===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0483
            Potential security vulnerabilities with JavaTM SDKs
                               5 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   HP-UX
                   Windows
                   SUSE
                   Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1493 CVE-2013-1489 CVE-2013-1487
                   CVE-2013-1486 CVE-2013-1485 CVE-2013-1484
                   CVE-2013-1481 CVE-2013-1480 CVE-2013-1478
                   CVE-2013-1476 CVE-2013-1475 CVE-2013-1473
                   CVE-2013-0809 CVE-2013-0450 CVE-2013-0449
                   CVE-2013-0446 CVE-2013-0445 CVE-2013-0444
                   CVE-2013-0443 CVE-2013-0442 CVE-2013-0441
                   CVE-2013-0440 CVE-2013-0438 CVE-2013-0437
                   CVE-2013-0435 CVE-2013-0434 CVE-2013-0433
                   CVE-2013-0432 CVE-2013-0431 CVE-2013-0429
                   CVE-2013-0428 CVE-2013-0427 CVE-2013-0426
                   CVE-2013-0425 CVE-2013-0424 CVE-2013-0423
                   CVE-2013-0422 CVE-2013-0419 CVE-2013-0409
                   CVE-2013-0351 CVE-2013-0169 CVE-2012-3342
                   CVE-2012-3213 CVE-2012-3174 CVE-2012-1541

Reference:         ASB-2013.0034
                   ASB-2013.0025
                   ASB-2013.0013
                   ASB-2013.0006
                   ESB-2013.0401
                   ESB-2013.0366

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21633170

--------------------------BEGIN INCLUDED TEXT--------------------

Potential security vulnerabilities with JavaTM SDKs

Flash (Alert)

Software version:
6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1,
7.1.2, 7.2, 7.2.1, 7.5

Operating system(s):
Platform Independent

Reference #:
1633170

Modified date:
2013-04-02

Abstract

Security Bulletin: Asset and Service Mgmt Products - Potential security
exposure when using JavaTM based applications due to vulnerabilities in
Java Software Developer Kits. See Vulnerability Details for CVE IDs.

Content

VULNERABILITY DETAILS:

Customers who have Java based applications, such as Maximo Asset Management,
Maximo Asset Management Essentials, Maximo Asset Management for Energy
Optimization, Maximo Industry Solutions (including Maximo for Government,
Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life
Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset
Management for IT, Tivoli Service Request Manager, Maximo Service Desk,
Change and Configuration Management Database, SmartCloud Control Desk,
Intelligent Building Management, or TRIRIGA for Energy Optimization are
potentially impacted by these vulnerabilities, which can cause issues related
to confidentiality, integrity, and availability. For additional information
including the most current description and CVSS for each vulnerability,
please refer to developerWorks JavaTM Technology Security Alerts.


CVE-2012-1541
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81761
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability, related to Deployment


CVE-2012-3174
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81200
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors


CVE-2012-3213
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81769
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Scripting


CVE-2012-3342
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78334
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability, related to Deployment


CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74380
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers
to conduct distinguishing attacks and plaintext-recovery attacks via
statistical analysis of timing data for crafted packets


CVE-2013-0351
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81786
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Deployment


CVE-2013-0409
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81793
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE allows remote attackers to affect
confidentiality, integrity, and availability via vectors related to JMX


CVE-2013-0419
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81783
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Deployment


CVE-2013-0422
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81117
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
execute arbitrary code by (1) using public methods to obtain a reference to
a private object, then retrieving arbitrary Class references, and (2) using
the Reflection API with recursion in a way that bypasses a security check


CVE-2013-0423
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81784
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Deployment


CVE-2013-0424
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81798
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect integrity via vectors related to RMI


CVE-2013-0425
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81766
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Libraries


CVE-2013-0426
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81767
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Libraries


CVE-2013-0427
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81795
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Libraries


CVE-2013-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81768
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Libraries


CVE-2013-0429
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81782
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers
to affect confidentiality via vectors related to CORBA


CVE-2013-0431
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81794
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE component allows user-assisted remote
attackers to bypass the Java security sandbox via unspecified vectors
related to JMX


CVE-2013-0432
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81788
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality and integrity via vectors related to AWT


CVE-2013-0433
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81797
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect integrity via unknown vectors related to Networking


CVE-2013-0434
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81792
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality via vectors related to JAXP


CVE-2013-0435
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81791
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality via vectors related to JAX-WS


CVE-2013-0437
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81753
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to 2D


CVE-2013-0438
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality via unknown vectors related to Deployment


CVE-2013-0440
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Unspecified vulnerability in the JRE component allows remote attackers to
affect availability via vectors related to JSSE


CVE-2013-0441
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81758
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to CORBA


CVE-2013-0442
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81755
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to AWT


CVE-2013-0443
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality and integrity via vectors related to JSSE


CVE-2013-0444
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81781
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Beans


CVE-2013-0445
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81756
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to AWT


CVE-2013-0446
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81762
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Deployment


CVE-2013-0449
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81789
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality via unknown vectors related to Deployment


CVE-2013-0450
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81764
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to JMX


CVE-2013-0809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82515
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
execute arbitrary code via unknown vectors


CVE-2013-1473
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81790
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect integrity via unknown vectors related to Deployment


CVE-2013-1475
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81759
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to CORBA


CVE-2013-1476
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81760
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to CORBA


CVE-2013-1478
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability, related to JMX


CVE-2013-1480
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81757
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to 2D


CVE-2013-1481
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81770
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Sound


CVE-2013-1484
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82179
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Libraries


CVE-2013-1485
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82180
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Unspecified vulnerability in the JRE component allows remote attackers to
affect integrity via unknown vectors related to Libraries


CVE-2013-1486
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82178
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via vectors related
to JMX


CVE-2013-1487
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82177
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Unspecified vulnerability in the JRE component allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Deployment


CVE-2013-1489
CVSS Base Score: 0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81802
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:N

Unspecified vulnerability in the JRE component allows remote attackers
to bypass the "Very High" security level of the Java Control Panel and
execute unsigned Java code without prompting the user


CVE-2013-1493
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82514
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

The color management (CMM) functionality in the 2D component allows remote
attackers to execute arbitrary code or cause a denial of service via an
image with crafted raster parameters, which triggers an out-of-bounds read
or memory corruption in the JVM


The developerWorks JavaTM Technology Security Alerts includes a link to
Oracle's February 2013 Critical Patch Update and March 2013 Security Alert.

VERSIONS AFFECTED:

The following Oracle Java versions, which are not IBM products, are affected:
 Java SE JDK and JRE Version 7 Update 7 and earlier***

 Java SE JDK and JRE Version 6 Update 35 and earlier

 Java SE JDK and JRE Version 5 Update 36 and earlier

 Java SE JDK and JRE Version 1.4.2_38 and earlier


The following IBM Java versions are affected:
 IBM SDK Java Technology Edition Version 7***

 IBM SDK Java Technology Edition Version 6

 IBM SDK Java Technology Edition Version 5

 IBM SDK Java Technology Edition Version 1.4.2

IBM supplied the Java Runtime Environment (JRE) from the IBM SDK Java
Technology Edition Versions with the following:

The 6.x versions of Maximo Asset Management, Maximo for Government, Maximo
for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences,
Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset Management for
IT, and Maximo Service Desk bundled the JRE from IBM SDK Java Technology
Edition Version 1.4.2.

The 7.1.x versions of Maximo Asset Management, Maximo Asset Management
Essentials, Maximo Asset Management for Energy Optimization, Maximo for
Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo
for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, Tivoli
Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change
and Configuration Management Database bundled the JRE from IBM SDK Java
Technology Edition Version 5.

The 7.2.x versions of Tivoli Asset Management for IT, Tivoli Service
Request Manager, and Tivoli Change and Configuration Management Database
bundled the JRE from IBM SDK Java Technology Edition Version 5.

The 7.5.x versions of Maximo Asset Management, Maximo Asset Management
Essentials, Maximo for Nuclear Power, Maximo for Transportation, Maximo for
Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, and SmartCloud
Control Desk bundled the JRE from IBM SDK Java Technology Edition Version 6.

Intelligent Building Management 1.1.x and TRIRIGA for Energy Optimization
1.2.x bundled the JRE from IBM SDK Java Technology Edition Version 6.

It is likely that earlier versions of affected products are also affected
by these vulnerabilities. Remediation is not provided for product versions
that are no longer supported. IBM recommends that customers upgrade to
the latest supported version of products in order to obtain remediation
for the vulnerabilities.

***Please note that the versions of the IBM products listed above do
not bundle JRE Version 7 or IBM SDK Java Technology Edition Version 7;
however, JRE Version 7 and IBM SDK Java Technology Edition Version 7 are
listed here because JRE Version 7 is relatively prevalent on the browser
and therefore can potentially impact access to these IBM product versions.

REMEDIATION:

Fix:
There are two areas where the vulnerabilities in the Java SDK/JDK or JRE
may require remediation:
1. Application Server - Update the Websphere Application Server. Refer
to JDK Fixes for Websphere Application Server for additional information
on updating and maintaining the JDK component within Websphere. Customers
with Oracle Weblogic Server, which is not an IBM product and is not shipped
by IBM, will also want to update their server.
2. Browser Client - Update the Java plug-in used by the browser on client
systems, using the remediated JRE version referenced on developerWorks
JavaTM Technology Security Alerts or referenced on Oracle’s latest
Critical Patch Update (which can be accessed via developerWorks JavaTM
Technology Security Alerts). Updating the browser Java plug-in may impact
some applets such as Maximo Asset Management Scheduler. Download from IBM
FixCentral the latest Maximo Asset Management Scheduler Interim Fix for
Version 7.1 or the latest Maximo Asset Management Fix Pack for Version 7.5,
which includes the resolution for APAR IV11560.

Due to the threat posed by a successful attack, IBM strongly recommends
that customers apply fixes as soon as possible.

Workaround:
Until you apply the fixes, it may be possible to reduce the risk
of successful attack by restricting network protocols required by an
attack. For attacks that require certain privileges or access to certain
packages, removing the privileges or the ability to access the packages
from unprivileged users may help reduce the risk of successful attack. Both
approaches may break application functionality, so IBM strongly recommends
that customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the underlying
problem.

Mitigation:
None Known


REFERENCES:

Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2012-1541 - http://xforce.iss.net/xforce/xfdb/81761
CVE-2012-3174 - http://xforce.iss.net/xforce/xfdb/81200
CVE-2012-3213 - http://xforce.iss.net/xforce/xfdb/81769
CVE-2012-3342 - http://xforce.iss.net/xforce/xfdb/78334
CVE-2013-0169 - http://xforce.iss.net/xforce/xfdb/74380
CVE-2013-0351 - http://xforce.iss.net/xforce/xfdb/81786
CVE-2013-0409 - http://xforce.iss.net/xforce/xfdb/81793
CVE-2013-0419 - http://xforce.iss.net/xforce/xfdb/81783
CVE-2013-0422 - http://xforce.iss.net/xforce/xfdb/81117
CVE-2013-0423 - http://xforce.iss.net/xforce/xfdb/81784
CVE-2013-0424 - http://xforce.iss.net/xforce/xfdb/81798
CVE-2013-0425 - http://xforce.iss.net/xforce/xfdb/81766
CVE-2013-0426 - http://xforce.iss.net/xforce/xfdb/81767
CVE-2013-0427 - http://xforce.iss.net/xforce/xfdb/81795
CVE-2013-0428 - http://xforce.iss.net/xforce/xfdb/81768
CVE-2013-0429 - http://xforce.iss.net/xforce/xfdb/81782
CVE-2013-0431 - http://xforce.iss.net/xforce/xfdb/81794
CVE-2013-0432 - http://xforce.iss.net/xforce/xfdb/81788
CVE-2013-0433 - http://xforce.iss.net/xforce/xfdb/81797
CVE-2013-0434 - http://xforce.iss.net/xforce/xfdb/81792
CVE-2013-0435 - http://xforce.iss.net/xforce/xfdb/81791
CVE-2013-0437 - http://xforce.iss.net/xforce/xfdb/81753
CVE-2013-0438 - http://xforce.iss.net/xforce/xfdb/81800
CVE-2013-0440 - http://xforce.iss.net/xforce/xfdb/81799
CVE-2013-0441 - http://xforce.iss.net/xforce/xfdb/81758
CVE-2013-0442 - http://xforce.iss.net/xforce/xfdb/81755
CVE-2013-0443 - http://xforce.iss.net/xforce/xfdb/81801
CVE-2013-0444 - http://xforce.iss.net/xforce/xfdb/81781
CVE-2013-0445 - http://xforce.iss.net/xforce/xfdb/81756
CVE-2013-0446 - http://xforce.iss.net/xforce/xfdb/81762
CVE-2013-0449 - http://xforce.iss.net/xforce/xfdb/81789
CVE-2013-0450 - http://xforce.iss.net/xforce/xfdb/81764
CVE-2013-0809 - http://xforce.iss.net/xforce/xfdb/82515
CVE-2013-1473 - http://xforce.iss.net/xforce/xfdb/81790
CVE-2013-1475 - http://xforce.iss.net/xforce/xfdb/81759
CVE-2013-1476 - http://xforce.iss.net/xforce/xfdb/81760
CVE-2013-1478 - http://xforce.iss.net/xforce/xfdb/81754
CVE-2013-1480 - http://xforce.iss.net/xforce/xfdb/81757
CVE-2013-1481 - http://xforce.iss.net/xforce/xfdb/81770
CVE-2013-1484 - http://xforce.iss.net/xforce/xfdb/82179
CVE-2013-1485 - http://xforce.iss.net/xforce/xfdb/82180
CVE-2013-1486 - http://xforce.iss.net/xforce/xfdb/82178
CVE-2013-1487 - http://xforce.iss.net/xforce/xfdb/82177
CVE-2013-1489 - http://xforce.iss.net/xforce/xfdb/81802
CVE-2013-1493 - http://xforce.iss.net/xforce/xfdb/82514

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
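The base scores and vectors printed for each CVE above are CVSS v2. The following Python is an added example, not part of the IBM bulletin or AusCERT's text: it implements the CVSS v2 base equation from the published metric weights and cross-checks a few of the (score, vector) pairs exactly as they are printed in this bulletin, flagging any entry where the printed score and vector disagree or the vector is malformed (a constructed malformed vector is included to show that path).

```python
"""CVSS v2 base-score calculator and advisory consistency check (added example)."""
import math

# CVSS v2 metric weights, from the FIRST CVSS v2 guide.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
METRIC_ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {metric: value}; reject malformed input."""
    parts = vector.strip().split("/")
    if len(parts) != len(METRIC_ORDER):
        raise ValueError(f"expected 6 metrics, got {len(parts)}: {vector!r}")
    metrics = {}
    for expected, part in zip(METRIC_ORDER, parts):
        name, sep, value = part.partition(":")
        if name != expected or not sep or value not in WEIGHTS[name]:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        metrics[name] = value
    return metrics


def round_to_1_decimal(x):
    # Round half up to one decimal as the CVSS v2 guide does; avoids
    # Python's round-half-to-even behaviour on borderline values.
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score for a vector string, e.g. 9.3 for AV:N/AC:M/Au:N/C:C/I:C/A:C."""
    w = {name: WEIGHTS[name][value] for name, value in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_entries(entries):
    """Return (cve, printed_score, computed_score_or_None, reason) for inconsistent entries."""
    mismatches = []
    for cve, printed, vector in entries:
        try:
            computed = base_score(vector)
        except ValueError as exc:
            mismatches.append((cve, printed, None, str(exc)))
            continue
        if abs(computed - printed) > 0.05:
            mismatches.append((cve, printed, computed, "printed score and vector disagree"))
    return mismatches


# (CVE, printed base score, printed vector) copied from the bulletin above.
BULLETIN_ENTRIES = [
    ("CVE-2012-3174", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2013-0169", 4.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2013-0351", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2013-0409", 5.0, "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    ("CVE-2013-0432", 6.4, "AV:N/AC:L/Au:N/C:P/I:P/A:N"),
    ("CVE-2013-0438", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2013-0443", 4.0, "AV:N/AC:H/Au:N/C:P/I:P/A:N"),
    ("CVE-2013-1489", 0.0, "AV:N/AC:L/Au:N/C:N/I:N/A:N"),
    ("CVE-2013-1493", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

# Constructed malformed entry (not from the bulletin): the AV value is missing.
MALFORMED_ENTRY = ("CVE-0000-0000", 10.0, "AV:/AC:L/Au:N/C:C/I:C/A:C")


def bulletin_mismatches():
    return check_entries(BULLETIN_ENTRIES)


if __name__ == "__main__":
    for cve, printed, vector in BULLETIN_ENTRIES:
        print(f"{cve}: printed {printed:>4} computed {base_score(vector):>4}  {vector}")
    for item in check_entries(BULLETIN_ENTRIES + [MALFORMED_ENTRY]):
        print("FLAGGED:", item)
```

Running it shows the one printed pair whose vector computes to a different base score, which is the kind of entry to re-verify against the developerWorks alerts before prioritising.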

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Change History
2 Apr 2013    Flash published

CROSS REFERENCE INFORMATION:
Segment: Systems and Asset Management (all products below)
Component/Platform: All (all products below)

Product: Version(s)
Maximo Asset Management: 6.2.0 - 6.2.8; 7.1.1.0 - 7.1.1.10; 7.5.0.0 - 7.5.0.3
Maximo Asset Management Essentials: 7.1.1.0 - 7.1.1.10; 7.5.0.0 - 7.5.0.3
Maximo Asset Management for Energy Optimization: 7.1.0.0 - 7.1.1.0
Maximo for Government: 6.1.0.0; 7.1.0.0
Maximo for Nuclear Power: 6.3.0; 7.1.0.0 - 7.1.1.0; 7.5.0.0 - 7.5.1.0
Maximo for Transportation: 6.3.0; 7.1.0.0 - 7.1.1.0; 7.5.0.0
Maximo for Life Sciences: 6.4.0 - 6.5.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0
Maximo for Oil and Gas: 6.3.0 - 6.4.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0 - 7.5.1.0
Maximo for Utilities: 6.3.0; 7.1.0.0 - 7.1.2.0; 7.5.0.0
Tivoli Service Request Manager / Maximo Service Desk: 7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.1.3; 6.2.0 - 6.2.8
Tivoli Asset Management for IT: 6.2.0 - 6.2.8; 7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.2.1
Change and Configuration Management Database: 7.1.0.0 - 7.1.1.10; 7.2.0.0 - 7.2.1.2
Intelligent Building Management: 1.1.0.0
TRIRIGA for Energy Optimization: 1.2.0.0
SmartCloud Control Desk: 7.5.0.0 - 7.5.1.0

Cross reference information
Segment: Systems and Asset Management (all products below)

Product
IBM Maximo Asset Management Essentials
IBM Maximo Asset Management for Energy Optimization
IBM Maximo for Government
IBM Maximo for Nuclear Power
IBM Maximo for Transportation
IBM Maximo for Life Sciences
IBM Maximo for Oil and Gas
IBM Maximo for Utilities
Tivoli Service Request Manager
Tivoli Asset Management for IT
Tivoli Change and Configuration Management Database
IBM SmartCloud Control Desk
IBM TRIRIGA Energy Optimization

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================