-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0051
  Security Bulletin: IBM Tivoli Federated Identity Manager can be affected
     by a vulnerability in IBM Java Runtime Environment (CVE-2012-5081)
                               9 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Federated Identity Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5081
Reference:         ESB-2013.0021
                   ASB-2012.0144
                   ASB-2012.0143
                   ESB-2012.1187
                   ESB-2012.1168
                   ESB-2012.1147
                   ESB-2012.1107
                   ESB-2012.1090
                   ESB-2012.1004
                   ESB-2012.1003
                   ESB-2012.0999
                   ESB-2012.0998

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21621886

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Tivoli Federated Identity Manager can be affected by a
vulnerability in IBM Java Runtime Environment (CVE-2012-5081)

Flash (Alert)

Document information

Tivoli Federated Identity Manager
Software version: 6.0, 6.1, 6.1.1, 6.2, 6.2.1, 6.2.2
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1621886
Modified date: 2013-01-08

Abstract

The implementation of TLS in the IBM Java JDK may not check the TLS vector
length as set out in the Internet Engineering Task Force Request For Comments
(RFC) 5246. The fix enhances the checking for the vector length.

Content

VULNERABILITY DETAILS:

DESCRIPTION: The JDK's TLS implementation may not check the TLS vector length
as set out in the latest RFC 5246. This issue is exploitable on server
deployments that use JSSE.
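The bulletin says the fix "enhances the checking for the vector length". The following is an added illustration, not IBM's or the JDK's code, of what a vector-length check in an RFC 5246 parser looks like: every TLS vector is a length prefix followed by a body, and a parser must verify the declared length against the vector's `<floor..ceiling>` bounds, against the bytes actually remaining, and against the element size before it reads the body. The ClientHello field bounds are taken from RFC 5246 sections 4.3 and 7.4.1.2; the sample byte strings and all function names are constructed for this example.

```python
"""Bounds-checked parsing of RFC 5246 variable-length vectors.

Hypothetical example (not IBM's or the JDK's code).  Each TLS vector is a
length prefix followed by its body; the prefix is as many bytes as are needed
to hold the vector's declared ceiling (RFC 5246 section 4.3).  A parser must
check that the declared length (a) lies within <floor..ceiling>, (b) fits in
the bytes that remain, and (c) is a multiple of the element size.  Skipping
these checks is what lets a malformed handshake message drive the server into
an unexpected exception, i.e. the availability impact the bulletin describes.
"""
import struct


class TLSVectorError(ValueError):
    """Raised for any vector whose declared length violates its bounds."""


def _prefix_width(ceiling: int) -> int:
    # RFC 5246 4.3: the length field uses as many bytes as the ceiling needs.
    return (ceiling.bit_length() + 7) // 8


def read_vector(buf: bytes, pos: int, floor: int, ceiling: int,
                elem_size: int = 1):
    """Parse one variable-length vector starting at buf[pos].

    Returns (body, new_pos).  Raises TLSVectorError instead of IndexError,
    and never reads past the end of buf.
    """
    width = _prefix_width(ceiling)
    if pos + width > len(buf):
        raise TLSVectorError("truncated before length prefix")
    length = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if not floor <= length <= ceiling:
        raise TLSVectorError(
            f"vector length {length} outside <{floor}..{ceiling}>")
    if length % elem_size:
        raise TLSVectorError(
            f"vector length {length} not a multiple of {elem_size}")
    if pos + length > len(buf):
        raise TLSVectorError(
            f"vector claims {length} bytes but only {len(buf) - pos} remain")
    return buf[pos:pos + length], pos + length


def parse_client_hello_tail(buf: bytes) -> dict:
    """Parse the three vectors that follow client_version and random in a
    ClientHello body (RFC 5246 7.4.1.2).  The bounds are the RFC's own."""
    pos = 0
    session_id, pos = read_vector(buf, pos, 0, 32)                   # <0..32>
    cipher_suites, pos = read_vector(buf, pos, 2, 2**16 - 2, elem_size=2)
    compression, pos = read_vector(buf, pos, 1, 2**8 - 1)            # <1..2^8-1>
    return {
        "session_id": session_id,
        "cipher_suites": [struct.unpack("!H", cipher_suites[i:i + 2])[0]
                          for i in range(0, len(cipher_suites), 2)],
        "compression_methods": list(compression),
        "consumed": pos,
    }


# Constructed sample: empty session_id, two cipher suites, null compression.
GOOD = bytes([0x00,                    # session_id length 0
              0x00, 0x04,              # cipher_suites length 4
              0x00, 0x2F, 0x00, 0x35,  # TLS_RSA_WITH_AES_128/256_CBC_SHA
              0x01, 0x00])             # compression_methods: [null]

# Constructed malformed samples that a strict parser must reject cleanly.
BAD_OVERSIZED_SESSION = bytes([0x21]) + b"\x00" * 33 + GOOD[1:]  # 33 > 32
BAD_TRUNCATED = GOOD[:5]          # cipher_suites claims 4 bytes, 2 present
BAD_ODD_SUITES = bytes([0x00, 0x00, 0x03, 0x00, 0x2F, 0x00, 0x01, 0x00])


def check(buf: bytes) -> str:
    """Return 'ok' or the rejection reason; never raises on malformed input."""
    try:
        parse_client_hello_tail(buf)
        return "ok"
    except TLSVectorError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, sample in [("good", GOOD),
                         ("oversized session_id", BAD_OVERSIZED_SESSION),
                         ("truncated", BAD_TRUNCATED),
                         ("odd cipher_suites", BAD_ODD_SUITES)]:
        print(f"{name:22s} {check(sample)}")
```

The three rejections are the cases a length check has to cover: a length above the ceiling, a length that overruns the buffer, and a length that is not a whole number of elements. A server-side parser that converts each into a controlled handshake failure, rather than an uncaught exception, removes the availability impact described above.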
Under certain conditions, IBM Tivoli Federated Identity Manager uses Java
Secure Socket Extensions (JSSE) to establish a Secure Socket Layer (SSL)
connection. The vulnerability could occur when the SSL connection is enabled.
The only solution is to upgrade the JDK.

The attack does not require local network access nor does it require
authentication, but some degree of specialized knowledge and techniques are
required. An exploit would not impact the confidentiality of information or
the integrity of data, but the availability of the system could be
compromised.

CVEID: CVE-2012-5081

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:

Tivoli Federated Identity Manager versions 6.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1,
6.2.2
Tivoli Federated Identity Manager Business Gateway versions 6.1.1, 6.2.0,
6.2.1, 6.2.2

REMEDIATION:

The remediation depends on the version of WebSphere you are using. There are
two alternatives.

Alternative 1) If you are using the eWAS bundled with Tivoli Federated
Identity Manager (this was only available for FIM versions 6.1.1 or higher),
you will need to apply the patch for IBM Java 5 SR 15.
This is available at the following link:
http://www-01.ibm.com/support/docview.wss?uid=swg24033932

Alternative 2) If you are using a separate WebSphere installation instead of
the eWAS bundled with Tivoli Federated Identity Manager, please see the
following advisory to determine how to patch your WebSphere version:
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21617227&loc=en_US&cs=utf-8

Workaround(s): None

Mitigation(s): None

REFERENCES:

Complete CVSS Guide
On-line Calculator V2
CVE-2012-5081
http://xforce.iss.net/xforce/xfdb/79435

RELATED INFORMATION:

IBM Secure Engineering Web Portal

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUO0STe4yVqjM2NGpAQKfJBAAiBvZQgsByuUJubWWE9rJGABgTr4Knmwa
ccBdcls60g6wBz6vGvY78bdmqtzjlG9czYOIDPNA6OXtlROcdVZRKPBc6T97Z1/l
LAo/RE4/H+bYaLkgZoRIu5R7MYKI/qzrqPzV5rwWq8FV663YmWe0eMe3NPPcs5xL
fMzVrz5RXJI8AFx8pyqSCwuUOvYhG2ddRyi+FmkSExcjkg7fpsZHp1h2DyISXbNG
xYN8uZJyZAed9auePVUeDlKIdyv51Rt08x8JglIJxfzc1joCbTiVdxh/SeQogwv6
lxFwDHK6Da070jh9dk3C8JhOXD/AOnPUS7uIphgdD6QlJxhzz+eXgCuxEhFCZ4Cj
iW95nqFXD529JJfIuwiudN2q6FzylI3s19S/gUprnpiik03D2YI9lhFFmZWTHE5Z
pPKkbpqeBjmqI+aAHXJpMb4SJgJAaTkLsI8OJ347Fci0I/Ot863i9cYzenYW9oB2
GgzEStA2vN46Obt1aYgM9Rgnq5PNhhB+xkLFFbYZevJhH4BXs3z1ecru/jKi7I1E
oGMt8OoeFqdCRojhkXBnWvuktvYiu8VI/2eLmq+qat+ncqcK8vHKcISe5knkYhXX
q3IP26SU7YK+UNHZ/52BOgAyS9QPEEhBnjTfrUWTXO1BkI5Z0yPa0cCj9RMUXWBH
HEPkAptbt3w=
=ZUCz
-----END PGP SIGNATURE-----