-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0401
   Security Bulletin: Tivoli Business Service Manager clients affected by
                         vulnerabilities in IBM JRE
                               19 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Business Service Manager
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1493 CVE-2013-1487 CVE-2013-1486 CVE-2013-1485
                   CVE-2013-1484 CVE-2013-1481 CVE-2013-1480 CVE-2013-1478
                   CVE-2013-1475 CVE-2013-1473 CVE-2013-0809 CVE-2013-0450
                   CVE-2013-0446 CVE-2013-0445 CVE-2013-0444 CVE-2013-0442
                   CVE-2013-0441 CVE-2013-0440 CVE-2013-0438 CVE-2013-0437
                   CVE-2013-0434 CVE-2013-0433 CVE-2013-0432 CVE-2013-0431
                   CVE-2013-0429 CVE-2013-0428 CVE-2013-0427 CVE-2013-0426
                   CVE-2013-0425 CVE-2013-0424 CVE-2013-0423 CVE-2013-0419
                   CVE-2013-0409 CVE-2013-0351 CVE-2012-3213 CVE-2012-0419
                   CVE-2012-0409
Reference:         ASB-2013.0034 ASB-2013.0025 ASB-2013.0013 ESB-2013.0362
                   ESB-2013.0361 ESB-2013.0360 ESB-2013.0340 ESB-2013.0338
                   ESB-2013.0337 ESB-2013.0336 ASB-2012.0133

Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21628250
  http://www-01.ibm.com/support/docview.wss?uid=swg24034507

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Business Service Manager clients affected by
vulnerabilities in IBM JRE

Document information

Tivoli Business Service Manager
Software version:    4.2, 4.2.1, 6.1, 6.1.1
Operating system(s): Windows
Reference #:         1628250
Modified date:       2013-03-15

Flash (Alert)

Abstract

These vulnerabilities are only applicable to Java deployments where
untrusted code may be executed under a security manager (e.g. Java applets
running in a web browser).

Content

VULNERABILITY DETAILS:

CVE IDs:
CVE-2012-3213, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,
CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,
CVE-2013-0429, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434,
CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442,
CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0450, CVE-2013-1473,
CVE-2013-1475, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1484,
CVE-2013-1485, CVE-2013-1486, CVE-2013-1487, CVE-2013-0809, CVE-2013-1493

DESCRIPTION:

This bulletin lists the vulnerabilities that affect TBSM and are remediated
in the IBM JRE release containing fixes for the CVEs covered in Oracle's
January 13, February 1 and February 19 (2013) releases. It also covers the
"YAJ0, Yet Another Java Zero-Day vulnerability", which was reported publicly
on February 28, 2013. Details about this issue and its successful
exploitation are available in a blog post published by the reporter,
FireEye Inc:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

The vulnerabilities could occur when the IBM JRE is installed as the system
JRE, such that it may be used to execute untrusted Java applets or Web Start
applications in a browser.
CVSS scores per CVE (the CVSS Environmental Score* is Undefined for every
entry; the Temporal Score for each entry is given in the linked X-Force
Vulnerability Database record):

CVE ID          Base  CVSS Vector                     Temporal Score: See
- -------------  ----  ------------------------------  ----------------------------------------
CVE-2012-3213   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81769
CVE-2013-0351   7.5   (AV:N/AC:L/Au:N/C:P/I:P/A:P)    http://xforce.iss.net/xforce/xfdb/81786
CVE-2013-0409   5     (AV:N/AC:L/Au:N/C:P/I:N/A:N)    http://xforce.iss.net/xforce/xfdb/81793
CVE-2013-0419   7.6   (AV:N/AC:H/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81783
CVE-2013-0423   7.6   (AV:N/AC:H/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81784
CVE-2013-0424   5     (AV:N/AC:L/Au:N/C:N/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/81798
CVE-2013-0425   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81766
CVE-2013-0426   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81767
CVE-2013-0427   5     (AV:N/AC:L/Au:N/C:N/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/81795
CVE-2013-0428   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81768
CVE-2013-0429   7.6   (AV:N/AC:H/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81782
CVE-2013-0431   5     (AV:N/AC:L/Au:N/C:P/I:N/A:N)    http://xforce.iss.net/xforce/xfdb/81794
CVE-2013-0432   6.4   (AV:N/AC:L/Au:N/C:P/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/81788
CVE-2013-0433   5     (AV:N/AC:L/Au:N/C:N/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/81797
CVE-2013-0434   5     (AV:N/AC:L/Au:N/C:P/I:N/A:N)    http://xforce.iss.net/xforce/xfdb/81792
CVE-2013-0437   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81753
CVE-2013-0438   4.3   (AV:N/AC:M/Au:N/C:P/I:N/A:N)    http://xforce.iss.net/xforce/xfdb/81800
CVE-2013-0440   5     (AV:N/AC:L/Au:N/C:N/I:N/A:P)    http://xforce.iss.net/xforce/xfdb/81799
CVE-2013-0441   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81758
CVE-2013-0442   10    (AV:/AC:L/Au:N/C:C/I:C/A:C)     http://xforce.iss.net/xforce/xfdb/81755
CVE-2013-0444   7.6   (AV:N/AC:H/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81781
CVE-2013-0445   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81756
CVE-2013-0446   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81762
CVE-2013-0450   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81764
CVE-2013-1473   5     (AV:N/AC:L/Au:N/C:N/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/81790
CVE-2013-1475   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81759
CVE-2013-1478   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81754
CVE-2013-1480   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81757
CVE-2013-1481   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/81770
CVE-2013-1484   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/82179
CVE-2013-1485   5     (AV:N/AC:L/Au:N/C:N/I:P/A:N)    http://xforce.iss.net/xforce/xfdb/82180
CVE-2013-1486   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/82178
CVE-2013-1487   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/82177
CVE-2013-0809   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/82515
CVE-2013-1493   10    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    http://xforce.iss.net/xforce/xfdb/82514

