Operating System:

[WIN]

Published:

09 September 2013

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2013.1236 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1236
 Security Bulletin: Multiple vulnerabilities in IBM Rational Policy Tester
(CVE-2013-0531, CVE-2013-0440, CVE-2013-4062, CVE-2013-4061, CVE-2013-2407)
                             9 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Policy Tester
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Existing Account      
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4062 CVE-2013-4061 CVE-2013-2407
                   CVE-2013-0531 CVE-2013-0440 

Reference:         ASB-2013.0075
                   ASB-2013.0013
                   ESB-2013.1194
                   ESB-2013.0847
                   ESB-2013.0496
                   ESB-2013.0495
                   ESB-2013.0483
                   ESB-2013.0404
                   ESB-2013.0401
                   ESB-2013.0282

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21648481

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Rational Policy Tester 
(CVE-2013-0531, CVE-2013-0440, CVE-2013-4062, CVE-2013-4061, CVE-2013-2407)

Flash (Alert)

Document information

Rational Policy Tester
General Support Issues

Software version:
5.6, 8.0, 8.5

Operating system(s):
Windows

Reference #:
1648481

Modified date:
2013-09-03

Abstract

Previous releases of IBM Rational Policy Tester are affected by multiple 
vulnerabilities reported in 3rd party components bundled with the product as 
well as in proprietary IBM code. These vulnerabilities include Java components, 
weak cipher suites, invalid certificate warnings and URL spoofing.

Content

VULNERABILITY DETAILS:

CVE ID:
CVE-2013-0531

DESCRIPTION: 
The Policy Tester server supports SSL cipher suites that use weak encryption 
algorithms. An attacker may therefore be able to decrypt the secure 
communication between the client and the server, or successfully execute a 
"man-in-the-middle" attack on the client, enabling them to view sensitive 
information and perform actions on behalf of the client.

The attack does not require local network access nor does it require 
authentication, but some degree of specialized knowledge and techniques are 
required. An exploit would not impact the confidentiality of information or 
the availability of the system, but the integrity of the data could be 
compromised. 


CVSS:

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84707 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
Versions 5.6 through 8.5 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon 
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 5.6 to 8.5 of Policy Tester
Upgrade to version 8.5.0.5

If you are unable to upgrade, contact IBM Technical Support. 

Workaround(s): 
Not applicable; upgrade to version 8.5.0.5 for Policy Tester 

Mitigation(s): 
None 


- ------ 

CVE ID: 
CVE-2013-0440 

DESCRIPTION: 
Unspecified vulnerability in IBM Java Runtime Environment may allow remote 
attackers to affect availability via vectors related to JSSE. 

The attack does not require local network access nor does it require 
authentication, but some degree of specialized knowledge and techniques are 
required. An exploit would not impact the confidentiality of information or 
the integrity of data, but the availability of the system could be 
compromised. 

CVSS: 

CVSS Base Score: 5 
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799 for the 
current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) 

AFFECTED PLATFORMS: 
Running on Microsoft Windows:
Version 8.5 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon 
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.5 of Policy Tester
Upgrade to version 8.5.0.5
If you are unable to upgrade, contact IBM Technical Support. 

Workaround(s): 
Not applicable; upgrade to version 8.5.0.5 for Policy Tester 

Mitigation(s): 
None 


- ------ 

CVE ID: 
CVE-2013-4062 

DESCRIPTION: 
Policy Tester allows connections to a Jazz Team Server with untrusted SSL 
certificate. This may allow an attacker to successfully execute a 
"man-in-the-middle" attack on the client 

The attack requires local network access, does not require authentication, but 
a high degree of specialized knowledge and techniques are required. An 
exploit would impact the confidentiality of information, the integrity of 
data and the availability of the system could be compromised. 


CVSS: 
CVSS Base Score: 3.7 
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86586 for the 
current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P) 


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
Version 8.5 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as 
practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.5 of Policy Tester
Upgrade to version 8.5.0.5

If you are unable to upgrade, contact IBM Technical Support. 

Once the upgrade has been completed, add the following entry into the 
asc.properties file in the Policy Tester install folder (default directory - 
C:\Program Files (x86)\IBM\AppScan Enterprise\JazzTeamServer\server\conf\asc): 

allow.invalid.ssl=false 

Once this has been completed, restart the ‘IBM Security AppScan Enterprise 
Server – Tomcat’ service. 

If you are using your own certificate, makes sure that you add it the IBM 
certificate trust store so that it will be accepted successfully. 

