-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0483
            Potential security vulnerabilities with JavaTM SDKs
                                 5 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   HP-UX
                   Windows
                   SUSE
                   Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1493 CVE-2013-1489 CVE-2013-1487 CVE-2013-1486
                   CVE-2013-1485 CVE-2013-1484 CVE-2013-1481 CVE-2013-1480
                   CVE-2013-1478 CVE-2013-1476 CVE-2013-1475 CVE-2013-1473
                   CVE-2013-0809 CVE-2013-0450 CVE-2013-0449 CVE-2013-0446
                   CVE-2013-0445 CVE-2013-0444 CVE-2013-0443 CVE-2013-0442
                   CVE-2013-0441 CVE-2013-0440 CVE-2013-0438 CVE-2013-0437
                   CVE-2013-0435 CVE-2013-0434 CVE-2013-0433 CVE-2013-0432
                   CVE-2013-0431 CVE-2013-0429 CVE-2013-0428 CVE-2013-0427
                   CVE-2013-0426 CVE-2013-0425 CVE-2013-0424 CVE-2013-0423
                   CVE-2013-0422 CVE-2013-0419 CVE-2013-0409 CVE-2013-0351
                   CVE-2013-0169 CVE-2012-3342 CVE-2012-3213 CVE-2012-3174
                   CVE-2012-1541
Reference:         ASB-2013.0034
                   ASB-2013.0025
                   ASB-2013.0013
                   ASB-2013.0006
                   ESB-2013.0401
                   ESB-2013.0366

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21633170

- --------------------------BEGIN INCLUDED TEXT--------------------

Potential security vulnerabilities with JavaTM SDKs

Flash (Alert)

Software version:    6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7,
                     6.2.8, 7.1, 7.1.1, 7.1.2, 7.2, 7.2.1, 7.5
Operating system(s): Platform Independent
Reference #:         1633170
Modified date:       2013-04-02

Abstract

Security Bulletin: Asset and Service Mgmt Products - Potential security
exposure when using JavaTM based applications due to vulnerabilities in
Java Software Developer Kits. See Vulnerability Details for CVE IDs.

Content

VULNERABILITY DETAILS:

Customers who have Java based applications, such as Maximo Asset Management,
Maximo Asset Management Essentials, Maximo Asset Management for Energy
Optimization, Maximo Industry Solutions (including Maximo for Government,
Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life
Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset
Management for IT, Tivoli Service Request Manager, Maximo Service Desk,
Change and Configuration Management Database, SmartCloud Control Desk,
Intelligent Building Management, or TRIRIGA for Energy Optimization are
potentially impacted by these vulnerabilities, which can cause issues
related to confidentiality, integrity, and availability.

For additional information including the most current description and CVSS
for each vulnerability, please refer to developerWorks JavaTM Technology
Security Alerts.
CVE-2012-1541
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81761
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability, related to Deployment

CVE-2012-3174
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81200
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors

CVE-2012-3213
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81769
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting

CVE-2012-3342
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78334
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability, related to Deployment

CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74380
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets

CVE-2013-0351
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81786
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVE-2013-0409
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81793
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX

CVE-2013-0419
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81783
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVE-2013-0422
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81117
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code by (1) using public methods to obtain a reference to a private object, then retrieving arbitrary Class references, and (2) using the Reflection API with recursion in a way that bypasses a security check

CVE-2013-0423
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81784
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVE-2013-0424
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81798
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via vectors related to RMI

CVE-2013-0425
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81766
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries

CVE-2013-0426
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81767
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries

CVE-2013-0427
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81795
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries

CVE-2013-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81768
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries

CVE-2013-0429
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81782
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via vectors related to CORBA

CVE-2013-0431
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81794
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE component allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX

CVE-2013-0432
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81788
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality and integrity via vectors related to AWT

CVE-2013-0433
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81797
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Networking

CVE-2013-0434
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81792
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via vectors related to JAXP

CVE-2013-0435
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81791
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via vectors related to JAX-WS

CVE-2013-0437
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81753
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D

CVE-2013-0438
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via unknown vectors related to Deployment

CVE-2013-0440
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Unspecified vulnerability in the JRE component allows remote attackers to affect availability via vectors related to JSSE

CVE-2013-0441
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81758
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA

CVE-2013-0442
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81755
CVSS Environmental Score*: Undefined
CVSS Vector: AV:/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT

CVE-2013-0443
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality and integrity via vectors related to JSSE

CVE-2013-0444
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81781
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans

CVE-2013-0445
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81756
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT

CVE-2013-0446
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81762
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVE-2013-0449
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81789
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via unknown vectors related to Deployment

CVE-2013-0450
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81764
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX

CVE-2013-0809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82515
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code via unknown vectors

CVE-2013-1473
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81790
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Deployment

CVE-2013-1475
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81759
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA

CVE-2013-1476
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81760
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA

CVE-2013-1478
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability, related to JMX

CVE-2013-1480
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81757
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D

CVE-2013-1481
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81770
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound

CVE-2013-1484
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82179
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries

CVE-2013-1485
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82180
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Libraries

CVE-2013-1486
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82178
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX

CVE-2013-1487
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82177
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVE-2013-1489
CVSS Base Score: 0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81802
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:N
Unspecified vulnerability in the JRE component allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user

CVE-2013-1493
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82514
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
The color management (CMM) functionality in the 2D component allows remote attackers to execute arbitrary code or cause a denial of service via an image with crafted raster parameters, which triggers an out-of-bounds read or memory corruption in the JVM

The developerWorks JavaTM Technology Security Alerts page includes a link to Oracle's February 2013 Critical Patch Update and March 2013 Security Alert.
VERSIONS AFFECTED:

The following Oracle Java versions, which are not IBM products, are affected:

   Java SE JDK and JRE Version 7 Update 7 and earlier***
   Java SE JDK and JRE Version 6 Update 35 and earlier
   Java SE JDK and JRE Version 5 Update 36 and earlier
   Java SE JDK and JRE Version 1.4.2_38 and earlier

The following IBM Java versions are affected:

   IBM SDK Java Technology Edition Version 7***
   IBM SDK Java Technology Edition Version 6
   IBM SDK Java Technology Edition Version 5
   IBM SDK Java Technology Edition Version 1.4.2

IBM supplied the Java Runtime Environment (JRE) from the IBM SDK Java
Technology Edition Versions with the following:

The 6.x versions of Maximo Asset Management, Maximo for Government, Maximo
for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences,
Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset Management for
IT, and Maximo Service Desk bundled the JRE from IBM SDK Java Technology
Edition Version 1.4.2.

The 7.1.x versions of Maximo Asset Management, Maximo Asset Management
Essentials, Maximo Asset Management for Energy Optimization, Maximo for
Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for
Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset
Management for IT, Tivoli Service Request Manager, and Tivoli Change and
Configuration Management Database bundled the JRE from IBM SDK Java
Technology Edition Version 5.

The 7.2.x versions of Tivoli Asset Management for IT, Tivoli Service Request
Manager, and Tivoli Change and Configuration Management Database bundled the
JRE from IBM SDK Java Technology Edition Version 5.

The 7.5.x versions of Maximo Asset Management, Maximo Asset Management
Essentials, Maximo for Nuclear Power, Maximo for Transportation, Maximo for
Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, and SmartCloud
Control Desk bundled the JRE from IBM SDK Java Technology Edition Version 6.
Intelligent Building Management 1.1.x and TRIRIGA for Energy Optimization
1.2.x bundled the JRE from IBM SDK Java Technology Edition Version 6.

It is likely that earlier versions of affected products are also affected by
these vulnerabilities. Remediation is not provided for product versions that
are no longer supported. IBM recommends that customers upgrade to the latest
supported version of products in order to obtain remediation for the
vulnerabilities.

***Please note that the versions of the IBM products listed above do not
bundle JRE Version 7 or IBM SDK Java Technology Edition Version 7; however,
JRE Version 7 and IBM SDK Java Technology Edition Version 7 are listed here
because JRE Version 7 is relatively prevalent on the browser and therefore
can potentially impact access to these IBM product versions.

REMEDIATION:

Fix:

There are two areas where the vulnerabilities in the Java SDK/JDK or JRE may
require remediation:

1. Application Server - Update the Websphere Application Server. Refer to
   JDK Fixes for Websphere Application Server for additional information on
   updating and maintaining the JDK component within Websphere. Customers
   with Oracle Weblogic Server, which is not an IBM product and is not
   shipped by IBM, will also want to update their server.

2. Browser Client - Update the Java plug-in used by the browser on client
   systems, using the remediated JRE version referenced on developerWorks
   JavaTM Technology Security Alerts or referenced on Oracle's latest
   Critical Patch Update (which can be accessed via developerWorks JavaTM
   Technology Security Alerts).

Updating the browser Java plug-in may impact some applets such as Maximo
Asset Management Scheduler. Download from IBM FixCentral the latest Maximo
Asset Management Scheduler Interim Fix for Version 7.1 or the latest Maximo
Asset Management Fix Pack for Version 7.5, which includes the resolution for
APAR IV11560.
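Turning the version lists above into an inventory check, as an added example that is not part of the IBM bulletin or of any IBM tool: the script below parses the first line of `java -version` output from application servers and browser-client hosts and applies the bulletin's thresholds for Oracle Java SE (7 Update 7, 6 Update 35, 5 Update 36 and 1.4.2_38 and earlier are affected). For IBM SDK builds the bulletin names the affected families (7, 6, 5 and 1.4.2) but no fixed service refresh level, so those are returned as "review" rather than judged. The host names and version strings are constructed for the example.

```python
import re

# Affected Oracle Java SE levels as stated in the bulletin: the listed update
# and every earlier one is affected.  Keys follow the "java version" string
# family ("1.7" for Java SE 7; "1.4.2" keeps its third digit).
AFFECTED_UP_TO = {
    "1.7": 7,     # Java SE 7 Update 7 and earlier
    "1.6": 35,    # Java SE 6 Update 35 and earlier
    "1.5": 36,    # Java SE 5 Update 36 and earlier
    "1.4.2": 38,  # Java SE 1.4.2_38 and earlier
}

# IBM SDK families the bulletin lists as affected.  It gives no fixed service
# refresh level, so these are flagged for follow-up rather than judged here.
IBM_AFFECTED_FAMILIES = {"1.7", "1.6", "1.5", "1.4.2"}

# First line of `java -version`, e.g. java version "1.6.0_35"; the update
# suffix is optional because some builds print only "1.6.0".
VERSION_RE = re.compile(r'java version "(\d+\.\d+(?:\.\d+)?)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update, is_ibm) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    version, update = m.group(1), m.group(2)
    family = "1.4.2" if version.startswith("1.4.2") else ".".join(version.split(".")[:2])
    return family, int(update) if update is not None else 0, "IBM" in output


def assess(output):
    """Classify one `java -version` output against the bulletin's version lists.

    Returns "affected", "not-affected", "review" (IBM SDK family named by the
    bulletin, fix level not stated) or "unknown" (not covered by the bulletin).
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update, is_ibm = parsed
    if is_ibm:
        return "review" if family in IBM_AFFECTED_FAMILIES else "unknown"
    if family not in AFFECTED_UP_TO:
        return "unknown"
    return "affected" if update <= AFFECTED_UP_TO[family] else "not-affected"


def audit(outputs):
    """Map host name -> classification for a dict of captured `java -version` outputs."""
    return {host: assess(text) for host, text in outputs.items()}


# Constructed sample outputs (hypothetical hosts): first lines in the format
# the Oracle and IBM runtimes print.
SAMPLE_OUTPUTS = {
    "app-server-1": 'java version "1.6.0_35"\n',
    "app-server-2": 'java version "1.6.0_37"\n',
    "client-pc-1":  'java version "1.7.0_07"\n',
    "client-pc-2":  'java version "1.7.0_17"\n',
    "legacy-box":   'java version "1.4.2_38"\n',
    "ibm-was-node": 'java version "1.5.0"\nJava(TM) 2 Runtime Environment (build constructed)\nIBM J9 VM\n',
    "newer-host":   'java version "1.8.0_45"\n',
    "no-java":      'sh: java: command not found\n',
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host:14} {status}")
```

The "unknown" result is deliberate for anything the bulletin does not list (a newer family, or no Java at all): the script reports only what this bulletin supports and leaves later releases to their own advisories.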
Due to the threat posed by a successful attack, IBM strongly recommends that
customers apply fixes as soon as possible.

Workaround:

Until you apply the fixes, it may be possible to reduce the risk of
successful attack by restricting network protocols required by an attack.
For attacks that require certain privileges or access to certain packages,
removing the privileges or the ability to access the packages from
unprivileged users may help reduce the risk of successful attack. Both
approaches may break application functionality, so IBM strongly recommends
that customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the underlying
problem.

Mitigation: None Known

REFERENCES:

Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database

CVE-2012-1541 - http://xforce.iss.net/xforce/xfdb/81761
CVE-2012-3174 - http://xforce.iss.net/xforce/xfdb/81200
CVE-2012-3213 - http://xforce.iss.net/xforce/xfdb/81769
CVE-2012-3342 - http://xforce.iss.net/xforce/xfdb/78334
CVE-2013-0169 - http://xforce.iss.net/xforce/xfdb/74380
CVE-2013-0351 - http://xforce.iss.net/xforce/xfdb/81786
CVE-2013-0409 - http://xforce.iss.net/xforce/xfdb/81793
CVE-2013-0419 - http://xforce.iss.net/xforce/xfdb/81783
CVE-2013-0422 - http://xforce.iss.net/xforce/xfdb/81117
CVE-2013-0423 - http://xforce.iss.net/xforce/xfdb/81784
CVE-2013-0424 - http://xforce.iss.net/xforce/xfdb/81798
CVE-2013-0425 - http://xforce.iss.net/xforce/xfdb/81766
CVE-2013-0426 - http://xforce.iss.net/xforce/xfdb/81767
CVE-2013-0427 - http://xforce.iss.net/xforce/xfdb/81795
CVE-2013-0428 - http://xforce.iss.net/xforce/xfdb/81768
CVE-2013-0429 - http://xforce.iss.net/xforce/xfdb/81782
CVE-2013-0431 - http://xforce.iss.net/xforce/xfdb/81794
CVE-2013-0432 - http://xforce.iss.net/xforce/xfdb/81788
CVE-2013-0433 - http://xforce.iss.net/xforce/xfdb/81797
CVE-2013-0434 - http://xforce.iss.net/xforce/xfdb/81792
CVE-2013-0435 - http://xforce.iss.net/xforce/xfdb/81791
CVE-2013-0437 - http://xforce.iss.net/xforce/xfdb/81753
CVE-2013-0438 - http://xforce.iss.net/xforce/xfdb/81800
CVE-2013-0440 - http://xforce.iss.net/xforce/xfdb/81799
CVE-2013-0441 - http://xforce.iss.net/xforce/xfdb/81758
CVE-2013-0442 - http://xforce.iss.net/xforce/xfdb/81755
CVE-2013-0443 - http://xforce.iss.net/xforce/xfdb/81801
CVE-2013-0444 - http://xforce.iss.net/xforce/xfdb/81781
CVE-2013-0445 - http://xforce.iss.net/xforce/xfdb/81756
CVE-2013-0446 - http://xforce.iss.net/xforce/xfdb/81762
CVE-2013-0449 - http://xforce.iss.net/xforce/xfdb/81789
CVE-2013-0450 - http://xforce.iss.net/xforce/xfdb/81764
CVE-2013-0809 - http://xforce.iss.net/xforce/xfdb/82515
CVE-2013-1473 - http://xforce.iss.net/xforce/xfdb/81790
CVE-2013-1475 - http://xforce.iss.net/xforce/xfdb/81759
CVE-2013-1476 - http://xforce.iss.net/xforce/xfdb/81760
CVE-2013-1478 - http://xforce.iss.net/xforce/xfdb/81754
CVE-2013-1480 - http://xforce.iss.net/xforce/xfdb/81757
CVE-2013-1481 - http://xforce.iss.net/xforce/xfdb/81770
CVE-2013-1484 - http://xforce.iss.net/xforce/xfdb/82179
CVE-2013-1485 - http://xforce.iss.net/xforce/xfdb/82180
CVE-2013-1486 - http://xforce.iss.net/xforce/xfdb/82178
CVE-2013-1487 - http://xforce.iss.net/xforce/xfdb/82177
CVE-2013-1489 - http://xforce.iss.net/xforce/xfdb/81802
CVE-2013-1493 - http://xforce.iss.net/xforce/xfdb/82514

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open
standard designed to convey vulnerability severity and help to determine
urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

Change History

2 Apr 2013    Flash published

CROSS REFERENCE INFORMATION:

Segment                       Product                                          Component/Platform        Version
----------------------------  -----------------------------------------------  ------------------------  ---------------------------------------------------
Systems and Asset Management  Maximo Asset Management                          All                       6.2.0 - 6.2.8; 7.1.1.0 - 7.1.1.10; 7.5.0.0 - 7.5.0.3
Systems and Asset Management  Maximo Asset Management Essentials               All                       7.1.1.0 - 7.1.1.10; 7.5.0.0 - 7.5.0.3
Systems and Asset Management  Maximo Asset Management for Energy Optimization  All                       7.1.0.0 - 7.1.1.0
Systems and Asset Management  Maximo for Government                            All                       6.1.0.0; 7.1.0.0
Systems and Asset Management  Maximo for Nuclear Power                         All                       6.3.0; 7.1.0.0 - 7.1.1.0; 7.5.0.0 - 7.5.1.0
Systems and Asset Management  Maximo for Transportation                        All                       6.3.0; 7.1.0.0 - 7.1.1.0; 7.5.0.0
Systems and Asset Management  Maximo for Life Sciences                         All                       6.4.0 - 6.5.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0
Systems and Asset Management  Maximo for Oil and Gas                           All                       6.3.0 - 6.4.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0 - 7.5.1.0
Systems and Asset Management  Maximo for Utilities                             All                       6.3.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0
Systems and Asset Management  Tivoli Service Request Manager                   All; Maximo Service Desk  7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.1.3; 6.2.0 - 6.2.8
Systems and Asset Management  Tivoli Asset Management for IT                   All                       6.2.0 - 6.2.8; 7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.2.1
Systems and Asset Management  Change and Configuration Management Database     All                       7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.1.2
Systems and Asset Management  Intelligent Building Management                  All                       1.1.0.0
Systems and Asset Management  TRIRIGA for Energy Optimization                  All                       1.2.0.0
Systems and Asset Management  SmartCloud Control Desk                          All                       7.5.0.0 - 7.5.1.0

Cross reference information

Segment                       Product
----------------------------  ---------------------------------------------------
Systems and Asset Management  IBM Maximo Asset Management Essentials
Systems and Asset Management  IBM Maximo Asset Management for Energy Optimization
Systems and Asset Management  IBM Maximo for Government
Systems and Asset Management  IBM Maximo for Nuclear Power
Systems and Asset Management  IBM Maximo for Transportation
Systems and Asset Management  IBM Maximo for Life Sciences
Systems and Asset Management  IBM Maximo for Oil and Gas
Systems and Asset Management  IBM Maximo for Utilities
Systems and Asset Management  Tivoli Service Request Manager
Systems and Asset Management  Tivoli Asset Management for IT
Systems and Asset Management  Tivoli Change and Configuration Management Database
Systems and Asset Management  IBM SmartCloud Control Desk
Systems and Asset Management  IBM TRIRIGA Energy Optimization

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUV5vhu4yVqjM2NGpAQKakxAAthc/J8UMZs2+3DXm3PayLlmo+QlC7NJi
617z+yQfBtFEWDBaKGn2DBMrjpWolfoo5NVXVF4eraZVr1DG+MjNHBLFAwZM2uWM
MDxh+BIL+PQzn420xXVE/SyBuMcv8jq2mQwy19fTSeNr5SsnrmgRKs190svVvnTD
yCzQjxzBd2fiduy5h+MJUoDoAeVm7Dbl4dJipytnMiS2Hj5HHnGySRPrZePG5E5/
gTX+srpoiR3kPzEJdXWphetJ/+elv8Cx+p4g2QC5R2DCTjyeSQMxZ/fEBn7VOXKH
dXthqdLdfpEFQpb20+ewYFBI0vIE2atyM/WNz9HCYPDaEI9205FgmmH+QUhUxCYr
hf7lTHMyX4crUecprreF2BJg01YGcZkhUiTBe4QSlp7D0abw5zykwuehMrVu2+gH
cPKQbgWbdj9k6rAfU0ub0TPrrRlFo3tElz92V1fDJvsILOKMRFKGowrGTo9kTHAM
jqwFJfEnPNf4g7PEziS+uNhJnfPdTzNIEbjVQr+ELIZZ/xdJPPcFxn6wh5vUM5da
okkk7SboByo3yWrQvm8FI0xadCIDvksNMaJxYgCHvVj9jgQf4Ia9C7P6dc88XMfs
grS9QigcXdn18FFLZf6aNXHnmIfwyu4HW5UeZmv0pDC41AAMvZjgLO7EKMUt0kHJ
Fj0mdlaN4Ek=
=3b0R
-----END PGP SIGNATURE-----