-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1491
               Security Bulletin: TADDM 7.2.2.0 and 7.2.1.5:
                     Vulnerabilities in embedded JRE.
                              22 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Application Dependency Discovery Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002 CVE-2013-3744 CVE-2013-3743
                   CVE-2013-3012 CVE-2013-3011 CVE-2013-3010
                   CVE-2013-3009 CVE-2013-3008 CVE-2013-3007
                   CVE-2013-3006 CVE-2013-2473 CVE-2013-2472
                   CVE-2013-2471 CVE-2013-2470 CVE-2013-2469
                   CVE-2013-2468 CVE-2013-2466 CVE-2013-2465
                   CVE-2013-2464 CVE-2013-2463 CVE-2013-2462
                   CVE-2013-2460 CVE-2013-2459 CVE-2013-2458
                   CVE-2013-2457 CVE-2013-2456 CVE-2013-2455
                   CVE-2013-2454 CVE-2013-2453 CVE-2013-2452
                   CVE-2013-2451 CVE-2013-2450 CVE-2013-2449
                   CVE-2013-2448 CVE-2013-2447 CVE-2013-2446
                   CVE-2013-2444 CVE-2013-2443 CVE-2013-2442
                   CVE-2013-2437 CVE-2013-2412 CVE-2013-2407
                   CVE-2013-2400 CVE-2013-1571 CVE-2013-1500

Reference:         ASB-2013.0113
                   ASB-2013.0075
                   ESB-2013.1466
                   ESB-2013.1458
                   ESB-2013.1428
                   ESB-2013.1404
                   ESB-2013.1301
                   ESB-2013.1291
                   ESB-2013.1270
                   ESB-2013.1237
                   ESB-2013.1236
                   ESB-2013.1194
                   ESB-2013.1175
                   ESB-2013.1134
                   ESB-2013.1125
                   ESB-2013.1099
                   ESB-2013.1096
                   ESB-2013.1077
                   ESB-2013.0936
                   ESB-2013.0883
                   ESB-2013.0882
                   ESB-2013.0881

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21652561

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: TADDM 7.2.2.0 and 7.2.1.5: Vulnerabilities in embedded JRE.

Flash (Alert)

Document information

Tivoli Application Dependency Discovery Manager

Software version:
7.2.1, 7.2.2

Operating system(s):
AIX, Linux, Solaris, Windows

Reference #:
1652561

Modified date:
2013-10-18

Abstract

Multiple security vulnerabilities exist in the Java Runtime Environments 
(JREs) IBM JRE 5.0 Service Release 16 FP2 and IBM JRE 7 SR4 FP2 or earlier, 
and non-IBM Java 5.0 and Java 7 or earlier, that can affect the security of 
IBM Tivoli Application Dependency Discovery Manager.

Content

VULNERABILITY DETAILS:

CVEID: CVE-2013-1500 (CVSS 3.2)
Description:
Some native internal implementation code in the AWT component creates a shared 
memory segment with world read/write permissions. This allows potentially 
sensitive data to be accessed and modified by a local user.

CVSS Base Score: 3.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85062
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-1571 (CVSS 4.3) / PSIRT Advisory 1025
Description:
The Javadoc tool is used to generate documentation for Java code. Current 
versions of Javadoc generate HTML with embedded JavaScript that contains a 
security vulnerability.
The vulnerability allows an attacker to craft a malicious link to the 
documentation which injects arbitrary content into the main frame. The 
injected content appears to originate from the site hosting the documentation, 
but in fact it is hosted elsewhere, and may contain malicious links or 
content. This type of attack is known as "clickjacking".
The fix corrects the Javadoc tool such that it produces secure JavaScript that 
validates target pages correctly.

CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84715
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2400 (CVSS 5)
Description:
Code listed in the progress-class JNLP attribute is executed before any 
warning dialog is presented.
The fix prevents this from happening.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85050
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2407 (CVSS 6.4)
Description:
XML Signatures contain features intended to cover many different use cases. 
Unfortunately, some of these features can be abused by creating hostile 
signatures that may cause potential security issues when processing them, such 
as DOS attacks. See http://www.w3.org/TR/xmldsig-bestpractices/ for more 
information.
A new secure validation mode has been added whereby signatures are rejected 
and not processed if they contain potentially hostile constructs. A new 
private property (org.jcp.xml.dsig.secureValidation) can be set to enable this 
mode by calling the DOMValidateContext.setProperty method.
This property will be set to true by default when running under a 
SecurityManager.

CVSS Base Score: 6.4
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85044
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)


CVEID: CVE-2013-2412 (CVSS 5)
Description:
The RMI connection dialogue box in JConsole sends the username/password in the 
clear.
The fix updates the code to give the user the option to use SSL for a 
connection.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85059
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2437 (CVSS 5)
Description:
Unsigned applets and Web Start applications do not have permission to list 
files in the local directory, but this vulnerability allows a list to be 
obtained via brute force guessing of file names.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85049
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2442 (CVSS 7.5)
Description:
An applet with code from multiple origins may allow Same Origin Policy 
violations.

CVSS Base Score: 7.5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85041
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVEID: CVE-2013-2443 (CVSS 5)
Description:
Under certain circumstances, data used in permission checks (canonicalised 
file names, resolved IP addresses etc.) can be accessed by malicious code.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85054
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2444 (CVSS 5)
Description:
java.awt.Font creates temporary files while processing fonts. These files are 
deleted in a finally {} block, but that code is not guaranteed to be executed.
As a result, malicious Java code can indirectly consume filesystem resources 
and potentially cause a DoS.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85047
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-2446 (CVSS 5)
Description:
The org.omg.CORBA_2_3.portable.OutputStream is an abstract class. It can be 
extended by 3rd party code and may be used in conjunction with the 
javax.rmi.CORBA.ValueHandler class to create malicious code whereby 
serializable objects passed over a CORBA - IIOP stream may be intercepted (and 
possibly modified).
The solution is to add a Permission check to the 
org.omg.CORBA_2_3.portable.OutputStream default constructor.
Applications extending this class (or subclasses) will require an extra 
Permission to continue if a SecurityManager is installed.
A new system property has been created to restore the old behaviour when 
set to any value other than "false". The system property is 
"jdk.corba.allowOutputStreamSubclass".

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85048
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2447 (CVSS 5)
Description:
Unlike InetAddress.getLocalHost(), Socket.getLocalAddress() discloses the 
local IP address without checking for the relevant permission. The fix adds 
the appropriate permission check.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85056
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2448 (CVSS 7.6)
Description:
This CVE covers several vulnerabilities in the MIDI sound area.

CVSS Base Score: 7.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85040
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2449 (CVSS 4.3)
Description:
The java.nio.file.Files.probeContentType() API may expose file existence under 
GNOME 2.2+ to untrusted code under certain circumstances.
The fix adds an appropriate permission check.

CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85060
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2450 (CVSS 5)
Description:
Specially crafted serialized data containing a self-referencing or circular 
class hierarchy may cause a denial-of-service condition in a Java application 
that deserializes untrusted data.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85057
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-2451 (CVSS 3.7)
Description:
Under certain circumstances, malicious Java code can "steal" a port that is in 
use by another process and access the information being sent/received on that 
port.

CVSS Base Score: 3.7
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85061
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)


CVEID: CVE-2013-2452 (CVSS 5)
Description:
It is possible for untrusted code to reverse engineer the host IP address from 
the RMI VMID. This undermines the security manager protection that blocks 
access to this information, and is a confidentiality leak.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85055
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2453 (CVSS 5)
Description:
Part of the internal implementation of the JMX component can be used to gain 
access to interfaces that should be restricted.
The fix adds an appropriate package access check.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85053
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2454 (CVSS 5.8)
Description:
Part of the javax.sql.rowset API allows untrusted code to access fields in 
restricted classes under certain limited circumstances.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85045
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-2455 (CVSS 5)
Description:
Incorrect handling of the EnclosingMethod attribute when parsing a class file 
enables access to declared Method objects of arbitrary classes.
The fix ensures that the EnclosingMethod attribute is processed correctly.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84146
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2456 (CVSS 5)
Description:
An attacker can use the ObjectStreamClass to gain access to classes that 
should be restricted.
The fix adds package access checks to secure the relevant APIs.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85058
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2457 (CVSS 5)
Description:
A class in the JMX component does not perform adequate validation during 
deserialization. This provides a way for attackers to bypass the validation 
that is present in the class constructors, and construct classes that could be 
used to access sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85052
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2458 (CVSS 5.8)
Description:
Untrusted code can exploit a vulnerability in the MethodHandles API to gain 
access to restricted methods.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85046
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-2459 (CVSS 10)
Description:
An attacker can create a malicious java.awt.Shape object which triggers an 
integer overflow. The resulting memory corruption might facilitate arbitrary 
code execution.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85033
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2460 (CVSS 9.3)
Description:
Untrusted code can use part of the com.sun.tracing.ProviderFactory API to 
invoke static methods in restricted classes.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85038
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2462 (CVSS 9.3)
Description:
A correctly crafted JNLP file can set system properties based on an untrusted 
source.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85037
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2463 (CVSS 10)
Description:
Malicious code can extend part of the java.awt.image API and override a method 
to prevent detection of malformed images (such images may lead to memory 
corruption or arbitrary code execution).
The fix corrects the AWT code so that validation is always carried out 
correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85029
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2464 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image 
objects.
The fix ensures that these invalid objects are detected and rejected 
gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85030
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2465 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image 
objects.
The fix ensures that these invalid objects are detected and rejected 
gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85031
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466 (CVSS 10)
Description:
Under certain circumstances, signed applet or Web Start application jar files 
may be redeployed with higher permissions than the signer intended.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85035
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2468 (CVSS 10)
Description:
Incorrect handling of the java-vm-args JNLP property allows user data to 
appear on the command line when the plugin reinvokes java.
The fix ensures that arguments are processed and validated correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85034
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2469 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image 
objects.
The fix ensures that these invalid objects are detected and rejected 
gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85032
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2470 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.BufferedImage API to access 
arbitrary memory addresses. This may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85025
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2471 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond 
the limits of an array. This will cause memory corruption and may allow 
execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85026
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2472 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond 
the limits of an array. This will cause memory corruption and may allow 
execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85027
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2473 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond 
the limits of an array. This will cause memory corruption and may allow 
execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85028
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3006 (CVSS 9.3)
Description:
The absence of a receiver binding for protected methods in MethodHandles.lookup 
allows the invocation of protected methods of arbitrary objects.
The fix ensures that the protected methods are bound correctly.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84147
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3007 (CVSS 9.3)
Description:
Unsafe implementation of deserialization functionality in the ORB allows 
access to arbitrary fields of Serializable classes.
The fix ensures that the deserialization is implemented safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84148
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3008 (CVSS 9.3)
Description:
Unsafe deserialization of MethodType objects allows MethodType objects to be 
mutated.
The fix clones the arguments array preventing modification of internal 
parameters.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84149
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3009 (CVSS 9.3)
Description:
Insecure use of the invoke method of java.lang.reflect.Method class in the ORB 
allows arbitrary method invocation inside AccessController's doPrivileged 
block.
The fix ensures that invoke is used securely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84150
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3010 (CVSS 9.3)
Description:
Insecure implementation of reflective Field access in the ORB allows 
privileged access to arbitrary fields of Serializable classes.
The fix implements reflection safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84151
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3011 (CVSS 9.3)
Description:
XSLT unsafely allows calls to Java extension functions.
The fix makes these calls safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84152
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3012 (CVSS 9.3)
Description:
XSLT extends a ClassLoader unsafely.
The fix extends the ClassLoader safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84153
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3743 (CVSS 9.3)
Description:
Some methods in the AWT component are being invoked under a different 
AppContext than the one they belong to. This can lead to privilege escalation 
and sandbox escape.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85036
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3744 (CVSS 5)
Description:
LiveConnect enables Java APIs to be invoked from JavaScript in the web 
browser. There is no way to sign the code in this scenario, and unsigned Java 
code is intentionally blocked as of 7 SR4-FP2 (Oracle 7u21) under the 
following conditions:
- Security slider at Very High
- Security slider at High (default/minimum recommended) and the JRE is
  flagged as "insecure", which is triggered by either being below the
  security baseline or past its built-in expiration date.
  (The IBM Java SDK has no concept of a security baseline, but it does
  have an expiration date, which is set to 6 months after the build
  date.)
This CVE deals with the fact that LiveConnect is not properly blocked by the 
security slider settings in 7 SR4-FP2 (Oracle 7u21). The fix, in 7 SR5 (Oracle 
7u25), corrects this problem.
This will break applications that use LiveConnect to make calls from 
JavaScript to Java when they are launched under either of the two scenarios 
listed above.
In a future release, additional constraints will be added to LiveConnect such 
that applications will need to identify the specific Java APIs that will be 
callable from JavaScript. At that time the ability to use LiveConnect under 
these scenarios may be relaxed as long as the APIs are properly identified 
using this new mechanism.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85051
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-4002 (CVSS 7.1)
Description:
The Apache Xerces-J XML parser is vulnerable to a denial of service attack, 
triggered by malformed XML data. The malformed data causes the XML parser to 
consume CPU resource for several minutes before the data is eventually 
rejected. This behaviour can be used to launch a denial of service attack 
against any Java server application which processes XML data supplied by 
remote users. The same technique can be used to consume CPU resources on 
client deployments of Java.
The IBM Java SDK ships a variant of the Apache Xerces-J XML parser (XML4J) 
which has the same vulnerability. The vulnerability applies to all versions of 
the IBM Java SDK.

CVSS Base Score: 7.1
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85260
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)


AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.5 and TADDM 7.2.2.0

REMEDIATION:
Fix*                       VRMF      APAR    How to acquire fix
efix_jdk7_SR5.zip          7.2.2.0   None    Download EFix
efix_jdk1.5_SR16_FP3.zip   7.2.1.5   None    Download EFix
None                       7.2.0.0   None    Upgrade to 7.2.1.5

Please read the EFix readme in etc/<efix_name>_readme.txt before installing.

Workaround(s):
None

Mitigation(s):
The only solution is to upgrade the JRE embedded with TADDM. The EFixes are 
prepared to be installed only on top of TADDM 7.2.1.5 and TADDM 7.2.2.0 
respectively.
If you need an EFix for another TADDM version, please contact IBM Support.
The JRE embedded in TADDM should not be used outside the product and must 
never be installed as the system JRE.
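The remediation table above gives the fix levels as IBM Java 7 SR5 (efix_jdk7_SR5.zip) and IBM Java 5 SR16 FP3 (efix_jdk1.5_SR16_FP3.zip), and the abstract puts SR4 FP2 and SR16 FP2 or earlier in the affected range. The following POSIX shell script is an added example, not part of the IBM or AusCERT bulletin: it reads the banner printed by an IBM JRE's `java -version` and classifies it as fixed, vulnerable or unknown against those two levels, so an administrator can verify the EFix actually took effect on the JRE TADDM uses. It assumes IBM JREs print the service refresh as "(SRn)" or "(SRn FPm)" in the banner; the sample banners below are constructed for this example, not captured from a real host, and the TADDM JRE directory is site specific (it is not given in the bulletin), so `check_jre_dir` takes it as an argument.

```shell
#!/bin/sh
# Added example (not from the IBM/AusCERT bulletin): classify an IBM JRE
# "java -version" banner against the fix levels the bulletin names:
#   IBM Java 7 -> SR5 or later        (efix_jdk7_SR5.zip)
#   IBM Java 5 -> SR16 FP3 or later   (efix_jdk1.5_SR16_FP3.zip)
# Assumption: IBM JREs print the service refresh as "(SRn)" or "(SRn FPm)"
# somewhere in the banner. Prints one word: fixed, vulnerable or unknown.

jre_fix_status() {
    banner=$1
    major=$(printf '%s\n' "$banner" | sed -n 's/.*java version "1\.\([57]\)\.0.*/\1/p' | head -n 1)
    sr=$(printf '%s\n' "$banner" | sed -n 's/.*(SR\([0-9][0-9]*\).*/\1/p' | head -n 1)
    fp=$(printf '%s\n' "$banner" | sed -n 's/.*(SR[0-9][0-9]* FP\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$major" ] || [ -z "$sr" ]; then
        echo unknown          # not an IBM Java 5/7 banner this script can read
        return 0
    fi
    fp=${fp:-0}               # "(SR5)" with no fix pack counts as FP0
    status=vulnerable
    case $major in
        7) if [ "$sr" -ge 5 ]; then status=fixed; fi ;;
        5) if [ "$sr" -gt 16 ] || { [ "$sr" -eq 16 ] && [ "$fp" -ge 3 ]; }; then
               status=fixed
           fi ;;
    esac
    echo "$status"
}

# Run the check against a real JRE directory (for TADDM, the JRE embedded in
# the product install; the path is site specific). java -version writes to
# stderr, hence the redirection.
check_jre_dir() {
    jre_fix_status "$("$1/bin/java" -version 2>&1)"
}

# Constructed sample banners (format assumed as described above).
SAMPLE_JDK7_SR5='java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr5-20130619_01(SR5))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 (JIT enabled, AOT enabled))'
SAMPLE_JDK7_SR4FP2='java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr4fp2-20130426_01(SR4 FP2))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 (JIT enabled, AOT enabled))'
SAMPLE_JDK5_SR16FP3='java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pxa64devifx-20130618 (SR16 FP3 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux amd64-64 (JIT enabled))'
SAMPLE_JDK5_SR16FP2='java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pxa64devifx-20130304 (SR16 FP2 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux amd64-64 (JIT enabled))'

# Show the classification of each constructed sample.
for b in "$SAMPLE_JDK7_SR5" "$SAMPLE_JDK7_SR4FP2" "$SAMPLE_JDK5_SR16FP3" "$SAMPLE_JDK5_SR16FP2"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$b" | sed -n '2p')" "$(jre_fix_status "$b")"
done
```

To check a live install, call `check_jre_dir /path/to/taddm/jre` with the directory that holds `bin/java`; a result of `unknown` means the banner is not an IBM Java 5 or 7 banner in the assumed form and should be inspected by hand rather than trusted.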

REFERENCES:
IBM Java security alerts
X-Force Vulnerability Database
http://xforce.iss.net/xforce/xfdb/85062
http://xforce.iss.net/xforce/xfdb/84715
http://xforce.iss.net/xforce/xfdb/85050
http://xforce.iss.net/xforce/xfdb/85044
http://xforce.iss.net/xforce/xfdb/85059
http://xforce.iss.net/xforce/xfdb/85049
http://xforce.iss.net/xforce/xfdb/85041
http://xforce.iss.net/xforce/xfdb/85054
http://xforce.iss.net/xforce/xfdb/85047
http://xforce.iss.net/xforce/xfdb/85048
http://xforce.iss.net/xforce/xfdb/85056
http://xforce.iss.net/xforce/xfdb/85040
http://xforce.iss.net/xforce/xfdb/85060
http://xforce.iss.net/xforce/xfdb/85057
http://xforce.iss.net/xforce/xfdb/85061
http://xforce.iss.net/xforce/xfdb/85055
http://xforce.iss.net/xforce/xfdb/85053
http://xforce.iss.net/xforce/xfdb/85045
http://xforce.iss.net/xforce/xfdb/84146
http://xforce.iss.net/xforce/xfdb/85058
http://xforce.iss.net/xforce/xfdb/85052
http://xforce.iss.net/xforce/xfdb/85046
http://xforce.iss.net/xforce/xfdb/85033
http://xforce.iss.net/xforce/xfdb/85038
http://xforce.iss.net/xforce/xfdb/85037
http://xforce.iss.net/xforce/xfdb/85029
http://xforce.iss.net/xforce/xfdb/85030
http://xforce.iss.net/xforce/xfdb/85031
http://xforce.iss.net/xforce/xfdb/85035
http://xforce.iss.net/xforce/xfdb/85034
http://xforce.iss.net/xforce/xfdb/85032
http://xforce.iss.net/xforce/xfdb/85025
http://xforce.iss.net/xforce/xfdb/85026
http://xforce.iss.net/xforce/xfdb/85027
http://xforce.iss.net/xforce/xfdb/85028
http://xforce.iss.net/xforce/xfdb/84147
http://xforce.iss.net/xforce/xfdb/84148
http://xforce.iss.net/xforce/xfdb/84149
http://xforce.iss.net/xforce/xfdb/84150
http://xforce.iss.net/xforce/xfdb/84151
http://xforce.iss.net/xforce/xfdb/84152
http://xforce.iss.net/xforce/xfdb/84153
http://xforce.iss.net/xforce/xfdb/85036
http://xforce.iss.net/xforce/xfdb/85051
http://xforce.iss.net/xforce/xfdb/85260

Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

RELATED INFORMATION:
IBM Secure Engineering Web Portal


ACKNOWLEDGEMENT
None

CHANGE HISTORY
17 October 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----