPE help system (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1619693: Open Redirect and Cross-Site Scripting Vulnerabilities in help system for InfoSphere MDM Server, InfoSphere Master Information Hub and InfoSphere MDM Custom Domain Hub (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1623501: Multiple security vulnerabilities in the IBM InfoSphere Information Server Suite.
  • IBM Security Bulletin 1625573: Open redirect and cross-site scripting vulnerabilities in the IBM Data Studio help system (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467).
  • IBM Security Bulletin 1625624: Security Vulnerabilities Addressed in Asset and Service Mgmt.
  • IBM Security Bulletin 1627597: Security vulnerabilities addressed in IBM Domino & IBM Domino Designer 9.0 (CVE-2013-0487, CVE-2012-2161, CVE-2012-2159, CVE-2013-0486, CVE-2012-6277, CVE-2013-0488, CVE-2013-0489).
  • IBM Security Bulletin 1632748: Security Vulnerabilities addressed in IBM Tivoli Netcool Performance Manager (CVE-2012-2159, CVE-2012-2161).
  • IBM Security Bulletin 1635863: Multiple security vulnerabilities in IBM Sales Center for WebSphere Commerce (CVE-2008-7271, CVE-2010-4647, CVE-2012-0186, CVE-2012-0191, CVE-2012-2159, CVE-2012-2161).
  • BID-53859: IBM WebSphere Sensor Events Multiple Input Validation Vulnerabilities.
  • BID-53884: IBM Eclipse Help System Multiple Security Vulnerabilities.
  • BID-54152: IBM Rational Directory Server URI Redirection and Cross Site Scripting Vulnerabilities.
  • CVE-2012-2159: Open redirect vulnerability in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
  • OSVDB 82754: IBM Eclipse Help System Unspecified Arbitrary Site Redirect.
  • SA49438: IBM Eclipse Help System Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA49455: IBM SPSS Data Collection Developer Library Eclipse Help System Vulnerabilities.
  • SA49627: IBM Rational Directory Server Help System Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA49668: IBM Integrated Information Core Multiple Vulnerabilities.
  • SA49959: IBM WebSphere Products Eclipse Help System Vulnerabilities.
  • SA50125: IBM Tivoli Directory Integrator IEHS Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA50729: IBM Installation Manager IEHS Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA50755: Rational Business Developer Multiple Vulnerabilities.
  • SA50784: IBM Rational Change IEHS Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA51053: IBM DataQuant / DB2 QMF IEHS Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA51302: IBM InfoSphere Discovery IEHS Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA52132: IBM Multiple Products Multiple Vulnerabilities.
  • SA52175: IBM Data Studio Help System Multiple Vulnerabilities.
  • SA52754: IBM Lotus Domino Designer Redirection Weakness and Cross-Site Scripting Vulnerability.
  • SA52849: IBM Tivoli Netcool Performance Manager IEHS Two Vulnerabilities.

Platforms Affected:

  • IBM Administration Client for ASF 1.0
  • IBM AppScan Source 7.0
  • IBM AppScan Source 8.0
  • IBM AppScan Source 8.5
  • IBM Change and Configuration Management Database 7.1
  • IBM Change and Configuration Management Database 7.2
  • IBM Data Studio 3.1
  • IBM Data Studio 3.1.1
  • IBM DataQuant 1.2
  • IBM DB2 Information Center 10.1
  • IBM DB2 Information Center 9
  • IBM DB2 Information Center 9.5
  • IBM DB2 Information Center 9.7
  • IBM DB2 Query Management Facility 10.1
  • IBM DB2 Query Management Facility 9.1
  • IBM Eclipse Help System
  • IBM InfoSphere Discovery 4.5.1
  • IBM InfoSphere Information Server 8.1
  • IBM InfoSphere Information Server 8.5
  • IBM InfoSphere Information Server 8.7
  • IBM InfoSphere Master Data Management Custom Domain Hub 10.0
  • IBM InfoSphere Master Data Management Server 10.0
  • IBM InfoSphere Master Data Management Server 8.0.1
  • IBM InfoSphere Master Data Management Server 8.5
  • IBM InfoSphere Master Data Management Server 9.0.1
  • IBM InfoSphere Master Data Management Server 9.0.2
  • IBM InfoSphere Master Information Hub 9.0.1
  • IBM InfoSphere Master Information Hub 9.0.2
  • IBM InfoSphere Streams 2.0
  • IBM Lotus Domino 8.5
  • IBM Lotus Domino 8.5.1
  • IBM Lotus Domino 8.5.2
  • IBM Lotus Domino 8.5.3
  • IBM Maximo Asset Management 6.2
  • IBM Maximo Asset Management 7.1
  • IBM Maximo Asset Management 7.5
  • IBM Maximo Asset Management Essentials 6.2
  • IBM Maximo Asset Management Essentials 7.1
  • IBM Maximo Asset Management Essentials 7.5
  • IBM Maximo Service Desk 6.2
  • IBM Rational ClearQuest 7.1
  • IBM Rational ClearQuest 8.0
  • IBM Rational Publishing Engine 1.1.1.2
  • IBM Rational Publishing Engine 1.1.2
  • IBM Rational Publishing Engine 1.1.2.1
  • IBM Rational Publishing Engine 1.1.2.2
  • IBM Sales Center for WebSphere Commerce 6.0
  • IBM Sales Center for WebSphere Commerce 7.0
  • IBM SmartCloud Control Desk 7.5
  • IBM SPSS Data Collection 6.0
  • IBM Tivoli Asset Management For IT 6.2
  • IBM Tivoli Asset Management For IT 7.1
  • IBM Tivoli Asset Management For IT 7.2
  • IBM Tivoli Netcool Performance Manager 1.3.1
  • IBM Tivoli Netcool Performance Manager 1.3.2
  • IBM Tivoli Service Request Manager 7.1
  • IBM Tivoli Service Request Manager 7.2
  • IBM WebSphere Application Server 8.5

Reported:

Jun 08, 2012

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
