-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1696
  Security Bulletin: Multiple vulnerabilities in current IBM Java SDK for
                        WebSphere Application Server
                              27 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5803 CVE-2013-5780 CVE-2013-5372

Reference:         ASB-2013.0124 ASB-2013.0113 ESB-2013.1635 ESB-2013.1594
                   ESB-2013.1593 ESB-2013.1592 ESB-2013.1589 ESB-2013.1577
                   ESB-2013.1511 ESB-2013.1499 ESB-2013.1493 ESB-2013.1492
                   ESB-2013.1480 ESB-2013.1468

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg21655990

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in current IBM Java SDK for
WebSphere Application Server

Flash (Alert)

Document information

WebSphere Application Server
Java SDK

Software version:     6.1, 7.0, 8.0, 8.5
Operating system(s):  AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Software edition:     Base, Developer, Express, Network Deployment
Reference #:          1655990
Modified date:        2013-11-25

Abstract

Multiple security vulnerabilities exist in the IBM Java SDK that is shipped
with IBM WebSphere Application Server.

Content

The IBM WebSphere Application Server is shipped with an IBM Java SDK that is
based on the Oracle JDK. Oracle has released October 2013 critical patch
updates (CPU) which contain security vulnerability fixes. The IBM Java SDK
has been updated to incorporate these fixes. The IBM Java SDK has also been
updated to fix security vulnerabilities specific to the IBM Java SDK.
Vulnerability Details

CVEID: CVE-2013-5780
Description: Potential information disclosure vulnerability in JSSE.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5372
Description: Potential denial of service vulnerability in XML. This is
specific to the IBM Java SDK.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5803
Description: Potential denial of service vulnerability in JSSE.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

The following advisories are included in the SDK but WebSphere Application
Server is not vulnerable to them. You will need to evaluate your own code to
determine if you are vulnerable.
Please refer to the Reference section for more information on the advisories
not applicable to WebSphere Application Server:

CVE-2013-5456 CVE-2013-5457 CVE-2013-5458 CVE-2013-4041 CVE-2013-5375
CVE-2013-5843 CVE-2013-5789 CVE-2013-5830 CVE-2013-5829 CVE-2013-5787
CVE-2013-5788 CVE-2013-5824 CVE-2013-5842 CVE-2013-5782 CVE-2013-5817
CVE-2013-5809 CVE-2013-5814 CVE-2013-5832 CVE-2013-5850 CVE-2013-5838
CVE-2013-5802 CVE-2013-5812 CVE-2013-5804 CVE-2013-5783 CVE-2013-3829
CVE-2013-5823 CVE-2013-5831 CVE-2013-5820 CVE-2013-5819 CVE-2013-5818
CVE-2013-5848 CVE-2013-5776 CVE-2013-5774 CVE-2013-5825 CVE-2013-5840
CVE-2013-5801 CVE-2013-5778 CVE-2013-5851 CVE-2013-5800 CVE-2013-5784
CVE-2013-5849 CVE-2013-5790 CVE-2013-5797 CVE-2013-5772

Versions affected:

SDK shipped with IBM WebSphere Application Server
  Version 8.5.0.0 through 8.5.5.1,
  Version 8.0.0.0 through 8.0.0.7,
  Version 7.0.0.0 through 7.0.0.30,
  Version 6.1.0.0 through 6.1.0.47

This does not occur on SDK versions shipped with WebSphere Application
Server fix pack 8.5.5.2, 8.0.0.8 and 7.0.0.31 or later.

Warning: For mixed cells that contain WebSphere Application Server version
6.0.2 nodes where Java 2 security is enabled, ensure APAR PM92206 or its
circumvention is applied to the Deployment Manager to prevent sync operation
failure. PM92206 has been delivered with an Interim Fix or with WebSphere
Application Server Fix Packs 8.5.5.1 and 8.0.0.7. It will also be shipped in
WebSphere Application Server 7.0.0.31, available 14 January 2014.
Solutions:

Upgrade your SDK to an interim fix level as determined below:

For IBM WebSphere Application Server and IBM WebSphere Application Server
Hypervisor Edition:

Download and apply the interim fix APARs below, for your appropriate release:

For V8.5.0.0 through 8.5.5.1:
  Apply Interim Fix PM98572: Will upgrade you to SDK 7 SR6
    --OR--
  Apply Interim Fix PM98574: Will upgrade you to SDK 6 (J9 2.6) SR7
    --OR--
  Apply Java SDK shipped with the WebSphere Application Server Fix pack
  8.5.5.2 or later (targeted to be available 14 April 2014).

For 8.0.0.0 through 8.0.0.6:
  Apply Interim Fix PM98576: Will upgrade you to SDK 6 (J9 2.6) SR7
    --OR--
  Apply Java SDK shipped with WebSphere Application Server Fix pack 8
  (8.0.0.8) or later (targeted to be available 13 January 2014).

For V7.0.0.0 through 7.0.0.29:
  Apply Interim Fix PM98578: Will upgrade you to SDK 6 SR15
    --OR--
  Apply Java SDK shipped with WebSphere Application Server Fix pack 31
  (7.0.0.31) or later (targeted to be available 13 January 2014).

For V6.1.0.0 through 6.1.0.45:
  Contact IBM Support and apply Interim Fix PM98600: Will upgrade you to
  SDK 5 SR16 FP4

For IBM WebSphere Application Server for i5/OS operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere
Application Server for IBM i. Please refer to Java on IBM i for updates on
when these fixes will be available.

Important note: IBM strongly suggests that all System z customers be
subscribed to the System z Security Portal to receive the latest critical
System z security and integrity service. If you are not subscribed, see the
instructions on the System z Security web site. Security and integrity APARs
and associated fixes will be posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.
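The "Versions affected" and "Solutions" sections together define, per release stream, which WebSphere Application Server fix-pack levels ship a vulnerable SDK and which level first resolves it. The following added example (not IBM's or AusCERT's tooling) turns that into a triage check a defender can run over an inventory of installed versions: it compares dotted versions numerically, so 8.5.5.10 correctly sorts above 8.5.5.2 (a plain string comparison would put it below and flag it as affected), and it reports the resolving fix pack and the interim fix APAR ids from the bulletin. The ranges are the ones printed under "Versions affected"; the narrower ranges the Solutions section gives for the interim fixes (for example 8.0.0.0 through 8.0.0.6 for PM98576) are not modelled, so the interim fix list is advisory and the bulletin remains the authority on which APAR applies to a given level. Function names and the `triage` result dictionary are this example's own.

```python
"""Affected-version triage for the WebSphere Application Server ranges in ESB-2013.1696.

Added example; not tooling from IBM or AusCERT.  Ranges, fix packs and APAR
ids are copied from the bulletin's "Versions affected" and "Solutions" text.
"""

# (first affected, last affected, first fix pack with a fixed SDK or None,
#  interim fix APARs the bulletin lists for this stream)
STREAMS = [
    ("8.5.0.0", "8.5.5.1", "8.5.5.2", ["PM98572", "PM98574"]),
    ("8.0.0.0", "8.0.0.7", "8.0.0.8", ["PM98576"]),
    ("7.0.0.0", "7.0.0.30", "7.0.0.31", ["PM98578"]),
    ("6.1.0.0", "6.1.0.47", None, ["PM98600"]),   # 6.1: contact IBM Support
]

NOT_COVERED = "not covered by ESB-2013.1696"


def parse_version(text: str, width: int = 4) -> tuple:
    """'8.5.5' -> (8, 5, 5, 0): numeric tuple padded to `width` so comparisons are numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > width:
        raise ValueError(f"not a dotted numeric version of up to {width} parts: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))


def triage(installed: str) -> dict:
    """Classify one installed WAS version against the bulletin's ranges.

    status is one of "affected", "fixed" (same stream, at or above the fixing
    fix pack) or NOT_COVERED (a stream the bulletin does not list).
    """
    v = parse_version(installed)
    for first, last, fixed, apars in STREAMS:
        lo, hi = parse_version(first), parse_version(last)
        if lo <= v <= hi:
            return {"version": installed, "status": "affected",
                    "fix_pack": fixed, "interim_fixes": list(apars)}
        if fixed is not None and v[:2] == lo[:2] and v >= parse_version(fixed):
            return {"version": installed, "status": "fixed",
                    "fix_pack": fixed, "interim_fixes": []}
    return {"version": installed, "status": NOT_COVERED,
            "fix_pack": None, "interim_fixes": []}


def affected_hosts(inventory: dict) -> list:
    """Return (host, version, fix_pack) for every inventory entry still affected."""
    return [(host, ver, triage(ver)["fix_pack"])
            for host, ver in inventory.items()
            if triage(ver)["status"] == "affected"]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "was-prod-01": "8.5.5.1",
    "was-prod-02": "8.5.5.10",   # above 8.5.5.2: fixed, despite string order
    "was-test-01": "7.0.0.30",
    "was-legacy-01": "6.1.0.47",
    "was-old-01": "6.0.2.43",    # 6.0.2 is outside the bulletin's ranges
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(host, triage(ver))
    print("still affected:", affected_hosts(SAMPLE_INVENTORY))
```

Feed it the output of `versionInfo` from each node's profile directory and the list of "affected" hosts is the patch queue; anything classified as `NOT_COVERED` (such as the 6.0.2 nodes the Warning paragraph mentions) needs a separate check against its own bulletin rather than being treated as clean.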
Change history

21 November 2013   Original publish date
25 November 2013   Add descriptions for CVEs

REFERENCES:

IBM Security Alerts
Oracle Java SE Critical Patch Update Advisory - October 2013
IBM SDK Java Technology Edition Security Bulletin October 2013
Java on IBM i
Complete CVSS Guide
On-line Calculator V2
WebSphere Application Server Recommended Fixes Page

* The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUpUzQRLndAQH1ShLAQKiZQ/8DaoRAnfhWyXnesWLizYShGl6hpKEl2cm
pEli3WcWL6wFGYfWYI+RV2t+QHoyhlSql0h5UvYnb8fFyymyWlphlHXJtrX6wyyI
uWgjBFWQwEu5WE872CiSYz8ce47XfavspAXqeJNbAj8xwsuLMtFUaT9V7GMFS7LD
qdnnKf6VmS7ngr24igIjNc2q+10RDs4qEttW+pPpSsA7dAg5TXH60He1OhGV3wSY
e9MtAqF7njQ3YiYG4UFQ30Vnl4M/aBoYpNAYlXhgrRloNawrKCGx06ooyHLxcXFy
qS1xTxFRFHHBm97YEdXgPBo91drTHzc/hLqe90j0qzAWOKbqMLHxPNx/7PQ/3cWi
5z7eYMYLO8Gc26ldZqsFy0IMc+76TKCk0T9NVh0INB5oh2KX3hT7Sh9TeJrH2Qsg
HbuiMIPWNr3AaQvRlAkCXqUHnhou6QlA4uxCbOcNztd0vwWH6ScHynawtcbk1JRc
FkVuL3OdcP6hUBw7av9spW+RBu4uqVmI01EUS9MQ8cwS7z0PYA10dDA91DejBamc
bvzXOLoPIbyxohqaugZxm03sYnB7AQ1NjuQiROFdQKhcIxu4lukoLcve1jmN4M8F
oio/3MjK8KizFf8e58dcqQk/uB6XS5VHP9fGVMd2A9j/DFl1Wk1MImkC4V7YLkJB
nA0IE9RoZgY=
=zI9s
-----END PGP SIGNATURE-----