Workaround(s): 
Not applicable; upgrade to version 8.5.0.5 for Policy Tester 

Mitigation(s): 
None 

- ------ 

CVE ID: 
CVE-2013-4061 

DESCRIPTION: 
Unauthorized users have the ability able to update allowed hosts used for 
authentication. This can be used to facilitate spoofing through URL 
redirection. 

The attack does not require local network access but does require single 
authentication. A high degree of specialized knowledge and techniques are 
required to exploit this issue. An exploit would not impact the availability 
of the system or the integrity of data, but the confidentiality of 
information could be compromised. 


CVSS: 
CVSS Base Score: 2.1 
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86585 for the 
current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (AV:N/AC:H/Au:S/C:P/I:N/A:N) 


AFFECTED PLATFORMS: 
Running on Microsoft Windows:
Version 8.5 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon 
as practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.5 of Policy Tester
Upgrade to version 8.5.0.5
If you are unable to upgrade, contact IBM Technical Support. 

Workaround(s): 
Not applicable; upgrade to version 8.5.0.5 for Policy Tester 

Mitigation(s): 
None 

- ------ 

CVE ID: 
CVE-2013-2407 

DESCRIPTION: 
Unspecified vulnerability in the Java Runtime Environment (JRE) component 
allows remote attackers to affect confidentiality and availability via unknown 
vectors related to Libraries. 

The attack does not require specialized knowledge or techniques, nor does it 
require authentication, and network access required. An exploit could impact 
the confidentiality of information and the availability of the system, but the 
integrity of data is not compromised. 


CVSS: 
CVSS Base Score: 6.4 
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the 
current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) 



AFFECTED PLATFORMS: 
Running on Microsoft Windows:
Version 8.5 of Rational Policy Tester

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as 
practical. Please see below for information about the fixes available.

Vendor Fix(es): 
For version 8.5 of Policy Tester
Upgrade to version 8.5.0.5

If you are unable to upgrade, contact IBM Technical Support. 

Workaround(s): 
Not applicable; upgrade to version 8.5.0.5 for Policy Tester 

Mitigation(s): 
None 

REFERENCES: 

Complete CVSS Guide 
On-line Calculator V2 
CVE-2013-0531 
CVE-2013-0440 
CVE-2013-4062 
CVE-2013-4061 
CVE-2013-2407 
http://xforce.iss.net/xforce/xfdb/84707 
http://xforce.iss.net/xforce/xfdb/81799 
http://xforce.iss.net/xforce/xfdb/86586 
http://xforce.iss.net/xforce/xfdb/86585 
http://xforce.iss.net/xforce/xfdb/85044 



RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog 


*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this alert. 

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUi1HEhLndAQH1ShLAQKYGw//VhX57Jurad363fempe19US+m8H9puP96
OFU9Wc2Cy5H+DBmcsXkX5Mm2MfZ334++3xD8T0EkYyPorcXn+uuKCJCEdXk45HeB
0YgmUjRXKKZVdO3JXiOT0xzGabpNaAgHq1+G1sZkiMWwp57wpwXi1r24oQviO/Qx
V3f0toUCGWUCjSykzToYMyLgm37ZJV4lIOhF8/OaOjSB4dMBELFIGxBBd2gvfl4q
YAafVJ4avRNk31T0dFMdKj1rpJIFSg0HLhhytt3B1dJq5s47+49dDPQMzOgfnFF0
D0zLKugkKeG/u6I/SMNd4VbIC+FJjmNFffkphNAwjAwbPGpaqqzqZHqjHuirv6u7
WFpFdK9RkTG6GWNSv/6t3suBSWaZqM39mHqOYGzYSL2wzxT2v9QqOqSX6k03qu2e
KNT8J4+pBuZmBJK1qxQATVjr8RdmhJZWUrcohCKrkKG8HQAXSYJei9kyCg1TjQQz
djq5Wr59mjSU/jUgov9Kq9OPIb5asnnlRrD6l0+8njpAPfHDx1UZBhuYtN4umtq1
hsiCrBhVKyMXgXEhhNNkVtcEWz5hW2TKwzL26dUChzTSv2xiOj7adQ7RGabPCNCW
aC+xy5PQNTRykS3+O29O6C57t36Hbzam1XvVx84rrLLrlS3qGPCJVSkOgfZxpnP1
Q1X/1n5EKww=
=/wxv
-----END PGP SIGNATURE-----