-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1696
        Security Bulletin: Multiple vulnerabilities in current IBM
                 Java SDK for WebSphere Application Server
                             27 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5803 CVE-2013-5780 CVE-2013-5372

Reference:         ASB-2013.0124
                   ASB-2013.0113
                   ESB-2013.1635
                   ESB-2013.1594
                   ESB-2013.1593
                   ESB-2013.1592
                   ESB-2013.1589
                   ESB-2013.1577
                   ESB-2013.1511
                   ESB-2013.1499
                   ESB-2013.1493
                   ESB-2013.1492
                   ESB-2013.1480
                   ESB-2013.1468

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21655990

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in current IBM Java SDK for
WebSphere Application Server

Flash (Alert)

Document information

WebSphere Application Server
Java SDK

Software version:
6.1, 7.0, 8.0, 8.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition:
Base, Developer, Express, Network Deployment

Reference #:
1655990

Modified date:
2013-11-25

Abstract
Multiple security vulnerabilities exist in the IBM Java SDK that is shipped
with IBM WebSphere Application Server.

Content
The IBM WebSphere Application Server is shipped with an IBM Java SDK that
is based on the Oracle JDK. Oracle has released October 2013 critical patch
updates (CPU) which contain security vulnerability fixes. The IBM Java
SDK has been updated to incorporate these fixes. The IBM Java SDK has also
been updated to fix security vulnerabilities specific to the IBM Java SDK.

Vulnerability Details

CVEID: CVE-2013-5780
Description: Potential information disclosure vulnerability in JSSE.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5372
Description: Potential denial of service vulnerability in XML. This is
specific to the IBM Java SDK.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5803
Description: Potential denial of service vulnerability in JSSE.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

The following advisories are included in the SDK but WebSphere Application
Server is not vulnerable to them. You will need to evaluate your own code to
determine if you are vulnerable. Please refer to the Reference section for
more information on the advisories not applicable to WebSphere Application
Server:

CVE-2013-5456
CVE-2013-5457
CVE-2013-5458
CVE-2013-4041
CVE-2013-5375
CVE-2013-5843
CVE-2013-5789
CVE-2013-5830
CVE-2013-5829
CVE-2013-5787
CVE-2013-5788
CVE-2013-5824
CVE-2013-5842
CVE-2013-5782
CVE-2013-5817
CVE-2013-5809
CVE-2013-5814
CVE-2013-5832
CVE-2013-5850
CVE-2013-5838
CVE-2013-5802
CVE-2013-5812
CVE-2013-5804
CVE-2013-5783
CVE-2013-3829
CVE-2013-5823
CVE-2013-5831
CVE-2013-5820
CVE-2013-5819
CVE-2013-5818
CVE-2013-5848
CVE-2013-5776
CVE-2013-5774
CVE-2013-5825
CVE-2013-5840
CVE-2013-5801
CVE-2013-5778
CVE-2013-5851
CVE-2013-5800
CVE-2013-5784
CVE-2013-5849
CVE-2013-5790
CVE-2013-5797
CVE-2013-5772

Versions affected:
SDK shipped with IBM WebSphere Application Server Version 8.5.0.0
through 8.5.5.1, Version 8.0.0.0 through 8.0.0.7, Version 7.0.0.0
through 7.0.0.30, Version 6.1.0.0 through 6.1.0.47
This does not occur on SDK versions shipped with WebSphere Application
Server fix packs 8.5.5.2, 8.0.0.8 and 7.0.0.31 or later.

Warning:
For mixed cells that contain WebSphere Application Server version
6.0.2 nodes where java 2 security is enabled, ensure APAR PM92206 or its
circumvention is applied to the Deployment Manager to prevent sync operation
failure. PM92206 has been delivered with an Interim Fix or with WebSphere
Application Server Fix Packs 8.5.5.1 and 8.0.0.7. It will also be shipped
in WebSphere Application Server 7.0.0.31 available 14 January 2014.

Solutions:
Upgrade your SDK to an interim fix level as determined below:

For IBM WebSphere Application Server and IBM WebSphere Application Server
Hypervisor Edition :

Download and apply the interim fix APARs below, for your appropriate release:

For V8.5.0.0 through 8.5.5.1:
    Apply Interim Fix PM98572: Will upgrade you to SDK 7 SR6

- --OR--
    Apply Interim Fix PM98574: Will upgrade you to SDK 6 (J9 2.6) SR7

- --OR--
    Apply Java SDK shipped with the WebSphere Application Server Fix pack
    8.5.5.2 or later (targeted to be available 14 April 2014).

For 8.0.0.0 through 8.0.0.6:
    Apply Interim Fix PM98576: Will upgrade you to SDK 6 (J9 2.6) SR7

- --OR--
    Apply Java SDK shipped with WebSphere Application Server Fix pack 8
    (8.0.0.8) or later (targeted to be available 13 January 2014).

For V7.0.0.0 through 7.0.0.29:
    Apply Interim Fix PM98578: Will upgrade you to SDK 6 SR15

- --OR--
    Apply Java SDK shipped with WebSphere Application Server Fix pack 31
    (7.0.0.31) or later (targeted to be available 13 January 2014).

For V6.1.0.0 through 6.1.0.45:
    Contact IBM Support and apply Interim Fix PM98600: Will upgrade you
    to SDK 5 SR16 FP4

For IBM WebSphere Application Server for i5/OS operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere
Application Server for IBM i. Please refer to Java on IBM i for updates
on when these fixes will be available.
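The affected ranges and the per-release interim fixes above are the data an administrator has to map a fleet of server levels against. The following Python, added here and not IBM's or AusCERT's tooling, takes a WebSphere Application Server fix-pack level and reports whether the bundled SDK falls inside the bulletin's "Versions affected" ranges and which interim fix APAR the Solutions section names for that release line. The range bounds come from "Versions affected" (the Solutions headings quote slightly narrower upper bounds for 8.0 and 7.0; the affected ranges are used here so nothing is missed). Versions are compared component-wise as integers, which matters because a plain string comparison would place a level such as 8.5.5.10 before 8.5.5.2. The sample inventory in the main block is constructed.

```python
"""Affected-level check for the SDK ranges in this bulletin (added example)."""
import re

# (first affected, last affected, interim fix APAR) from the bulletin text
AFFECTED_RANGES = [
    ("8.5.0.0", "8.5.5.1", "PM98572 (SDK 7 SR6) or PM98574 (SDK 6 J9 2.6 SR7)"),
    ("8.0.0.0", "8.0.0.7", "PM98576 (SDK 6 J9 2.6 SR7)"),
    ("7.0.0.0", "7.0.0.30", "PM98578 (SDK 6 SR15)"),
    ("6.1.0.0", "6.1.0.47", "PM98600 (SDK 5 SR16 FP4, via IBM Support)"),
]


def parse_version(text: str) -> tuple:
    """Turn '8.5.5.1' into (8, 5, 5, 1); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so '8.5' compares as 8.5.0.0."""
    return v + (0,) * (n - len(v))


def check_version(version: str):
    """Return (affected, apar) for a WAS fix-pack level.

    affected is True when the level lies inside one of the bulletin's ranges;
    apar is the interim fix named for that release line, or None when not affected.
    """
    v = parse_version(version)
    for low, high, apar in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        n = max(len(v), len(lo), len(hi))
        if _padded(lo, n) <= _padded(v, n) <= _padded(hi, n):
            return True, apar
    return False, None


def triage(levels):
    """Map each level in an inventory to its (affected, apar) result."""
    return {level: check_version(level) for level in levels}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = ["8.5.5.1", "8.5.5.2", "8.5.5.10", "8.0.0.7", "7.0.0.29", "7.0.0.31", "6.1.0.45"]
    for level, (hit, apar) in triage(sample).items():
        print(f"{level:10} affected={hit!s:5} fix={apar}")
```

The level reported by `versionInfo.sh` is the product fix pack, not the SDK service release; after applying an interim fix APAR the product level stays the same, so record the SDK level (for example from `java -version` under the profile's JRE) alongside the product level when tracking remediation.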

Important note: IBM strongly suggests that all System z customers be
subscribed to the System z Security Portal to receive the latest critical
System z security and integrity service. If you are not subscribed, see
the instructions on the System z Security web site. Security and integrity
APARs and associated fixes will be posted to this portal. IBM suggests
reviewing the CVSS scores and applying all security or integrity fixes as
soon as possible to minimize any potential risk.

Change history
    21 November 2013 Original publish date
    25 November 2013 Add descriptions for CVEs

REFERENCES:
    IBM Security Alerts
    Oracle Java SE Critical Patch Update Advisory - October 2013
    IBM SDK Java Technology Edition Security Bulletin October 2013
    Java on IBM i
    Complete CVSS Guide
    On-line Calculator V2
    WebSphere Application Server Recommended Fixes Page

* The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================