===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1065
WebSphere eXtreme Scale can be affected by three vulnerabilities in the IBM
  Java Runtime Environment (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)
                               5 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere eXtreme Scale
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0443 CVE-2013-0440 CVE-2013-0169

Reference:         ASB-2013.0069
                   ASB-2013.0025
                   ASB-2013.0013
                   ESB-2013.1052
                   ESB-2013.1051
                   ESB-2013.0980
                   ESB-2013.0935
                   ESB-2013.0932
                   ESB-2013.0161
                   ESB-2013.0154
                   ESB-2013.0153
                   ESB-2013.0144

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21644596

- --------------------------BEGIN INCLUDED TEXT--------------------

WebSphere eXtreme Scale can be affected by three vulnerabilities in the IBM 
Java Runtime Environment (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)

Flash (Alert)

Document information

WebSphere eXtreme Scale

General

Software version:
7.1.1.1, 8.5.0.3

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1644596

Modified date:
2013-07-22

Abstract

Multiple security vulnerabilities in the TLS implementation of the Java Runtime
Environment shipped with WebSphere eXtreme Scale might allow attackers access 
to sensitive data.

Content

VULNERABILITY DETAILS:

CVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows 
remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows 
remote attackers to affect confidentiality and integrity via vectors related 
to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-2013-0169 - The TLS protocol does not properly consider timing side-channel
attacks, which allows remote attackers to conduct distinguishing attacks and 
plain-text recovery attacks via statistical analysis of timing data for crafted
packets, also known as the "Lucky Thirteen" issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
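The timing dependency behind CVE-2013-0169, modelled as an added illustration that is not IBM's or JSSE's code: a toy MAC-then-pad record check written in the vulnerable early-exit style beside the constant-work style TLS stacks adopted as the fix. The key, the record layout and the bytes_hashed counter (a stand-in for elapsed time) are constructed for the demo.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag, as in the TLS *_CBC_SHA ciphersuites

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def make_record(key: bytes, data: bytes, pad: int) -> bytes:
    """Constructed MAC-then-pad plaintext: data || HMAC(data) || pad bytes."""
    return data + _mac(key, data) + bytes([pad]) * (pad + 1)

def check_record_naive(key: bytes, rec: bytes):
    """Vulnerable pattern: bail out on bad padding, then MAC only the real data.
    Returns (ok, bytes_hashed); the second value stands in for elapsed time."""
    pad = rec[-1]
    if pad + 1 + MAC_LEN > len(rec) or any(b != pad for b in rec[-(pad + 1):]):
        return False, 0                       # early exit: no MAC work at all
    body = rec[:-(pad + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return _mac(key, data) == tag, len(data)  # work depends on padding length

def check_record_ct(key: bytes, rec: bytes):
    """Hardened pattern: fixed-trip-count padding scan, MAC work topped up to
    the maximum plaintext length, tag compared with hmac.compare_digest."""
    n = len(rec)
    if n < MAC_LEN + 1:
        return False, 0
    max_len = n - MAC_LEN - 1                 # longest data any padding allows
    pad = rec[-1]
    bad = 0 if pad <= min(255, max_len) else 1
    for i in range(min(255, max_len) + 1):   # same trip count for every record
        mask = 0xFF if i <= pad else 0        # a real stack would use bit masks
        bad |= mask & (rec[n - 1 - i] ^ pad)
    eff_pad = 0 if bad else pad               # bad padding: MAC as if pad == 0
    data_len = n - MAC_LEN - 1 - eff_pad
    data, tag = rec[:data_len], rec[data_len:data_len + MAC_LEN]
    real = _mac(key, data)
    _mac(key, b"\0" * (max_len - data_len))   # dummy work so total is constant
    ok = hmac.compare_digest(real, tag) and bad == 0
    return ok, max_len

KEY = b"\x0b" * 20                            # constructed demo key
REC_SHORT_PAD = make_record(KEY, b"GET / HTTP/1.1\r\n" + b"abcd", 1)  # 42 bytes
REC_LONG_PAD = make_record(KEY, b"GET / HTTP/1.1\r\n", 5)             # 42 bytes
BAD_PAD = REC_LONG_PAD[:-1] + b"\x07"         # last padding byte corrupted
```

Two records of identical length make the naive checker hash 20 and 16 bytes respectively and do no MAC work at all on bad padding, which is the signal the statistical timing analysis measures; the hardened checker does 21 bytes of work in all three cases.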

AFFECTED PRODUCTS AND VERSIONS:

All levels of WebSphere eXtreme Scale through V8.6.0.1.

REMEDIATION:

If running WebSphere eXtreme Scale 7.1.1 or 8.5 with the Java Runtime 
Environment shipped with those versions of the product, apply one of the 
following interim fixes:

Product Release                  Interim Fix
WebSphere eXtreme Scale 7.1.1    PM87563
WebSphere eXtreme Scale 8.5      PM88607

If running WebSphere eXtreme Scale V8.6.0 or V8.6.0.1, upgrade to WebSphere 
eXtreme Scale V8.6.0.2 or later.

The WebSphere eXtreme Scale Client is used to communicate with the WebSphere 
DataPower XC10 Appliance, and the recommended fix level described here should 
be applied to the client when used with the appliance as well.

Information on obtaining the required software updates is available at this 
link: http://www-01.ibm.com/support/docview.wss?uid=swg27018991

If running WebSphere eXtreme Scale Client or server within a WebSphere 
Application Server process, apply a fix as described in the WebSphere 
Application Server security bulletin for these vulnerabilities:
http://www-01.ibm.com/support/docview.wss?uid=swg21627634

If running WebSphere eXtreme Scale Client or server using a Java Runtime 
Environment obtained separately, obtain a fix for that Java Runtime Environment
from the Java vendor.

Workarounds:
None

Mitigations:
None

REFERENCES:
	Complete CVSS Guide
	On-line Calculator V2
	CVE-2013-0440
	CVE-2013-0443
	CVE-2013-0169
	http://xforce.iss.net/xforce/xfdb/81799
	http://xforce.iss.net/xforce/xfdb/81801
	http://xforce.iss.net/xforce/xfdb/81902
	IBM Security Alerts
	http://www-01.ibm.com/support/docview.wss?uid=swg21627634

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
xx-xx-xxxx Original Version Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark information" 
at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================