-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0833
                SECURITY APAR CVE-2013-0440, CVE-2013-0443
                               14 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Delete Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0443 CVE-2013-0440 

Reference:         ASB-2013.0013
                   ESB-2013.0546
                   ESB-2013.0485
                   ESB-2013.0439
                   ESB-2013.0362
                   ESB-2013.0361
                   ESB-2013.0360
                   ESB-2013.0229
                   ESB-2013.0174
                   ESB-2013.0173
                   ESB-2013.0172
                   ESB-2013.0154
                   ESB-2013.0153
                   ESB-2013.0144

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg1IC92753
   http://www-01.ibm.com/support/docview.wss?uid=swg1IC92755
   http://www-01.ibm.com/support/docview.wss?uid=swg1IC92756

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IC92753: SECURITY APAR CVE-2013-0440, CVE-2013-0443

Document information
InfoSphere Streams

Software version:
300

Reference #:
IC92753

Modified date:
2013-06-12
 
APAR status

Closed as program error.

Error description

There is a potential security exposure when using IBM InfoSphere
Streams, which is due to vulnerabilities in IBM Java SE Version
6 SDK.  Vulnerabilities in the Java Runtime Environment (JRE)
allow remote attackers to affect confidentiality, integrity, and
availability. For additional information on specific
vulnerabilities refer to the CVE references:
CVE-2013-0440, CVE-2013-0443

Local fix

The recommended solution is to apply the IBM SDK for Linux Java
SE Version 6 fix as soon as practical.  A patch for this APAR is
available from Fix Central and is named
3.0.0.0-Patch_for_IBM_Java6_SR13.

Problem summary

Apply 3.0.0.0-Patch_for_IBM_Java6_SR13

Problem conclusion

Apply 3.0.0.0-Patch_for_IBM_Java6_SR13

Temporary fix

Comments

APAR Information

APAR number						IC92753
Reported component name					INFOSPHERE STRE
Reported component ID					5724Y95IS
Reported release					300
Status							CLOSED PER
PE							NoPE
HIPER							NoHIPER
Special Attention					NoSpecatt
Submitted date						2013-06-03
Closed date						2013-06-12
Last modified date					2013-06-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:	IC92755 IC92756

Modules/Macros

Java

Fixed component name					INFOSPHERE STRE
Fixed component ID					5724Y95IS

Applicable component levels

R300 PSY  						UP

- ------------------------------------------------------------------------------

IC92755: SECURITY APAR CVE-2013-0440, CVE-2013-0443

Document information
InfoSphere Streams

Software version:
200

Reference #:
IC92755

Modified date:
2013-06-12
 
APAR status

Closed as program error.

Error description

There is a potential security exposure when using IBM InfoSphere
Streams, which is due to vulnerabilities in IBM Java SE Version
6 SDK.  Vulnerabilities in the Java Runtime Environment (JRE)
allow remote attackers to affect confidentiality, integrity, and
availability. For additional information on specific
vulnerabilities refer to the CVE references:
CVE-2013-0440, CVE-2013-0443

Local fix

The recommended solution is to apply the IBM SDK for Linux Java
SE Version 6 fix as soon as practical.  A patch for this APAR is
available from Fix Central and is named
2.0.0.0-Patch_for_IBM_Java6_SR13.

Problem summary

Apply 2.0.0.0-Patch_for_IBM_Java6_SR13

Problem conclusion

Apply 2.0.0.0-Patch_for_IBM_Java6_SR13

Temporary fix

Comments

APAR Information

APAR number						IC92755
Reported component name					INFOSPHERE STRE
Reported component ID					5724Y95IS
Reported release					200
Status							CLOSED PER
PE							NoPE
HIPER							NoHIPER
Special Attention					NoSpecatt
Submitted date						2013-06-03
Closed date						2013-06-12
Last modified date					2013-06-12
APAR is sysrouted FROM one or more of the following: 	IC92753
APAR is sysrouted TO one or more of the following:

Modules/Macros

Java

Fixed component name					INFOSPHERE STRE
Fixed component ID					5724Y95IS

Applicable component levels

R200 PSY   						UP

- ------------------------------------------------------------------------------

IC92756: SECURITY APAR CVE-2013-0440, CVE-2013-0443

Document information
InfoSphere Streams

Software version:
121

Reference #:
IC92756

Modified date:
2013-06-12
 
APAR status

Closed as program error.

Error description

There is a potential security exposure when using IBM InfoSphere
Streams, which is due to vulnerabilities in IBM Java SE Version
6 SDK.  Vulnerabilities in the Java Runtime Environment (JRE)
allow remote attackers to affect confidentiality, integrity, and
availability. For additional information on specific
vulnerabilities refer to the CVE references:
CVE-2013-0440, CVE-2013-0443

Local fix

The recommended solution is to apply the IBM SDK for Linux Java
SE Version 6 fix as soon as practical.  A patch for this APAR is
available from Fix Central and is named
1.2.1.0-Patch_for_IBM_Java6_SR13.

Problem summary

Apply 1.2.1.0-Patch_for_IBM_Java6_SR13

Problem conclusion

Apply 1.2.1.0-Patch_for_IBM_Java6_SR13

Temporary fix

Comments

APAR Information

APAR number						IC92756
Reported component name					INFOSPHERE STRE
Reported component ID					5724Y95IS
Reported release					121
Status							CLOSED PER
PE							NoPE
HIPER							NoHIPER
Special Attention					NoSpecatt
Submitted date						2013-06-03
Closed date						2013-06-12
Last modified date					2013-06-12
APAR is sysrouted FROM one or more of the following: 	IC92753
APAR is sysrouted TO one or more of the following:

Modules/Macros

Java

Fixed component name					INFOSPHERE STRE
Fixed component ID					5724Y95IS

Applicable component levels

R121 PSY   						UP

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----