-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1081
Security Bulletin: Various security vulnerabilities have been identified in
            Oracle Java that affect Tivoli Provisioning Manager
                               7 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Provisioning Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2432 CVE-2013-2430 CVE-2013-2429
                   CVE-2013-2424 CVE-2013-2420 CVE-2013-2419
                   CVE-2013-2417 CVE-2013-2394 CVE-2013-2384
                   CVE-2013-2383 CVE-2013-1569 CVE-2013-1557
                   CVE-2013-1537 CVE-2013-1518 CVE-2013-1491
                   CVE-2013-0401  

Reference:         ASB-2013.0058
                   ASB-2013.0057
                   ESB-2013.1077
                   ESB-2013.0986
                   ESB-2013.0935
                   ESB-2013.0915
                   ESB-2013.0805
                   ESB-2013.0742
                   ESB-2013.0728
                   ESB-2013.0723

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21645425

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Various security vulnerabilities have been identified in 
Oracle Java that affect Tivoli Provisioning Manager

Flash (Alert)

Document information

Tivoli Provisioning Manager

Software version:
5.1.1.3, 7.1.1, 7.2.1

Operating system(s):
AIX, Linux, Solaris, Windows

Reference #:
1645425

Modified date:
2013-07-31

Abstract

Tivoli Provisioning Manager Common Agent Services component together with the 
bundled WebSphere Application Server is shipped with an IBM Java SDK. Oracle has
released April 2013 critical patch updates (CPU) which contain security 
vulnerability fixes and the IBM Java SDK that Tivoli Provisioning Manager ships
is affected.

Content

VULNERABILITY DETAILS:

This Security Bulletin addresses the security vulnerabilities in the IBM SDK 
that are addressed by the Oracle April 2013 critical patch updates (CPU):

CVEID: CVE-2013-2432
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83559
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1518
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83566
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1537
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83571
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1557
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83572
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1491
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82820
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-0401
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82823
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2383
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83555
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2384
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83556
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1569
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83557
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2420
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83560
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2394
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83576
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2419
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83581
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2430
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83577
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2429
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83578
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2424
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83582
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2417
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83586
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:

Tivoli Provisioning Manager for Software 5.1 - 5.1.1.3
Tivoli Provisioning Manager 7.1 - 7.1.1
Tivoli Provisioning Manager 7.2 - 7.2.1

REMEDIATION:

For WebSphere Application Server, refer to the security bulletin:
Security Bulletin: WebSphere Application Server-Oracle CPU April 2013
For Common Agent Services, the recommended solution is to upgrade the product
to the VRMF (version) noted below and then apply the corresponding remediation
fix to upgrade to IBM Java 5.0 SR16 FP2.

Product                                   VRMF                         APAR   Remediation/First Fix
Tivoli Provisioning Manager for Software  5.1.1.3-TIV-TPMFSW-IF00007   None   Contact IBM customer support to request the Limited Availability Patch
Tivoli Provisioning Manager               7.1.1.TIV-TPM-IF00007        None   Contact IBM customer support to request the Limited Availability Patch
Tivoli Provisioning Manager               7.2.1.0                      None   7.2.1-TIV-TPM-IF00005

WORKAROUNDS & MITIGATIONS:

None known


REFERENCES:

 Complete CVSS Guide
 On-line Calculator V2
 Security Bulletin: WebSphere Application Server-Oracle CPU April 2013
 CVE-2013-2432
 CVE-2013-1518
 CVE-2013-1537
 CVE-2013-1557
 CVE-2013-1491
 CVE-2013-0401
 CVE-2013-2383
 CVE-2013-2384
 CVE-2013-1569
 CVE-2013-2420
 CVE-2013-2394
 CVE-2013-2419
 CVE-2013-2430
 CVE-2013-2429
 CVE-2013-2424
 CVE-2013-2417
 http://xforce.iss.net/xforce/xfdb/83559
 http://xforce.iss.net/xforce/xfdb/83566
 http://xforce.iss.net/xforce/xfdb/83571
 http://xforce.iss.net/xforce/xfdb/83572
 http://xforce.iss.net/xforce/xfdb/82820
 http://xforce.iss.net/xforce/xfdb/82823
 http://xforce.iss.net/xforce/xfdb/83555
 http://xforce.iss.net/xforce/xfdb/83556
 http://xforce.iss.net/xforce/xfdb/83557
 http://xforce.iss.net/xforce/xfdb/83560
 http://xforce.iss.net/xforce/xfdb/83576
 http://xforce.iss.net/xforce/xfdb/83581
 http://xforce.iss.net/xforce/xfdb/83577
 http://xforce.iss.net/xforce/xfdb/83578
 http://xforce.iss.net/xforce/xfdb/83582
 http://xforce.iss.net/xforce/xfdb/83586

RELATED INFORMATION:

IBM Secure Engineering Web Portal

ACKNOWLEDGEMENT

None

CHANGE HISTORY

22 July 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================