AFFECTED PRODUCTS AND VERSIONS:

Tivoli Business Service Manager V4.2.0
Tivoli Business Service Manager V4.2.1
Tivoli Business Service Manager V6.1.0
Tivoli Business Service Manager V6.1.1

REMEDIATION:

Fix*                                                      VRMF     APAR     How to acquire fix                                          Availability Date
- -------------------------------------------------------  -------  -------  ----------------------------------------------------------  -----------------
IBM Tivoli Business Service Manager V6.1.1.0 Intr Fix 1   6.1.1.0  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034507  March 15, 2013
IBM Tivoli Business Service Manager V6.1.0.1 Intr Fix 5   6.1.0.1  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034555  April 15, 2013
IBM Tivoli Business Service Manager V4.2.1.3 Intr Fix 7   4.2.1.3  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034554  April 30, 2013
IBM Tivoli Business Service Manager V4.2.0 Intr Fix 10    4.2.0    IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034553  April 30, 2013

Workaround(s): None.
Mitigation(s): None

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-3213 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81769
· CVE-2013-0351 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81786
· CVE-2012-0409 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81793
· CVE-2012-0419 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81783
· CVE-2013-0423 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81784
· CVE-2013-0424 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81798
· CVE-2013-0425 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81766
· CVE-2013-0426 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81767
· CVE-2013-0427 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81795
· CVE-2013-0428 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81768
· CVE-2013-0429 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81782
· CVE-2013-0431 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81794
· CVE-2013-0432 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81788
· CVE-2013-0433 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81797
· CVE-2013-0434 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81792
· CVE-2013-0437 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81753
· CVE-2013-0438 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81800
· CVE-2013-0440 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81799
· CVE-2013-0441 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81758
· CVE-2013-0442 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81755
· CVE-2013-0444 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81781
· CVE-2013-0445 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81756
· CVE-2013-0446 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81762
· CVE-2013-0450 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81764
· CVE-2013-1473 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81790
· CVE-2013-1475 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81759
· CVE-2013-1478 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81754
· CVE-2013-1480 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81757
· CVE-2013-1481 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81770
· CVE-2013-1484 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82179
· CVE-2013-1485 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82180
· CVE-2013-1486 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82178
· CVE-2013-1487 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82177
· CVE-2013-0809 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82515
· CVE-2013-1493 · X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82514

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

None

CHANGE HISTORY

Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product
and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUUevgO4yVqjM2NGpAQK9nA//eFBO1P0ySZrkiPgep464dqDqpk55DSfH
hmyOmIqrfMOs2AQmmpXSp/KT6JJfzcU1ZHjQEj2KjAIu+iBb+GzVwEKBNpd72fPS
1uFduNCESLVdjuOmcP8LLlm+TKD0MqgA0Lo6BPQ3f0j48Fh3iTrjv3YfDHcngknD
DGsR82SgCumQl1f2ua2/5RbpTdGaYUh+nICSv+tDbVvmqRbzeOGeAvmzvRON967k
KaVhD3ecuvStwBNYBnsLYe/N3ZHqcdXFFs3DiVHz1d1Y4Fj3gGDfssQNNMbE1QoN
HJzawS3oubuUG+WMTseOOHNbhw4O/3tngRh6XdFNw/XiT0eyTI9N9HIybaak17XU
YefgIRUWFu+TxKMuHXwVCbGM5CX9PXrgLRNq2LVFLKkJrEjlLoW7246wFU5L+HZz
NiqgUVYn39LS5MsZoL1JR3p4s6zAzAQu+U/SvDxSSu9xAqMkpiaUB2AQ0RvGV8xq
BF8et+YlPdNWCop7sQ4421psYxG44CUGRDl27mHTG47WAE7uq5JfaA9KkzJ8r+QX
sFMY/XkeYJ3iL1gySsRzohhyTmslZjXgs+Km9kcciyNKVhEGgVNViQ4HZzdUb0yJ
okbRZaH8jZoA7hJLJ3xAjgUhPLAxqstE6mWi84LWdaet0WyxDhOfqfOggQpf5e+y
r9a32LykPcU=
=nER9
-----END PGP SIGNATURE-----