Vulnerabilities have been identified in IBM SPSS Modeler which make the product vulnerable to an incorrect Single Sign On token being accepted on UNIX and to a denial of service attack triggered by malicious XML data.
VULNERABILITY DETAILS:
CVE ID: CVE-2013-6739
DESCRIPTION: Prior to Modeler 16, Single Sign On is supported only on the Windows platform; an issue has been discovered where Modeler Server on UNIX platforms accepts an SSO token and allows the user to connect to the server and run a session.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89855> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CVE ID: CVE-2013-5372
DESCRIPTION: If an attacker makes a victim open a specially crafted XML document, it could be possible to conduct denial of service attacks using IBM SPSS Modeler installed on the victim's system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86662> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2013-5825
DESCRIPTION: If an attacker makes a victim open a specially crafted XML document, it could be possible to conduct denial of service attacks using IBM SPSS Modeler installed on the victim's system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87988> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
ACKNOWLEDGEMENT
None
Versions 14 through 15.0 of IBM SPSS Modeler running on all supported platforms are affected.
Remediation: The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Fix:
For IBM SPSS Modeler:
For version 14.2:
- Apply the Interim Fix
For version 15:
- Apply the Interim Fix
For version 16:
- Apply the Interim Fix
Workaround(s):
None; apply fixes.
Mitigation(s):
Single Sign On configuration requires Modeler Client to authenticate with the IBM SPSS Collaboration and Deployment Services platform during the connection process before it can connect to Modeler Server.