-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0350
    Multiple vulnerabilities exist in the SOAP Gateway component of IMS
              Enterprise Suite (CVE-2013-4002, CVE-2013-5825,
               CVE-2013-5372, CVE-2014-0416, CVE-2014-0411)
                               14 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM IMS Enterprise Suite
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   z/OS
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
                   Reduced Security               -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0416 CVE-2014-0411 CVE-2013-5825
                   CVE-2013-5372 CVE-2013-4002 

Reference:         ASB-2014.0005
                   ASB-2013.0124
                   ASB-2013.0113

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21666275

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities exist in the SOAP Gateway 
component of IMS Enterprise Suite (CVE-2013-4002, CVE-2013-5825, 
CVE-2013-5372, CVE-2014-0416, CVE-2014-0411)

Document information

Product:             IMS Enterprise Suite, SOAP Gateway component
Software version:    2.1, 2.2, 3.1
Operating system(s): Linux on System z, Windows, z/OS
Reference #:         1666275
Modified date:       2014-03-07

Summary

The SOAP Gateway component of IMS Enterprise Suite versions 2.1, 2.2, and 3.1
is affected by multiple vulnerabilities in IBM SDK, Java Technology Edition.
These could be triggered by processing XML from untrusted sources, by the
construction of an invalid security subject instance, and by TLS
man-in-the-middle attacks.

Vulnerability Details

CVE ID: CVE-2013-4002

DESCRIPTION:

A denial of service vulnerability in the Apache Xerces-J parser used by IBM 
SDK Java Technology Edition Version 7 and Version 6 could result in a complete
availability impact on the affected system.

CVSS:

CVE-2013-4002

CVSS Base Score: 7.1

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVE ID: CVE-2013-5825

DESCRIPTION:

An unspecified vulnerability in IBM SDK, Java Technology Edition related to 
the JAXP component could allow a remote attacker to cause a denial of service.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-5372

DESCRIPTION:

The XML4J parser in IBM SDK, Java Technology Edition is subject to a denial of
service attack. A remote attacker could exploit this vulnerability using a 
specially crafted XML document to cause the XML parser to run out of memory.

CVSS:

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2014-0416

DESCRIPTION:

An unspecified vulnerability in IBM SDK, Java Technology Edition related to 
the JAAS component has no confidentiality impact, partial integrity impact, 
and no availability impact.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2014-0411

DESCRIPTION:

An unspecified vulnerability in IBM SDK, Java Technology Edition related to 
the JSSE component has partial confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS:

CVSS Base Score: 4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
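The base scores above follow directly from the vectors via the CVSS v2.0 base equations. The calculator below is an added worked example and is not part of the IBM or AusCERT bulletin; it uses the CVSS v2.0 metric weights and equations published by FIRST, and tokenizes a vector on both ":" and "/" so the score can still be recomputed when the two separators have been swapped, as happens in some plain-text copies of advisories. The five vectors embedded in it are the ones printed in this bulletin.

```python
"""CVSS v2.0 base-score calculator (added example, not bulletin code).

Weights and equations are those of the CVSS v2.0 base metric group
published by FIRST.
"""
import math
import re

# CVSS v2.0 metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Base vectors as printed in this bulletin (CVE -> vector)
BULLETIN_VECTORS = {
    "CVE-2013-4002": "(AV:N/AC:M/Au:N/C:N/I:N/A:C)",
    "CVE-2013-5825": "(AV:N/AC:L/Au:N/C:N/I:N/A:P)",
    "CVE-2013-5372": "(AV:N/AC:M/Au:N/C:N/I:N/A:P)",
    "CVE-2014-0416": "(AV:N/AC:L/Au:N/C:N/I:P/A:N)",
    "CVE-2014-0411": "(AV:N/AC:H/Au:N/C:P/I:P/A:N)",
}


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector into a {metric: value} mapping.

    Splitting on both ':' and '/' yields the same metric/value token
    sequence whether the vector is written "AV:N/AC:L/..." or with the
    separators swapped as "AV/N:AC/L:...". Surrounding parentheses are
    ignored.
    """
    tokens = [t for t in re.split(r"[:/]", vector.strip().strip("()")) if t]
    if len(tokens) != 12:
        raise ValueError(f"expected 6 metric/value pairs, got {tokens}")
    metrics = dict(zip(tokens[0::2], tokens[1::2]))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"unexpected metric set {sorted(metrics)}")
    return metrics


def round_to_1_decimal(x: float) -> float:
    # CVSS v2 rounds half up to one decimal; avoid Python's banker's rounding.
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """CVSS v2.0 base score for a base vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                      * (1 - IMPACT_WEIGHT[m["I"]])
                      * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal(
        (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def score_bulletin() -> dict:
    """Recompute the base score of every vector printed in the bulletin."""
    return {cve: base_score(v) for cve, v in BULLETIN_VECTORS.items()}


if __name__ == "__main__":
    for cve, score in score_bulletin().items():
        print(f"{cve}: {score}  {BULLETIN_VECTORS[cve]}")
```

Running the block prints one line per CVE; each recomputed score matches the CVSS Base Score the bulletin lists for that vector, which is a quick sanity check when an advisory's vector and score disagree after copying or reformatting.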

Affected Products

The SOAP Gateway component of the IMS Enterprise Suite V3.1, V2.2, and V2.1
is affected.

Workarounds/Mitigations

VENDOR FIX(ES):

Product                                  VRMF     APAR   Download URL

IMS Enterprise Suite SOAP Gateway V3.1   3.1.0.1  N/A    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

IMS Enterprise Suite SOAP Gateway V2.2   2.2.0.3  N/A    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

IMS Enterprise Suite SOAP Gateway V2.1   2.1.0.6  N/A    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

Important note:

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References:

Complete CVSS Guide

On-line Calculator V2

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

07 March 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----