Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1843
Security Bulletin: IBM Lotus Expeditor fixes for multiple
vulnerabilities in IBM JRE
23 December 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Lotus Expeditor
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-3012 CVE-2013-3011 CVE-2013-3010
CVE-2013-3009 CVE-2013-3008 CVE-2013-3007
CVE-2013-3006 CVE-2013-2455 CVE-2013-2436
Reference: ASB-2013.0075
ASB-2013.0058
ESB-2013.1517
ESB-2013.1491
ESB-2013.1456
ESB-2013.1195
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21657606
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Lotus Expeditor fixes for multiple vulnerabilities in
IBM JRE
Document information
More support for:
Lotus Expeditor
Client for Desktop
Software version:
6.2.1, 6.2.2, 6.2.3
Operating system(s):
Linux, Windows
Reference #:
1657606
Modified date:
2013-12-18
Summary
IBM Lotus Expeditor 6.2.x is vulnerable to multiple attacks listed in the
Oracle Java SE Critical Patch Update Advisory (June 2013).
Vulnerability Details
The IBM Lotus Expeditor Interim Fix linked below addresses multiple attacks on
the IBM JRE. The Interim Fix contain the cumulative set of fixes to the JRE
from both Oracle and IBM as of 01 August 2013.
Summary Advisory for Oracle June 2013 Critical Patch Update
Client-Side IBM Java SDK/JRE Vulnerabilities reported by Security Explorations
(CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008,
CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, CVE-2013-2436)
Oracle Java Critical Patch Update for June 2013
DESCRIPTION: Summary Advisory for Oracle Java Critical Patch Update June 2013
This Critical Patch Update contains 40 new security fixes across Java SE
products of which 4 are applicable to server deployments of Java and of which
12 have a CVSS score > 9.3. Resolving the full set of issues will require
updating IBM Lotus Expeditor. For a description of the fixes, CVE IDs and
CVSS Scoring, see Summary Advisory for Oracle June 2013 CPU
AFFECTED PLATFORMS:
IBM Lotus Expeditor 6.2.x
REMEDIATION:
Fix:
This issue is being tracked by Quality Engineering as SPR# SHAH972ECX. A fix
for the issue is introduced in the following releases.
- -- Interim Fix 1 for IBM Lotus Expeditor 6.2.3
Fix Central ID
File name & download link
XPD-6.2.3.0-Client-IFix1
Expeditor-6.2.3.0-Client-IFix1
- -- Interim Fix 1 for IBM Lotus Expeditor 6.2.2
Fix Central ID
File name & download link
XPD-6.2.2.0-Client-IFix1
Expeditor-6.2.2.0-Client-IFix1
- -- Interim Fix 1 for IBM Lotus Expeditor 6.2.1
Fix Central ID
File name & download link
XPD-6.2.1.0-Client-IFix1
Expeditor-6.2.1.0-Client-IFix1
Workaround:
None
Mitigation(s):
None
Client-Side IBM Java SDK/JRE Vulnerabilities Reported by Security Explorations
CVE IDs: CVE-2013-2436, CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,
CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, CVE-2013-3012
DESCRIPTION: A flaw in the java.lang.invoke API allows untrusted code to invoke
methods that should be inaccessible. The fix adds a permission check to prevent
the problem.
CVE ID: CVE-2013-2436
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83575 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: Incorrect handling of the EnclosingMethod attribute when parsing
a class file enables access to declared Method objects of arbitrary classes
CVE ID: CVE-2013-2455
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84146 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Access Vector: Network Access Complexity: Low
Authentication: No Confidentiality Impact: Partial
Integrity Impact: None Availability Impact: None
DESCRIPTION: Improper binding for protect methods allows the invocation of
protected methods of arbitrary objects. The fix ensures that the protected
methods are bound correctly.
CVE ID: CVE-2013-3006
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84147 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: Unsafe implementation of deserialization functionality allows
access to arbitrary fields of certain classes. The fix ensures that the
deserialization is implemented safely.
CVE ID: CVE-2013-3007
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84148 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: Unsafe deserialization of certain objects allows objects to be
mutated. The fix prevents modification of internal parameters.
CVE ID: CVE-2013-3008
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84149 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: Insecure use of the invoke method of java.lang.reflect.Method
class in the ORB allows arbitrary method invocation inside AccessController's
doPrivileged block. The fix ensures that invoke is used securely.
