===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0559
   Security Bulletin: InfoSphere Streams Applications Using Custom Java
       Operators May Be Affected by Vulnerabilities in the IBM SDK,
                          Java Technology Edition
                               23 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5851 CVE-2013-5850 CVE-2013-5849
                   CVE-2013-5848 CVE-2013-5843 CVE-2013-5842
                   CVE-2013-5840 CVE-2013-5838 CVE-2013-5832
                   CVE-2013-5831 CVE-2013-5830 CVE-2013-5829
                   CVE-2013-5825 CVE-2013-5824 CVE-2013-5823
                   CVE-2013-5820 CVE-2013-5819 CVE-2013-5818
                   CVE-2013-5817 CVE-2013-5814 CVE-2013-5812
                   CVE-2013-5809 CVE-2013-5804 CVE-2013-5803
                   CVE-2013-5802 CVE-2013-5801 CVE-2013-5800
                   CVE-2013-5797 CVE-2013-5790 CVE-2013-5789
                   CVE-2013-5788 CVE-2013-5787 CVE-2013-5784
                   CVE-2013-5783 CVE-2013-5782 CVE-2013-5780
                   CVE-2013-5778 CVE-2013-5776 CVE-2013-5774
                   CVE-2013-5772 CVE-2013-5458 CVE-2013-5457
                   CVE-2013-5456 CVE-2013-5375 CVE-2013-5372
                   CVE-2013-4041 CVE-2013-3829 

Reference:         ASB-2013.0113

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21664964

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: InfoSphere Streams Applications Using Custom Java Operators 
May Be Affected by Vulnerabilities in the IBM SDK, Java Technology Edition

Document information

More support for:
InfoSphere Streams

Software version:
1.0, 1.0.1, 1.2, 2.0, 3.0, 3.1, 3.2

Operating system(s):
Linux

Software edition:
All Editions

Reference #:
1664964

Modified date:
2014-04-21

Security Bulletin

Summary

The IBM Developers Kit, Java Technology Edition that is shipped with 
InfoSphere Streams has security vulnerabilities which can potentially impact 
InfoSphere Streams applications. None of these vulnerabilities exist in 
InfoSphere Streams code but might impact customers who implement custom Java 
operators. Customers are advised to evaluate their custom operators and take 
appropriate action if security exposures are found.

Vulnerability Details

IBM InfoSphere Streams bundles the IBM Developers Kit, Java Technology Edition 
(IBM Developer Kit, Java). The IBM Developer Kit, Java is based on the Oracle 
Java Developer Kit(TM) for which Oracle has released the October 2013 critical 
patch updates (CPU). The October 2013 release contains security vulnerability 
fixes and the IBM Java SDK has been updated to incorporate those updates and 
also other security updates from IBM. 
None of these security vulnerabilities exist in InfoSphere Streams code; 
however, custom Java operators created and used as part of a Streams 
application could contain one or more of these vulnerabilities. InfoSphere 
Streams Development recommends that customers evaluate their Java(TM) code to 
determine if it contains vulnerabilities. Refer to the References section and 
the following advisories list for more information. 

See the Remediation / Fixes section for steps to take to address any 
vulnerabilities or vulnerability concerns.

The list below covers all applicable CVEs published by Oracle as part of their 
October 2013 Java SE Critical Patch Update. For more information please refer 
to Oracle's October 2013 Java SE CPU Advisory, Oracle's October 2013 Java 
Risk Matrix and the links provided in the advisory list below.

Advisories List:
CVEID: CVE-2013-5456
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88255 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5457
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88256 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5458
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88257 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4041
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86416 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5375
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86901 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5843
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5789
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87968 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5830
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87961 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5829
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87963 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5787
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87967 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5788
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87966 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5824
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87965 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5842
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87970 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5782
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87960 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5817
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87969 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5814
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87964 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5832
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87972 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5850
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87973 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5838
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87974 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5812
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87985 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-5804
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87984 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5783
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87987 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3829
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87986 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5823
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87989 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5831
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87995 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5820
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87996 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5819
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87994 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5818
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87993 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5848
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88000 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5776
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87992 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5774
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87999 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5840
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87998 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5801
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87991 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5778
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87990 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5851
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87997 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5800
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88002 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5784
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88005 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5849
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88003 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5790
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88004 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5780
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5797
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88006 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5803
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5772
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM InfoSphere Streams, all versions

Remediation/Fixes

Customers who have implemented custom Java operators in InfoSphere Streams 
applications and are concerned about any of these vulnerabilities should take 
the appropriate action for their version as indicated below.
- Version 3.2: Apply fix pack 3.2.1.0 or later and set JAVA_HOME to this 
install location to ensure this installation is used with InfoSphere Streams
- Version 3.1: Apply version 3.1 fix pack 2 (3.1.0.2) or later and set 
JAVA_HOME to this install location to ensure this installation is used with 
InfoSphere Streams
- Version 3.0: Apply fix pack 3.0.0.0-Patch_for_IBM_Java6_SR15 and set 
JAVA_HOME to this install location to ensure this installation is used with 
InfoSphere Streams
- Versions 1.0 and 2.0: Upgrade to the latest version of InfoSphere Streams 
for which a Java fix has been released.
	- For assistance performing an upgrade contact IBM Technical Support.
	- Customers who cannot upgrade and need to secure their installation 
	should open a PMR with IBM Technical Support and request assistance 
	securing their InfoSphere Streams system against the vulnerabilities 
	identified in the October 2013 Oracle Java CPU. IBM will assist in 
	securing your installation against the Java vulnerabilities identified 
	in your InfoSphere Streams applications.

Workarounds and Mitigations

None

References

Complete CVSS Guide 
On-line Calculator V2
IBM Developer Kit Security Bulletin 
Oracle October 2013 Java SE Critical Patch Update Advisory

Related information

IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog

Change History

18 Apr 2014: Original version published

Java and all Java-based trademarks and logos are trademarks or registered 
trademarks of Oracle and/or its affiliates. 

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================