-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0401
        Security Bulletin: Tivoli Business Service Manager clients
                  affected by vulnerabilities in IBM JRE
                               19 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Business Service Manager
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1493 CVE-2013-1487 CVE-2013-1486
                   CVE-2013-1485 CVE-2013-1484 CVE-2013-1481
                   CVE-2013-1480 CVE-2013-1478 CVE-2013-1475
                   CVE-2013-1473 CVE-2013-0809 CVE-2013-0450
                   CVE-2013-0446 CVE-2013-0445 CVE-2013-0444
                   CVE-2013-0442 CVE-2013-0441 CVE-2013-0440
                   CVE-2013-0438 CVE-2013-0437 CVE-2013-0434
                   CVE-2013-0433 CVE-2013-0432 CVE-2013-0431
                   CVE-2013-0429 CVE-2013-0428 CVE-2013-0427
                   CVE-2013-0426 CVE-2013-0425 CVE-2013-0424
                   CVE-2013-0423 CVE-2013-0419 CVE-2013-0409
                   CVE-2013-0351 CVE-2012-3213

Reference:         ASB-2013.0034
                   ASB-2013.0025
                   ASB-2013.0013
                   ESB-2013.0362
                   ESB-2013.0361
                   ESB-2013.0360
                   ESB-2013.0340
                   ESB-2013.0338
                   ESB-2013.0337
                   ESB-2013.0336
                   ASB-2012.0133

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21628250
   http://www-01.ibm.com/support/docview.wss?uid=swg24034507

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Business Service Manager clients affected by 
vulnerabilities in IBM JRE

Document information

Tivoli Business Service Manager

Software version:
4.2, 4.2.1, 6.1, 6.1.1

Operating system(s):
Windows

Reference #:
1628250

Modified date:
2013-03-15

Flash (Alert)

Abstract
These vulnerabilities are only applicable to Java deployments where untrusted
code may be executed under a security manager (e.g. Java applets running in a 
web browser).

Content

VULNERABILITY DETAILS:

CVE IDs: CVE-2012-3213,CVE-2013-0351,CVE-2013-0409,CVE-2013-0419,CVE-2013-0423,
         CVE-2013-0424,CVE-2013-0425,CVE-2013-0426,CVE-2013-0427,CVE-2013-0428,
         CVE-2013-0429,CVE-2013-0431,CVE-2013-0432,CVE-2013-0433,CVE-2013-0434,
         CVE-2013-0437,CVE-2013-0438,CVE-2013-0440,CVE-2013-0441,CVE-2013-0442,
         CVE-2013-0444,CVE-2013-0445,CVE-2013-0446,CVE-2013-0450,CVE-2013-1473,
         CVE-2013-1475,CVE-2013-1478,CVE-2013-1480,CVE-2013-1481,CVE-2013-1484,
         CVE-2013-1485,CVE-2013-1486,CVE-2013-1487,CVE-2013-0809,CVE-2013-1493

DESCRIPTION:
This bulletin lists the vulnerabilities that affect TBSM and are remediated in
the IBM JRE release containing fixes for the CVEs covered in Oracle's January 13,
February 1 and February 19, 2013 releases. It also covers the "YAJ0, Yet
Another Java Zero-Day" vulnerability, which was reported publicly on
February 28, 2013. Details about this issue and its successful exploitation are
available in a blog post published by the reporter, FireEye Inc:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html.

The vulnerabilities could occur when the IBM JRE is installed as the system 
JRE, such that it may be used to execute untrusted Java applets or Web Start 
applications in a browser.

CVEID: CVE-2012-3213
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81769
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0351
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81786
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-0409
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81793
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0419
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81783
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0423
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81784
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0424
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81798
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0425
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81766
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0426
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81767
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0427
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81795
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81768
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0429
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81782
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0431
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81794
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0432
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81788
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-0433
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81797
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0434
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81792
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0437
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81753
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0438
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0440
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-0441
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81758
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0442
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81755
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0444
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81781
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0445
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81756
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0446
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81762
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0450
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81764
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1473
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81790
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-1475
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81759
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1478
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1480
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81757
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1481
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81770
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1484
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82179
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1485
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82180
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-1486
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82178
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1487
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82177
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82515
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1493
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82514
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:

Tivoli Business Service Manager V4.2.0
Tivoli Business Service Manager V4.2.1
Tivoli Business Service Manager V6.1.0
Tivoli Business Service Manager V6.1.1

REMEDIATION:

Fix*                                                      VRMF     APAR     How to acquire fix                                          Availability Date
IBM Tivoli Business Service Manager V6.1.1.0 Intr Fix 1   6.1.1.0  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034507   March 15, 2013
IBM Tivoli Business Service Manager V6.1.0.1 Intr Fix 5   6.1.0.1  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034555   April 15, 2013
IBM Tivoli Business Service Manager V4.2.1.3 Intr Fix 7   4.2.1.3  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034554   April 30, 2013
IBM Tivoli Business Service Manager V4.2.0 Intr Fix 10    4.2.0    IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034553   April 30, 2013


Workaround(s):
None.

Mitigation(s):
None.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-3213
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81769
· CVE-2013-0351
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81786
· CVE-2013-0409
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81793
· CVE-2013-0419
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81783
· CVE-2013-0423
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81784
· CVE-2013-0424
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81798
· CVE-2013-0425
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81766
· CVE-2013-0426
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81767
· CVE-2013-0427
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81795
· CVE-2013-0428
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81768
· CVE-2013-0429
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81782
· CVE-2013-0431
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81794
· CVE-2013-0432
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81788
· CVE-2013-0433
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81797
· CVE-2013-0434
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81792
· CVE-2013-0437
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81753
· CVE-2013-0438
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81800
· CVE-2013-0440
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81799
· CVE-2013-0441
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81758
· CVE-2013-0442
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81755
· CVE-2013-0444
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81781
· CVE-2013-0445
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81756
· CVE-2013-0446
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81762
· CVE-2013-0450
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81764
· CVE-2013-1473
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81790
· CVE-2013-1475
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81759
· CVE-2013-1478
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81754
· CVE-2013-1480
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81757
· CVE-2013-1481
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81770
· CVE-2013-1484
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82179
· CVE-2013-1485
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82180
· CVE-2013-1486
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82178
· CVE-2013-1487
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82177
· CVE-2013-0809
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82515
· CVE-2013-1493
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82514

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.
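The base scores listed under VULNERABILITY DETAILS follow from their vectors by
the CVSS v2 equations, and the footnote above notes that the environmental score
depends on the customer's own deployment. The Python below is an example added
to this bulletin, not part of IBM's or AusCERT's text: it implements the CVSS v2
base, temporal and environmental equations (metric weights as published in the
FIRST CVSS v2 guide), recomputes a representative set of this bulletin's vectors
to confirm they reproduce the printed base scores, and refuses to score a vector
that has lost a metric value (an "AV:" with nothing after it). The temporal and
environmental choices in the usage section (E:H, RL:OF, RC:C, CDP:N, and TD:N
versus TD:H) are assumptions chosen to illustrate the Abstract's point that a
deployment in which no untrusted Java code can run under the JRE scores zero,
while one where every host runs the system JRE in a browser keeps nearly the
full score.

```python
"""CVSS v2 base/temporal/environmental calculator checked against this
bulletin's vectors.  Added example; metric weights are from the FIRST CVSS v2
guide, the temporal/environmental selections under __main__ are assumptions."""
import math

# CVSS v2 metric weights (FIRST CVSS v2 guide).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}   # CR / IR / AR weights


def _round1(x):
    """CVSS v2 rounds half-up to one decimal; Python's round() is half-even."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """'(AV:N/AC:L/Au:N/C:C/I:C/A:C)' -> {'AV': 'N', ...}.
    A metric with a missing value (e.g. 'AV:') raises instead of being scored."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[name] = value
    return metrics


def is_complete(vector):
    """True only if all six base metrics are present with legal values."""
    try:
        m = parse_vector(vector)
    except ValueError:
        return False
    tables = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}
    return all(m.get(k) in t for k, t in tables.items())


def _exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def _score_from(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    return _score_from(impact, _exploitability(m))


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    return _round1(base * E[e] * RL[rl] * RC[rc])


def environmental_score(vector, e="ND", rl="ND", rc="ND",
                        cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """Impact re-weighted by CR/IR/AR (capped at 10), then temporal, then
    scaled by collateral damage potential and target distribution."""
    m = parse_vector(vector)
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[m["C"]] * REQ[cr])
                                      * (1 - CIA[m["I"]] * REQ[ir])
                                      * (1 - CIA[m["A"]] * REQ[ar])))
    adj_base = _score_from(adj_impact, _exploitability(m))
    adj_temporal = temporal_score(adj_base, e, rl, rc)
    return _round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])


# Scores and vectors copied from this bulletin, one CVE per distinct vector.
BULLETIN = {
    "CVE-2012-3213": (10.0, "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"),
    "CVE-2013-0351": (7.5, "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"),
    "CVE-2013-0409": (5.0, "(AV:N/AC:L/Au:N/C:P/I:N/A:N)"),
    "CVE-2013-0419": (7.6, "(AV:N/AC:H/Au:N/C:C/I:C/A:C)"),
    "CVE-2013-0424": (5.0, "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"),
    "CVE-2013-0432": (6.4, "(AV:N/AC:L/Au:N/C:P/I:P/A:N)"),
    "CVE-2013-0438": (4.3, "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"),
    "CVE-2013-0440": (5.0, "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"),
}


def mismatches(entries=BULLETIN):
    """CVEs whose printed base score is not reproduced by their vector, or
    whose vector is incomplete (reported rather than silently scored)."""
    return [cve for cve, (printed, vector) in entries.items()
            if not is_complete(vector) or base_score(vector) != printed]


if __name__ == "__main__":
    print("mismatches:", mismatches())
    v = BULLETIN["CVE-2012-3213"][1]
    # Assumed values: exploit in the wild (E:H), official fix (RL:OF),
    # confirmed (RC:C), no collateral damage (CDP:N); TD:N means no host can
    # run untrusted code under the JRE, TD:H means every host can.
    for td in ("N", "H"):
        print(f"TD:{td} ->", environmental_score(v, e="H", rl="OF", rc="C",
                                                 cdp="N", td=td))
```

Run as a script it prints an empty mismatch list for the vectors above, then
0.0 for TD:N and 8.7 for TD:H, which is why the Abstract's applicability
statement matters more to prioritisation than the uniform base score of 10.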


Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----