-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1491
 Security Bulletin: TADDM 7.2.2.0 and 7.2.1.5: Vulnerabilities in embedded JRE.
                              22 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Application Dependency Discovery Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002 CVE-2013-3744 CVE-2013-3743 CVE-2013-3012
                   CVE-2013-3011 CVE-2013-3010 CVE-2013-3009 CVE-2013-3008
                   CVE-2013-3007 CVE-2013-3006 CVE-2013-2473 CVE-2013-2472
                   CVE-2013-2471 CVE-2013-2470 CVE-2013-2469 CVE-2013-2468
                   CVE-2013-2466 CVE-2013-2465 CVE-2013-2464 CVE-2013-2463
                   CVE-2013-2462 CVE-2013-2460 CVE-2013-2459 CVE-2013-2458
                   CVE-2013-2457 CVE-2013-2456 CVE-2013-2455 CVE-2013-2454
                   CVE-2013-2453 CVE-2013-2452 CVE-2013-2451 CVE-2013-2450
                   CVE-2013-2449 CVE-2013-2448 CVE-2013-2447 CVE-2013-2446
                   CVE-2013-2444 CVE-2013-2443 CVE-2013-2442 CVE-2013-2437
                   CVE-2013-2412 CVE-2013-2407 CVE-2013-2400 CVE-2013-1571
                   CVE-2013-1500 CVE-2013-300 CVE-2013-245
Reference:         ASB-2013.0113 ASB-2013.0075 ESB-2013.1466 ESB-2013.1458
                   ESB-2013.1428 ESB-2013.1404 ESB-2013.1301 ESB-2013.1291
                   ESB-2013.1270 ESB-2013.1237 ESB-2013.1236 ESB-2013.1194
                   ESB-2013.1175 ESB-2013.1134 ESB-2013.1125 ESB-2013.1099
                   ESB-2013.1096 ESB-2013.1077 ESB-2013.0936 ESB-2013.0883
                   ESB-2013.0882 ESB-2013.0881

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21652561

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: TADDM 7.2.2.0 and 7.2.1.5: Vulnerabilities in embedded JRE.

Flash (Alert)

Document information

Tivoli Application Dependency Discovery Manager

Software version:    7.2.1, 7.2.2
Operating system(s): AIX, Linux, Solaris, Windows
Reference #:         1652561
Modified date:       2013-10-18

Abstract

Multiple security vulnerabilities exist in the Java Runtime Environments (JREs)
IBM JRE 5.0 Service Release 16 FP2 and IBM JRE 7 SR4 FP2 or earlier, and
non-IBM Java 5.0 and Java 7 or earlier, that can affect the security of IBM
Tivoli Application Dependency Discovery Manager.

Content

VULNERABILITY DETAILS:

CVEID: CVE-2013-1500 (CVSS 3.2)
Description: Some native internal implementation code in the AWT component
creates a shared memory segment with world read/write permissions. This allows
potentially sensitive data to be accessed and modified by a local user.
CVSS Base Score: 3.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85062
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-1571 (CVSS 4.3) / PSIRT Advisory 1025
Description: The Javadoc tool is used to generate documentation for Java code.
Current versions of Javadoc generate HTML with embedded javascript that
contains a security vulnerability. The vulnerability allows an attacker to
craft a malicious link to the documentation which injects arbitrary content
into the main frame. The injected content appears to originate from the site
hosting the documentation, but in fact it is hosted elsewhere, and may contain
malicious links or content. This type of attack is known as "clickjacking".
The fix corrects the Javadoc tool such that it produces secure javascript that
validates target pages correctly.
CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84715
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2400 (CVSS 5)
Description: Code listed in the progress-class JNLP attribute is executed
before any warning dialog is presented. The fix prevents this from happening.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85050
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2407 (CVSS 6.4)
Description: XML Signatures contain features intended to cover many different
use cases. Unfortunately, some of these features can be abused by creating
hostile signatures that may cause potential security issues when processing
them, such as DOS attacks. See http://www.w3.org/TR/xmldsig-bestpractices/ for
more information. A new secure validation mode has been added whereby
signatures are rejected and not processed if they contain potentially hostile
constructs. A new private property (org.jcp.xml.dsig.secureValidation) can be
set to enable this mode by calling the DOMValidateContext.setProperty method.
This property will be set to true by default when running under a
SecurityManager.
CVSS Base Score: 6.4
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85044
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-2412 (CVSS 5)
Description: The RMI connection dialogue box in JConsole sends the
username/password in the clear. The fix updates the code to give the user the
option to use SSL for a connection.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85059
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2437 (CVSS 5)
Description: Unsigned applets and Web Start applications do not have permission
to list files in the local directory, but this vulnerability allows a list to
be obtained via brute force guessing of file names.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85049
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2442 (CVSS 7.5)
Description: An applet with code from multiple origins may allow Same Origin
Policy violations.
CVSS Base Score: 7.5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85041
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2443 (CVSS 5)
Description: Under certain circumstances, data used in permission checks
(canonicalised file names, resolved IP addresses etc.) can be accessed by
malicious code.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85054
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2444 (CVSS 5)
Description: java.awt.Font creates temporary files while processing fonts.
These files are deleted in a finally {} block, but that code is not guaranteed
to be executed. As a result, malicious Java code can indirectly consume
filesystem resources and potentially cause a DoS.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85047
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2446 (CVSS 5)
Description: The org.omg.CORBA_2_3.portable.OutputStream is an abstract class.
It can be extended by third-party code and may be used in conjunction with the
javax.rmi.CORBA.ValueHandler class to create malicious code whereby
serializable objects passed over a CORBA-IIOP stream may be intercepted (and
possibly modified). The solution is to add a Permission check to the
org.omg.CORBA_2_3.portable.OutputStream default constructor. Applications
extending this class (or subclasses) will require an extra Permission to
continue if a SecurityManager is installed. A new system property has been
created to restore the old behaviour when set to any value other than "false".
The system property is "jdk.corba.allowOutputStreamSubclass".
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85048
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2447 (CVSS 5)
Description: Unlike InetAddress.getLocalHost(), Socket.getLocalAddress()
discloses the local IP address without checking for the relevant permission.
The fix adds the appropriate permission check.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85056
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2448 (CVSS 7.6)
Description: This CVE covers several vulnerabilities in the MIDI sound area.
CVSS Base Score: 7.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85040
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2449 (CVSS 4.3)
Description: The java.nio.file.Files.probeContentType() API may expose file
existence under GNOME 2.2+ to untrusted code under certain circumstances. The
fix adds an appropriate permission check.
CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85060
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2450 (CVSS 5)
Description: Specially crafted serialized data containing a self-referencing
or circular class hierarchy may cause a denial-of-service condition in a Java
application that deserializes untrusted data.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85057
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2451 (CVSS 3.7)
Description: Under certain circumstances, malicious Java code can "steal" a
port that is in use by another process and access the information being
sent/received on that port.
CVSS Base Score: 3.7
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85061
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2452 (CVSS 5)
Description: It is possible for untrusted code to reverse engineer the host IP
address from the RMI VMID. This undermines the security manager protection to
block access to this information, and is a confidentiality leak.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85055
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2453 (CVSS 5)
Description: Part of the internal implementation of the JMX component can be
used to gain access to interfaces that should be restricted. The fix adds an
appropriate package access check.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85053
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2454 (CVSS 5.8)
Description: Part of the javax.sql.rowset API allows untrusted code to access
fields in restricted classes under certain limited circumstances. The fix adds
appropriate permission checks to secure the API.
CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85045
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2455 (CVSS 5)
Description: Incorrect handling of the EnclosingMethod attribute when parsing
a class file enables access to declared Method objects of arbitrary classes.
The fix ensures that the EnclosingMethod attribute is processed correctly.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84146
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2456 (CVSS 5)
Description: An attacker can use the ObjectStreamClass to gain access to
classes that should be restricted. The fix adds package access checks to
secure the relevant APIs.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85058
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2457 (CVSS 5)
Description: A class in the JMX component does not perform adequate validation
during deserialization. This provides a way for attackers to bypass the
validation that is present in the class constructors, and construct classes
that could be used to access sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85052
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2458 (CVSS 5.8)
Description: Untrusted code can exploit a vulnerability in the MethodHandles
API to gain access to restricted methods. The fix adds appropriate permission
checks to secure the API.
CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85046
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2459 (CVSS 10)
Description: An attacker can create a malicious java.awt.Shape object which
triggers an integer overflow. The resulting memory corruption might facilitate
arbitrary code execution.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85033
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2460 (CVSS 9.3)
Description: Untrusted code can use part of the com.sun.tracing.ProviderFactory
API to invoke static methods in restricted classes. The fix adds appropriate
permission checks to secure the API.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85038
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2462 (CVSS 9.3)
Description: A correctly crafted JNLP file can set system properties based on
an untrusted source.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85037
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2463 (CVSS 10)
Description: Malicious code can extend part of the java.awt.image API and
override a method to prevent detection of malformed images (such images may
facilitate memory corruption or arbitrary code execution). The fix corrects
the AWT code so that validation is always carried out correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85029
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2464 (CVSS 10)
Description: Malicious code can cause heap corruption by constructing invalid
image objects. The fix ensures that these invalid objects are detected and
rejected gracefully.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85030
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2465 (CVSS 10)
Description: Malicious code can cause heap corruption by constructing invalid
image objects. The fix ensures that these invalid objects are detected and
rejected gracefully.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85031
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466 (CVSS 10)
Description: Under certain circumstances, signed applet or Web Start
application jar files may be redeployed with higher permissions than the
signer intended.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85035
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2468 (CVSS 10)
Description: Incorrect handling of the java-vm-args JNLP property allows user
data to appear on the command line when the plugin reinvokes java. The fix
ensures that arguments are processed and validated correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85034
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2469 (CVSS 10)
Description: Malicious code can cause heap corruption by constructing invalid
image objects. The fix ensures that these invalid objects are detected and
rejected gracefully.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85032
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2470 (CVSS 10)
Description: Untrusted code can use part of the java.awt.image.BufferedImage
API to access arbitrary memory addresses. This may allow execution of
arbitrary code. The fix adds code to validate the relevant input correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85025
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2471 (CVSS 10)
Description: Untrusted code can use part of the java.awt.image.Raster API to
write beyond the limits of an array. This will cause memory corruption and may
allow execution of arbitrary code. The fix adds code to validate the relevant
input correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85026
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2472 (CVSS 10)
Description: Untrusted code can use part of the java.awt.image.Raster API to
write beyond the limits of an array. This will cause memory corruption and may
allow execution of arbitrary code. The fix adds code to validate the relevant
input correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85027
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2473 (CVSS 10)
Description: Untrusted code can use part of the java.awt.image.Raster API to
write beyond the limits of an array.
This will cause memory corruption and may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.
CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85028
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3006 (CVSS 9.3)
Description: The absence of a receiver binding for protected methods in
MethodHandles.lookup allows the invocation of protected methods of arbitrary
objects. The fix ensures that the protected methods are bound correctly.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84147
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3007 (CVSS 9.3)
Description: Unsafe implementation of deserialization functionality in the ORB
allows access to arbitrary fields of Serializable classes. The fix ensures
that the deserialization is implemented safely.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84148
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3008 (CVSS 9.3)
Description: Unsafe deserialization of MethodType objects allows MethodType
objects to be mutated. The fix clones the arguments array, preventing
modification of internal parameters.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84149
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3009 (CVSS 9.3)
Description: Insecure use of the invoke method of the java.lang.reflect.Method
class in the ORB allows arbitrary method invocation inside AccessController's
doPrivileged block. The fix ensures that invoke is used securely.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84150
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3010 (CVSS 9.3)
Description: Insecure implementation of reflective Field access in the ORB
allows privileged access to arbitrary fields of Serializable classes. The fix
implements reflection safely.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84151
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3011 (CVSS 9.3)
Description: XSLT unsafely allows calls to Java extension functions. The fix
makes these calls safely.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84152
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3012 (CVSS 9.3)
Description: XSLT extends a ClassLoader unsafely. The fix extends the
ClassLoader safely.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84153
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3743 (CVSS 9.3)
Description: Some methods in the AWT component are being invoked under a
different AppContext than the one they belong to. This can lead to privilege
escalation and sandbox escape.
CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85036
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3744 (CVSS 5)
Description: LiveConnect enables Java APIs to be invoked from Javascript in
the web browser.
There is no way to sign the code in this scenario, and unsigned Java code is
intentionally blocked as of 7 SR4-FP2 (Oracle 7u21) under the following
conditions:

- - Security slider at Very High
- - Security slider at High (default/minimum recommended) and the JRE is
    flagged as "insecure", which is triggered by either being below the
    security baseline or past its built-in expiration date. (The IBM Java SDK
    has no concept of a security baseline, but it does have an expiration
    date, which is set to 6 months after the build date.)

This CVE deals with the fact that LiveConnect is not properly blocked by the
security slider settings in 7 SR4-FP2 (Oracle 7u21). The fix, in 7 SR5
(Oracle 7u25), corrects this problem. This will break applications that use
LiveConnect to make calls from Javascript to Java when they are launched under
either of the two scenarios listed above. In a future release, additional
constraints will be added to LiveConnect such that applications will need to
identify the specific Java APIs that will be callable from Javascript; at that
time the ability to use LiveConnect under these scenarios may be relaxed as
long as the APIs are properly identified using this new mechanism.
CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85051
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-4002 (CVSS 7.1)
Description: The Apache Xerces-J XML parser is vulnerable to a denial of
service attack, triggered by malformed XML data. The malformed data causes the
XML parser to consume CPU resource for several minutes before the data is
eventually rejected. This behaviour can be used to launch a denial of service
attack against any Java server application which processes XML data supplied
by remote users. The same technique can be used to consume CPU resources on
client deployments of Java. The IBM Java SDK ships a variant of the Apache
Xerces-J XML parser (XML4J) which has the same vulnerability.
The vulnerability applies to all versions of the IBM Java SDK.
CVSS Base Score: 7.1
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85260
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

AFFECTED PRODUCTS AND VERSIONS:

TADDM 7.2.0.0 through 7.2.1.5 and TADDM 7.2.2.0

REMEDIATION:

Fix*                       VRMF     APAR   How to acquire fix
efix_jdk7_SR5.zip          7.2.2.0  None   Download EFix
efix_jdk1.5_SR16_FP3.zip   7.2.1.5  None   Download EFix
None                       7.2.0.0  None   Upgrade to 7.2.1.5

Please familiarise yourself with the EFix readme in etc/<efix_name>_readme.txt

Workaround(s): None

Mitigation(s): The only solution is to upgrade the JRE embedded with TADDM.
EFixes are prepared to be installed only on top of TADDM 7.2.1.5 and TADDM
7.2.2.0 respectively. If you need an EFix for another TADDM version, please
contact IBM Support. The JRE embedded in TADDM should not be used outside the
product and never installed as the system JRE.

REFERENCES:

IBM Java security alerts

X-Force Vulnerability Database
http://xforce.iss.net/xforce/xfdb/85062
http://xforce.iss.net/xforce/xfdb/84715
http://xforce.iss.net/xforce/xfdb/85050
http://xforce.iss.net/xforce/xfdb/85044
http://xforce.iss.net/xforce/xfdb/85059
http://xforce.iss.net/xforce/xfdb/85049
http://xforce.iss.net/xforce/xfdb/85041
http://xforce.iss.net/xforce/xfdb/85054
http://xforce.iss.net/xforce/xfdb/85047
http://xforce.iss.net/xforce/xfdb/85048
http://xforce.iss.net/xforce/xfdb/85056
http://xforce.iss.net/xforce/xfdb/85040
http://xforce.iss.net/xforce/xfdb/85060
http://xforce.iss.net/xforce/xfdb/85057
http://xforce.iss.net/xforce/xfdb/85061
http://xforce.iss.net/xforce/xfdb/85055
http://xforce.iss.net/xforce/xfdb/85053
http://xforce.iss.net/xforce/xfdb/85045
http://xforce.iss.net/xforce/xfdb/84146
http://xforce.iss.net/xforce/xfdb/85058
http://xforce.iss.net/xforce/xfdb/85052
http://xforce.iss.net/xforce/xfdb/85046
http://xforce.iss.net/xforce/xfdb/85033
http://xforce.iss.net/xforce/xfdb/85038
http://xforce.iss.net/xforce/xfdb/85037
http://xforce.iss.net/xforce/xfdb/85029
http://xforce.iss.net/xforce/xfdb/85030
http://xforce.iss.net/xforce/xfdb/85031
http://xforce.iss.net/xforce/xfdb/85035
http://xforce.iss.net/xforce/xfdb/85034
http://xforce.iss.net/xforce/xfdb/85032
http://xforce.iss.net/xforce/xfdb/85025
http://xforce.iss.net/xforce/xfdb/85026
http://xforce.iss.net/xforce/xfdb/85027
http://xforce.iss.net/xforce/xfdb/85028
http://xforce.iss.net/xforce/xfdb/84147
http://xforce.iss.net/xforce/xfdb/84148
http://xforce.iss.net/xforce/xfdb/84149
http://xforce.iss.net/xforce/xfdb/84150
http://xforce.iss.net/xforce/xfdb/84151
http://xforce.iss.net/xforce/xfdb/84152
http://xforce.iss.net/xforce/xfdb/84153
http://xforce.iss.net/xforce/xfdb/85036
http://xforce.iss.net/xforce/xfdb/85051
http://xforce.iss.net/xforce/xfdb/85260

Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

RELATED INFORMATION:

IBM Secure Engineering Web Portal

ACKNOWLEDGEMENT

None

CHANGE HISTORY

17 October 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
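The secure validation mode that the CVE-2013-2407 entry above describes, shown as an added Java example that is not part of the IBM bulletin or of TADDM: it signs a constructed document and then validates it with org.jcp.xml.dsig.secureValidation set to TRUE explicitly, so the protection does not depend on a SecurityManager being installed. The class name, the sample payload and the ephemeral RSA key pair are assumptions made for the demonstration.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical class name; not part of TADDM or the IBM bulletin.
public class SecureXmlDsigValidation {

    // Property named in the CVE-2013-2407 entry of the bulletin.
    static final String SECURE_VALIDATION = "org.jcp.xml.dsig.secureValidation";

    // RSA-SHA256 signature algorithm URI, given as a string so no newer
    // SignatureMethod constant is required.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample payload for the demonstration.
    static final String PAYLOAD =
        "<order xmlns=\"urn:example:orders\"><id>42</id><total>19.99</total></order>";

    public static void main(String[] args) throws Exception {
        // Ephemeral key pair; a real deployment would use a managed key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(PAYLOAD);
        sign(doc, kp);
        System.out.println("signature valid: " + validate(doc, kp, true));
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed for the ds:Signature lookup below
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Produces an enveloped signature over the whole document.
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(
            Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(dsc);
    }

    // Validates the first ds:Signature in the document. With secure == true,
    // signatures containing constructs the mode treats as hostile are rejected
    // rather than processed, as the bulletin describes.
    static boolean validate(Document doc, KeyPair kp, boolean secure) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalStateException("no Signature element found");
        }
        // Pin the verification key rather than trusting the embedded KeyInfo.
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(kp.getPublic()), nl.item(0));
        // Weak setting: leaving the property unset when no SecurityManager is
        // installed. Hardened setting: TRUE, regardless of SecurityManager.
        ctx.setProperty(SECURE_VALIDATION, Boolean.valueOf(secure));
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }
}
```

Setting the property explicitly is the check worth adding to any code that validates XML signatures on the embedded JRE, since the default only switches it on under a SecurityManager.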
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----