-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1147
    Security Bulletin: Potential security vulnerabilities in WebSphere
        Application Server products for the Oracle October 2012 CPU
                              5 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   IBM i
                   i5/OS
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5088 CVE-2012-5087
                   CVE-2012-5086 CVE-2012-5085 CVE-2012-5084
                   CVE-2012-5083 CVE-2012-5082 CVE-2012-5081
                   CVE-2012-5080 CVE-2012-5079 CVE-2012-5078
                   CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
                   CVE-2012-5074 CVE-2012-5073 CVE-2012-5072
                   CVE-2012-5071 CVE-2012-5070 CVE-2012-5069
                   CVE-2012-5068 CVE-2012-5067 CVE-2012-4416
                   CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
                   CVE-2012-1533 CVE-2012-1532 CVE-2012-1531

Reference:         ASB-2012.0144
                   ASB-2012.0143
                   ESB-2012.1090
                   ESB-2012.1004
                   ESB-2012.1003
                   ESB-2012.0999
                   ESB-2012.0998

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21617227

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential security vulnerabilities in WebSphere Application
Server products for the Oracle October 2012 CPU

Flash (Alert)

Document information
WebSphere Application Server

General
Software version:
6.1, 7.0, 8.0, 8.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Software edition:
Base, Developer, Express, Network Deployment

Reference #:
1617227

Modified date:
2012-12-04

Abstract

The IBM WebSphere Application Server is shipped with an IBM Java JDK that is 
based on the Oracle JDK. Oracle has released October 2012 critical patch 
updates (CPU) which contain security vulnerability fixes and the IBM Java JDK
that WebSphere Application Server ships is affected. 

Content

Versions affected:

   * JDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through
   8.5.0.1, Version 8.0.0.0 through 8.0.0.5, Version 7.0.0.0 through 7.0.0.25, 
   Version 6.1.0.0 through 6.1.0.45 
   * This does not occur on JDK versions shipped with WebSphere Application 
   Servers 8.5.0.2, 8.0.0.6, 7.0.0.27 and 6.1.0.47 or later.

Description: 
This Security Bulletin addresses the security vulnerabilities in the IBM JDK 
shipped with WebSphere Application Server that are covered by the Oracle 
October 2012 critical patch updates (CPU). For details on these updates, please
refer to the Reference section of this bulletin.

Solutions: 
Upgrade your JDK to an interim fix level as determined below:

For IBM WebSphere Application Server for distributed operating systems and IBM
WebSphere Application Server Hypervisor Edition:

Download and apply the interim fix APARs below, for your appropriate release:

For V8.5.0.0 through 8.5.0.1:

    Apply Interim Fix PM75382: Will upgrade you to JDK 6 2.6 SR4

--OR--

    Apply Interim Fix PM75383: Will upgrade you to JDK 7 SR3

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix pack 2 
    (8.5.0.2) or later (targeted to be available mid April 2013).

For 8.0.0.0 through 8.0.0.5:

    Apply Interim Fix PM75381: Will upgrade you to JDK 6 2.6 SR4

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix pack 6 
    (8.0.0.6) or later (targeted to be available late April 2013).

For V7.0.0.0 through 7.0.0.25:

    Apply Interim Fix PM75379: Will upgrade you to JDK 6 SR12

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix pack 27 
    (7.0.0.27) or later (targeted to be available late January 2013).

For V6.1.0.0 through 6.1.0.45:

    Apply Interim Fix PM75378: Will upgrade you to JDK 5 SR15

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix pack 47 
    (6.1.0.47) or later (check back for estimated date).
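As an added example (not part of the IBM bulletin or AusCERT's text), the following Python script checks an inventory of WebSphere Application Server fix-pack levels against the affected ranges from the "Versions affected" list and the remediation levels and interim-fix APARs given above; the inventory and host names are constructed, and levels that fall between the last listed affected fix pack and the fixing fix pack are flagged separately rather than assumed safe.

```python
# Added example, not part of the IBM/AusCERT bulletin: triage an inventory of
# WebSphere Application Server fix-pack levels against the affected ranges and
# remediation levels this bulletin lists.
# Per release stream: (first affected, last affected, first fix pack carrying
# the updated JDK, interim-fix APARs), as stated in the bulletin.
STREAMS = [
    ("8.5.0.0", "8.5.0.1", "8.5.0.2", ("PM75382", "PM75383")),
    ("8.0.0.0", "8.0.0.5", "8.0.0.6", ("PM75381",)),
    ("7.0.0.0", "7.0.0.25", "7.0.0.27", ("PM75379",)),
    ("6.1.0.0", "6.1.0.45", "6.1.0.47", ("PM75378",)),
]

def parse_version(text):
    """'7.0.0.25' -> (7, 0, 0, 25); short forms like '7.0' pad to (7, 0, 0, 0).
    Tuples of ints compare numerically, avoiding '7.0.0.25' < '7.0.0.3'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised WAS level: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def assess(level):
    """Classify a level: 'affected' (with remediation), 'fixed', 'gap' (above
    the last listed affected level but below the fixing fix pack; confirm with
    IBM), or 'unlisted' (release stream not covered by this bulletin)."""
    v = parse_version(level)
    for lo, hi, fixed, apars in STREAMS:
        if v[:2] != parse_version(lo)[:2]:
            continue  # different release stream (e.g. 8.5 vs 8.0)
        if v >= parse_version(fixed):
            return {"status": "fixed"}
        if v <= parse_version(hi):
            return {"status": "affected", "fixed_in": fixed, "interim_fixes": apars}
        return {"status": "gap", "fixed_in": fixed}
    return {"status": "unlisted"}

def triage(inventory):
    """Return host -> assessment for every host that is not already 'fixed'."""
    findings = {}
    for host, level in inventory.items():
        result = assess(level)
        if result["status"] != "fixed":
            findings[host] = result
    return findings

if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"app01": "7.0.0.25", "app02": "7.0.0.27", "app03": "8.5.0.1", "app04": "6.1", "app05": "7.0.0.26"}
    for host, finding in triage(sample).items():
        print(host, finding)
```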

For IBM WebSphere Application Server for i5/OS operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere 
Application Server for IBM i.

For Versions 8.5.0.0 through 8.5.0.1:

    Apply all of the PTFs matching one of these Developer Kit for Java options
    and the version of IBM i installed on your system from the chart below.

For Versions 8.0.0.0 through 8.0.0.5:

    Apply all of the PTFs matching one of these Developer Kit for Java options
    and the version of IBM i installed on your system from the chart below.

For Versions 7.0 through 7.0.0.25:

    Apply all of the PTFs matching one of these Developer Kit for Java options
    and the version of IBM i installed on your system from the chart below.

For Versions 6.1 through 6.1.0.45:

    Apply all of the PTFs matching one of these Developer Kit for Java options
    and the version of IBM i installed on your system from the chart below.

Developer Kit for Java PTFs by IBM i release:

V5R4
    Java Developer Kit 5.0 32 bit:    SI48515, SI48514
    Java Developer Kit 5.0 64 bit:    N/A
    Java Developer Kit 6.0 32 bit:    SI48554, SI48559
    Java Developer Kit 6.0 64 bit:    N/A
    Java Developer Kit 6.2.6 32 bit:  N/A
    Java Developer Kit 6.2.6 64 bit:  N/A
    Java Developer Kit 7.0 32 bit:    N/A
    Java Developer Kit 7.0 64 bit:    N/A

IBM i 6.1
    Java Developer Kit 5.0 32 bit:    SI48512, SI48516
    Java Developer Kit 5.0 64 bit:    SI48513, SI48518
    Java Developer Kit 6.0 32 bit:    SI48541, SI48558
    Java Developer Kit 6.0 64 bit:    SI48543, SI48605, SI48621
    Java Developer Kit 6.2.6 32 bit:  TBD*
    Java Developer Kit 6.2.6 64 bit:  TBD*
    Java Developer Kit 7.0 32 bit:    N/A
    Java Developer Kit 7.0 64 bit:    N/A

IBM i 7.1
    Java Developer Kit 5.0 32 bit:    SI48512, SI48516
    Java Developer Kit 5.0 64 bit:    SI48513, SI48518
    Java Developer Kit 6.0 32 bit:    SI48541, SI48558
    Java Developer Kit 6.0 64 bit:    SI48543, SI48605, SI48621
    Java Developer Kit 6.2.6 32 bit:  TBD*
    Java Developer Kit 6.2.6 64 bit:  TBD*
    Java Developer Kit 7.0 32 bit:    TBD*
    Java Developer Kit 7.0 64 bit:    TBD*

TBD - to be determined. The table will be updated with the PTFs as soon as 
they become available.

For WebSphere Application Server for z/OS operating systems:

For V8.5.0.0 through 8.5.0.1:

    Apply Interim Fix PM75382: Will upgrade you to JDK 6 2.6 SR4

--OR--

    Apply Interim Fix PM75383: Will upgrade you to JDK 7 SR3

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix pack 2 
    (8.5.0.2) or later (targeted to be available mid April 2013).

For V8.0.0.0 through 8.0.0.5:

    Apply Interim Fix PM75381: Will upgrade you to JDK 6 2.6 SR4

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix Pack 6 
    (8.0.0.6) or later (targeted to be available late April 2013).

For V7.0.0.0 through 7.0.0.25:

    Open a Problem Management Record (PMR) with IBM WebSphere Application 
    Server support to request ++APARs for PM75379. Please include, in the PMR, 
    your WebSphere Application Server Fix Pack level, as well as any 
    additional ++APARs and Feature Packs that you have installed.

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix Pack 
    7.0.0.27, or later, at APAR/PTF Tables by version for IBM WebSphere 
    Application Server for z/OS (targeted to be available late January 2013).

For V6.1.0.0 through 6.1.0.45:

    Open a Problem Management Record (PMR) with IBM WebSphere Application 
    Server support to request a ++APAR for PM75378. Please include, in the PMR, 
    your WebSphere Application Server Fix Pack level, as well as any 
    additional ++APARs and Feature Packs that you have installed.

--OR--

    Apply Java SDK shipped with WebSphere Application Server Fix Pack 
    6.1.0.47, or later, at APAR/PTF Tables by version for IBM WebSphere 
    Application Server for z/OS (check back for estimated date).

For additional details and information on WebSphere Application Server product
updates:

    For Distributed, see Recommended fixes for WebSphere Application Server. 
    For i5/OS, see WebSphere Application Server for i5/OS. For z/OS, see 
    APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.

Change history

    04 Dec 2012: Original publish date

REFERENCES:

    IBM Security Alerts
    Oracle October 2012 Security Alert
    Oracle Java SE Critical Patch Update Advisory - June 2012
    Oracle Java SE Critical Patch Update Advisory - October 2012
    Java on IBM i
    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================