-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1094
    Security Bulletin: IBM OmniFind Enterprise Edition and IBM Content
           Analytics Oracle Critical Patch Updates February 2013
               (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)
                               9 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Content Analytics with Enterprise Search
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0443 CVE-2013-0440 CVE-2013-0169

Reference:         ASB-2013.0069
                   ASB-2013.0025
                   ASB-2013.0013
                   ESB-2013.1082
                   ESB-2013.1077
                   ESB-2013.0173
                   ESB-2013.0172
                   ESB-2013.0161
                   ESB-2013.0154
                   ESB-2013.0153
                   ESB-2013.0144

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21640615

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM OmniFind Enterprise Edition and IBM Content Analytics
Oracle Critical Patch Updates February 2013 (CVE-2013-0440, CVE-2013-0443, 
CVE-2013-0169)

Flash (Alert)

Document information

Content Analytics with Enterprise Search

Software version:
2.2, 3.0

Operating system(s):
AIX, Linux, Linux on System z, Windows

Software edition:
All Editions

Reference #:
1640615

Modified date:
2013-08-04

Abstract

Potential security vulnerabilities exist in the IBM Java SDK that is shipped 
with the IBM OmniFind Enterprise Edition and IBM Content Analytics products.

Content

The products listed below may be affected by security vulnerabilities reported 
by Oracle's February 2013 Critical Patch Updates:

    IBM OmniFind Enterprise Edition
    IBM Content Analytics
    IBM Content Analytics with Enterprise Search


VULNERABILITY DETAILS:

CVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows 
remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows 
remote attackers to affect confidentiality and integrity via vectors related 
to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-2013-0169 - The TLS protocol does not properly consider timing side-channel
attacks, which allows remote attackers to conduct distinguishing attacks and 
plain-text recovery attacks via statistical analysis of timing data for crafted
packets, also known as the "Lucky Thirteen" issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
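The Lucky Thirteen entry above is the one of the three that a practitioner can reason about from public detail: in TLS CBC cipher suites the receiver decrypts, strips padding, then verifies an HMAC, and the amount of HMAC work (SHA-1 compression calls) depends on how much padding was stripped. Even a stack that follows the TLS 1.1 advice of "MAC the whole record when the padding is bad" leaks, because the full-record MAC costs more compressions than the padding-stripped one. The following is an added example, not code from IBM, Oracle or this bulletin. It assumes a stand-in XOR "block cipher" in place of AES so that it runs with the standard library only (the padding and MAC handling that matters is cipher-independent), uses a compression-call count as a deterministic proxy for the timing the real attack measures, and every function and constant name in it is invented for illustration. The sample record is constructed so that stripped and unstripped MAC inputs fall on opposite sides of a 64-byte SHA-1 block boundary.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16     # CBC block size (AES-sized blocks)
MAC_LEN = 20   # HMAC-SHA1 tag length
HDR_LEN = 13   # MAC input prefix: seq_num(8) || type(1) || version(2) || length(2)

# Constructed sample plaintext (32 bytes): with a 20-byte tag it pads with 12
# bytes, which puts the "padding stripped" and "padding rejected" MAC inputs on
# opposite sides of a 64-byte SHA-1 block boundary.
PLAINTEXT = b"GET /secret HTTP/1.1\r\nCookie:abc"

def sha1_compressions(msg_len):
    """SHA-1 compression calls HMAC-SHA1 spends on a msg_len-byte message:
    inner hash = key block + padded message blocks, outer hash = 2 blocks."""
    return 1 + (msg_len + 1 + 8 + 63) // 64 + 2

def _block_cipher(key, block):
    # Stand-in for AES (assumption, so the example needs only the standard
    # library): XOR with the key.  Insecure and its own inverse, but the
    # CBC/padding/MAC handling that Lucky Thirteen targets does not depend on it.
    return bytes(a ^ b for a, b in zip(block, key))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _block_cipher(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_block_cipher(key, c), prev)))
        prev = c
    return b"".join(out)

def tls_record_encrypt(enc_key, mac_key, seq, plaintext):
    """MAC-then-pad-then-encrypt as in TLS 1.1/1.2 CBC cipher suites."""
    hdr = struct.pack(">QBHH", seq, 23, 0x0302, len(plaintext))
    tag = hmac.new(mac_key, hdr + plaintext, hashlib.sha1).digest()
    body = plaintext + tag
    pad_len = BLOCK - len(body) % BLOCK          # 1..16; each pad byte is pad_len-1
    body += bytes([pad_len - 1]) * pad_len
    iv = os.urandom(BLOCK)                       # explicit per-record IV
    return iv + cbc_encrypt(enc_key, iv, body)

def _split_and_verify(mac_key, seq, body):
    """Split body into data || tag, verify, and report the HMAC work spent."""
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    hdr = struct.pack(">QBHH", seq, 23, 0x0302, len(data))
    ok = hmac.compare_digest(hmac.new(mac_key, hdr + data, hashlib.sha1).digest(), tag)
    return ok, sha1_compressions(HDR_LEN + len(data))

def decrypt_leaky(enc_key, mac_key, seq, record):
    """Pre-fix behaviour: bad padding is treated as zero-length padding and the
    whole record is MACed, so the HMAC work (and time) still reveals whether
    the padding was accepted."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1] + 1
    if pad_len <= len(pt) - MAC_LEN and pt[-pad_len:] == bytes([pt[-1]]) * pad_len:
        return _split_and_verify(mac_key, seq, pt[:-pad_len])
    return _split_and_verify(mac_key, seq, pt)   # (False, larger work count)

def _burn_compressions(n):
    # Exactly n SHA-1 compressions: a (64*n - 9)-byte input pads to n blocks.
    if n > 0:
        hashlib.sha1(b"\0" * (64 * n - 9)).digest()

def decrypt_hardened(enc_key, mac_key, seq, record):
    """Fixed-work variant: the padding scan has no early exit, and dummy
    compressions top the HMAC work up to what a zero-padding record of this
    length costs, so the count depends only on the ciphertext length.
    (Python itself is not constant-time; the point is the equalised work.)"""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1] + 1
    good = pad_len <= len(pt) - MAC_LEN
    diff = 0
    for i in range(1, min(256, len(pt)) + 1):        # fixed-length scan
        mask = 0xFF if i <= pad_len else 0x00
        diff |= (pt[-i] ^ pt[-1]) & mask
    good = good and diff == 0
    ok, work = _split_and_verify(mac_key, seq, pt[:-pad_len] if good else pt)
    max_work = sha1_compressions(HDR_LEN + len(pt) - MAC_LEN)
    _burn_compressions(max_work - work)
    return ok, max_work

def padding_oracle_distinguisher(enc_key, mac_key, seq, record, decrypt):
    """Attacker's view: corrupt the last byte of the second-to-last ciphertext
    block (this flips the final pad byte) and compare the receiver's work on
    the original and tampered records.  Any difference is the side channel a
    Lucky Thirteen attack measures as timing."""
    tampered = bytearray(record)
    tampered[-BLOCK - 1] ^= 0x01
    return decrypt(enc_key, mac_key, seq, record)[1], decrypt(enc_key, mac_key, seq, bytes(tampered))[1]

if __name__ == "__main__":
    ek, mk = b"\x11" * BLOCK, b"\x22" * MAC_LEN
    rec = tls_record_encrypt(ek, mk, 0, PLAINTEXT)
    print("leaky    (good, tampered):", padding_oracle_distinguisher(ek, mk, 0, rec, decrypt_leaky))
    print("hardened (good, tampered):", padding_oracle_distinguisher(ek, mk, 0, rec, decrypt_hardened))
```

Run stand-alone, the leaky receiver reports 4 compressions for the intact record and 5 for the tampered one, which is the distinguisher the CVE text describes; the hardened receiver reports 5 for both. Real fixes (such as the ones shipped in the Java SDK updates referenced here) do the equivalent inside the TLS implementation, where the difference of a single compression is what the attacker recovers statistically over many crafted records.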

AFFECTED PRODUCTS AND VERSIONS:

    Product: IBM OmniFind Enterprise Edition, Version(s): V9.1 through 
    V9.1.0.4
    Product: IBM Content Analytics, Version(s): V2.2 through V2.2.0.3
    Product: IBM Content Analytics with Enterprise Search, Version(s): V3.0 
    through V3.0.0.2


REMEDIATION:

Apply the Following Fixes:

Fix*          Product                                       VRMF       How to acquire fix
Interim Fix   IBM OmniFind Enterprise Edition               V9.1.0.4   www.ibm.com/support/fixcentral
Interim Fix   IBM Content Analytics                         V2.2.0.3   www.ibm.com/support/fixcentral
Fix Pack      IBM Content Analytics with Enterprise Search  V3.0.0.3   www.ibm.com/support/docview.wss?uid=swg24035445


Workaround(s):
Recommend customers apply the fixes listed above.

Mitigation(s):
None.

REFERENCES:

    Complete CVSS Guide
    On-line Calculator V2
            CVE-2013-0440
            CVE-2013-0443
            CVE-2013-0169
    X-Force Vulnerability Database
            http://xforce.iss.net/xforce/xfdb/81799
            http://xforce.iss.net/xforce/xfdb/81801
            http://xforce.iss.net/xforce/xfdb/81902



RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment-specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information 

Segment:    Enterprise Content Management
Product:    OmniFind Enterprise Edition
Component:  
Platform:   AIX, Linux, Solaris, Windows, Linux on System z
Version:    9.1
Edition:    All Editions

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----