CVE ID: CVE-2013-3009
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84150 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: Insecure implementation of reflective Field access allows
privileged access to arbitrary fields of some classes. The fix implements
reflection safely.
CVE ID: CVE-2013-3010
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84151 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact Complete Availability Impact: Complete
DESCRIPTION: XSLT unsafely allows calls to Java extension functions. The fix
makes these calls safely.
CVE ID: CVE-2013-3011
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84152 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
DESCRIPTION: XSLT extends a ClassLoader unsafely. The fix extends the
ClassLoader safely.
CVE ID: CVE-2013-3012
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84153 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network Access Complexity: Medium
Authentication: No Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete
AFFECTED PLATFORMS:
IBM Lotus Expeditor 6.2.x
REMEDIATION:
Fix:
This issue is also tracked as SPR# SHAH972ECX. The same fix listed above will
resolve this issue.
Workaround:
None
Mitigation(s):
None
REFERENCES:
CVE-2013-2436
CVE-2013-2455
CVE-2013-3006
CVE-2013-3007
CVE-2013-3008
CVE-2013-3009
CVE-2013-3010
CVE-2013-3011
CVE-2013-3012
On-line Calculator V2
Complete CVSS Guide
X-Force Vulnerability Database
http://xforce.iss.net/xforce/xfdb/82515
http://xforce.iss.net/xforce/xfdb/84146
http://xforce.iss.net/xforce/xfdb/82514
http://xforce.iss.net/xforce/xfdb/83575
http://xforce.iss.net/xforce/xfdb/84147
http://xforce.iss.net/xforce/xfdb/84148
http://xforce.iss.net/xforce/xfdb/84149
http://xforce.iss.net/xforce/xfdb/84150
http://xforce.iss.net/xforce/xfdb/84151
http://xforce.iss.net/xforce/xfdb/84152
http://xforce.iss.net/xforce/xfdb/84153
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
The vulnerabilities described by the following CVEs were reported to IBM by
Adam Gowdiak of Security Explorations: CVE-2013-2436, CVE-2013-2455,
CVE-2013-3006, CVE-2013-3007,CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,
CVE-2013-3011, CVE-2013-3012
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Affected Products
IBM Lotus Expeditor 6.2.x
References:
Complete CVSS Guide
On-line Calculator V2
Related information
Summary Advisory For Oracle June Critical Patch Update
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUreFdxLndAQH1ShLAQLU0A//ZPY6+YaLYl7Ra0nDoH7kCY1djR4MMCD1
fmEdKZV3o3hkXddS1ugVam67tgjtArBUlHA3LRyeB9NcdLpYdKas+eQpTn5DMLr5
IS3Uh0/cuokryCjgdBB/+EFhhWkFB4/lHap1JDj4mlQJpVSBV2diXM4KAU/UIEFY
um6Z+KcQoCvgE+DX03cUIgaw5t1T9S3T0/+rMgM6OYl/gI+SJ7sRlpafsPp5mrKU
cXAoMUBPCtY+pOS9kvsrAlnfx1ymaxZuqUeHL3ctkeqqLoaCXb3pSnc/k2O2VjXS
Kqn5OXSWS2bA9D1P1M9Y9K0XUxNJgkCmz2ZWccqAInR4m3VdQUZfGUXGadqjqY3w
6J+r9GcAlUtFWAiHcmPyN7y4SlGNEnM0x+/EggAaCRzE6Ita4zyVJOs3R+1qOGya
oEn0ZtXEwas848GdmEMxa1xaKAQu5UucnAJVVClnFNdM7IxXF3+bKsGYVtmsBOzW
RuUXLMy+UEq4XurC9p5SeOpYNlDHteZTUbZ6I2Q8LfbNQP1x5bGw1COtp8m2VmeX
T97O4K9sKDhYUT/BdkGhsxw7A1Q/mtvTPuprCLyuT+r5OYhp++JM6nzIhnYMqrf6
YpIW7fMLOw75AwmjCEkeMRIQuw0haiZLZR6qrJG3xwLkdIeteVmyPPBMxNnYiHm6
mys6zfbspGk=
=Tu6w
-----END PGP SIGNATURE-----