===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0356
  Security Bulletin: Potential security vulnerabilities in Rational Host
            On-Demand products for the Oracle October 2012 CPU
                               11 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Host On-Demand
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5088 CVE-2012-5087 CVE-2012-5086
                   CVE-2012-5085 CVE-2012-5084 CVE-2012-5083 CVE-2012-5081
                   CVE-2012-5079 CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
                   CVE-2012-5074 CVE-2012-5073 CVE-2012-5072 CVE-2012-5071
                   CVE-2012-5070 CVE-2012-5069 CVE-2012-5068 CVE-2012-5067
                   CVE-2012-4416 CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
                   CVE-2012-1533 CVE-2012-1532 CVE-2012-1531
Reference:         ESB-2013.0330
                   ESB-2013.0322
                   ESB-2013.0298
                   ESB-2013.0157
                   ESB-2013.0156
                   ESB-2013.0123
                   ESB-2013.0053
                   ESB-2013.0051
                   ASB-2012.0144
                   ASB-2012.0143

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21625941

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential security vulnerabilities in Rational Host
On-Demand products for the Oracle October 2012 CPU

Document information

Rational Host On-Demand
General Information

Software version:
11.0, 11.0.1.0, 11.0.2.0, 11.0.3.0, 11.0.4.0, 11.0.5.0, 11.0.5.1, 11.0.6,
11.0.6.1

Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Linux iSeries, Linux on System z,
Linux pSeries, OS/400, Solaris, Windows, i5/OS, z/OS

Reference #:
1625941
Modified date:
2013-03-06

Abstract

IBM Rational Host On-Demand provides an IBM JRE that is based on the Oracle
JRE as part of its server package, for clients to download and install on
client machines. The vulnerabilities are exposed when the affected JRE is
installed as the system JRE. Oracle has released its October 2012 Critical
Patch Update (CPU), which contains security vulnerability fixes; the IBM JRE
that Rational Host On-Demand ships is affected.

Content

VULNERABILITY DETAILS

AFFECTED PRODUCTS:
IBM JRE shipped with Host On-Demand 11.0.0.0 through 11.0.6.1.

REMEDIATION:

Fix: Customers should download the Host On-Demand Version 11.0.7 release
from Fix Central and update the existing Host On-Demand installation.

Workaround(s): None

Mitigation(s): None

REFERENCES

IBM Security Alerts: Oracle October 2012 Security Alert
Complete CVSS Guide
On-line Calculator V2 ( http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )

RELATED INFORMATION

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

None

CHANGE HISTORY

6 March 2013: Original publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
References section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."

IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.
Cross reference information

Segment:   Networking
Product:   Rational Host On-Demand
Component: General Information
Platform:  AIX, HP-UX, HP Itanium, i5/OS, Linux, Linux iSeries,
           Linux on System z, Linux pSeries, OS/400, Solaris, Windows, z/OS
Version:   11.0, 11.0.1.0, 11.0.2.0, 11.0.3.0, 11.0.4.0, 11.0.5.0, 11.0.5.1,
           11.0.6, 11.0.6.1
Edition:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================