The IBM DB2 Information Center package gives you local access to DB2 documentation on a local or intranet system. Some scripts in the help system used by the DB2 Information Center are vulnerable to open redirect or cross-site scripting attacks.
This security bulletin only applies to the installed (local or intranet system) DB2 Information Center. If you don't have a DB2 Information Center installed on a local or intranet system, then this security bulletin is not applicable.
CVE(s): CVE-2012-2159, CVE-2012-2161, and CVE-2013-0467
Affected product(s) and affected version(s):
The following locally installed IBM DB2 Information Center editions running on Linux and Windows are affected by this security bulletin:
IBM® DB2® 10.1 Information Center Network package
IBM® DB2® 10.1 Information Center Workstation package
IBM® DB2® 9.7 Information Center Network package
IBM® DB2® 9.7 Information Center Workstation package
IBM® DB2® 9.5 Information Center package
IBM® DB2® 9.5 Information Center non-admin/non-root package
IBM® DB2® 9 Information Center package
IBM® DB2® 9 Information Center non-admin/non-root package
Network version (installable) of the DB2 Information Center
The Workstation version (stand-alone) of the DB2 Information Center
Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21612193
X-Force Database (http://xforce.iss.net/xforce/xfdb/74832)
X-Force Database (http://xforce.iss.net/xforce/xfdb/74833)
X-Force Database (http://xforce.iss.net/xforce/xfdb/81102)