
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0675
          Security Bulletin: Tivoli Storage Productivity Center -
                          Oracle CPU October 2013
                                7 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Storage Productivity Center
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5851 CVE-2013-5850 CVE-2013-5849
                   CVE-2013-5848 CVE-2013-5843 CVE-2013-5842
                   CVE-2013-5840 CVE-2013-5838 CVE-2013-5832
                   CVE-2013-5831 CVE-2013-5830 CVE-2013-5829
                   CVE-2013-5825 CVE-2013-5824 CVE-2013-5823
                   CVE-2013-5820 CVE-2013-5819 CVE-2013-5818
                   CVE-2013-5817 CVE-2013-5814 CVE-2013-5812
                   CVE-2013-5809 CVE-2013-5804 CVE-2013-5803
                   CVE-2013-5802 CVE-2013-5801 CVE-2013-5800
                   CVE-2013-5797 CVE-2013-5790 CVE-2013-5789
                   CVE-2013-5788 CVE-2013-5787 CVE-2013-5784
                   CVE-2013-5783 CVE-2013-5782 CVE-2013-5780
                   CVE-2013-5778 CVE-2013-5776 CVE-2013-5774
                   CVE-2013-5772 CVE-2013-5458 CVE-2013-5457
                   CVE-2013-5456 CVE-2013-5375 CVE-2013-5372
                   CVE-2013-4041 CVE-2013-3829 

Reference:         ASB-2013.0124
                   ASB-2013.0113
                   ESB-2014.0559
                   ESB-2013.1492
                   ESB-2013.1480
                   ESB-2013.1468

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21664098

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU
October 2013

Security Bulletin

Document information
More support for:
Tivoli Storage Productivity Center

Software version:
5.1, 5.1.1, 5.2

Operating system(s):
AIX, Linux, Windows

Reference #:
1664098

Modified date:
2014-04-30

Summary

Multiple security vulnerabilities exist in IBM SDK Java Technology Edition,
Version 6 that is shipped with Tivoli Storage Productivity Center.

Vulnerability Details

Tivoli Storage Productivity Center is shipped with IBM SDK Java Technology
Edition, Version 6 that is based on the Oracle JDK. Oracle has released
October 2013 critical patch updates (CPU) which contain security
vulnerability fixes. The IBM Java SDK has been updated to incorporate
these fixes. The IBM SDK Java Technology Edition, Version 6 has also been
updated to fix security vulnerabilities specific to the IBM SDK for Java.

CVEID: CVE-2013-5372
Description: Potential denial of service vulnerability in XML. This is
specific to IBM SDK Java Technology Edition, Version 6.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5772
Description: Unspecified vulnerability allows remote attackers to affect
integrity via unknown vectors related to jhat.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5780
Description: Potential information disclosure vulnerability in JSSE.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5802
Description: Unspecified vulnerability allows remote attackers to affect
confidentiality, integrity, and availability via vectors related to JAXP.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5803
Description: Potential denial of service vulnerability in JSSE.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

This bulletin also covers all applicable CVEs published by Oracle as part
of their October 2013 Java SE Critical Patch Update. These may apply if you
have installed IBM SDK Java Technology Edition, Version 6 as the system JRE,
such as for use with the Tivoli Storage Productivity Center Java WebStart
GUI. For more information please refer to Oracle's October 2013 Java SE
CPU Advisory.

Description: There are a number of vulnerabilities in the IBM SDK Java
Technology Edition, Version 6 that affect various components. CVE-2013-5456,
CVE-2013-5457 and CVE-2013-5458 allow code running under a security
manager to escalate its privileges by modifying or removing the security
manager. CVE-2013-4041 and CVE-2013-5375 allow code running under a security
manager to access restricted classes. These vulnerabilities could occur
when untrusted code is executed under a security manager, or when the
IBM SDK Java Technology Edition, Version 6 has been associated with a web
browser for running applets and Web Start applications.

CVEID: CVE-2013-5456
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88255 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5457
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88256 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5458
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88257 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4041
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86416 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5375
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86901 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5843
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5789
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87968 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5830
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87961 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5829
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87963 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5787
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87967 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5788
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87966 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5824
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87965 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5842
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87970 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5782
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87960 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5817
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87969 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5814
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87964 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5832
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87972 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5850
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87973 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5838
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87974 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5812
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87985 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-5804
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87984 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5783
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87987 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3829
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87986 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5823
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87989 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5831
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87995 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5820
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87996 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5819
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87994 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5818
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87993 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5848
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88000 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5776
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87992 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5774
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87999 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5840
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87998 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5801
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87991 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5778
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87990 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5851
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87997 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5800
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88002 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5784
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88005 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5849
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88003 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5790
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88004 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5797
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88006 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

Tivoli Storage Productivity Center 5.2.0
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.4
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.178
Tivoli Storage Productivity Center 4.1.x

The versions listed above apply to all licensed offerings of Tivoli
Storage Productivity Center, including IBM SmartCloud Virtual Storage
Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the Tivoli
Storage Productivity Center versions listed above installed on it.

Remediation/Fixes

The solution is to apply an appropriate Tivoli Storage Productivity
Center fix pack for each named product and execute the manual steps listed
below. The solution should be implemented as soon as practicable.

Note: It is always recommended to have a current backup before applying
any update procedure.

Tivoli Storage Productivity Center V5
Apply the Tivoli Storage Productivity Center fix pack as soon as
practicable. (See Latest Downloads.)

Affected TPC Version    APAR       Fixed TPC Version    Availability
5.2.0                   IT00485    5.2.1                March 2014
5.1.x                   IT00485    5.1.1.5              July 2014*

If you have downloaded and installed an IBM JRE from an older version of
Tivoli Storage Productivity Center, you should download it again after
applying the fix pack and reinstall the IBM JRE.

Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the
affected Tivoli Storage Productivity Center versions. Once you have
upgraded your Tivoli Storage Productivity Center components to a level
with the fix, you can use the links again as they will then allow you to
download an updated version of IBM SDK Java Technology Edition, Version 6.

* Until Tivoli Storage Productivity Center 5.1.1.5 is available, you can
apply updates manually.

    Download and apply Tivoli Storage Productivity Center 5.1.1 interim fix
    IT00485 on top of Tivoli Storage Productivity Center 5.1.1.3 or 5.1.1.4.

    Apply WebSphere Application Server 7.0.0 interim fix PM98578 to Tivoli
    Integrated Portal.

    Download IBM SDK Java Technology Edition, Version 6 SR 15 (or higher)
    and install it on any system where you are running the Java WebStart
    GUI for Tivoli Storage Productivity Center. IBM SDK, Java Technology
    Edition releases can be downloaded, subject to the terms of the
    developerWorks license, from here or from Fix Central. Contact IBM
    Support if the version you need is not available.


Tivoli Storage Productivity Center V4
Apply the Tivoli Storage Productivity Center fix pack as soon as practicable
(See Latest Downloads.) and follow the manual steps provided.

Affected TPC Version    APAR       Fixed TPC Version    Availability
4.2.x                   IT00492    4.2.2 FP7            Manual update steps are
4.1.x                                                   required in addition to
                                                        applying 4.2.2 FP7.


    Apply embedded WebSphere Application Server fix pack 6.1.0.47 to
    Tivoli Storage Productivity Center for Replication if you have not
    done so before. See Upgrade of embedded WebSphere Application Server
    fix pack installation procedure for IBM Tivoli Productivity Center
    for Replication V4.2.2.4 for directions.

    Apply WebSphere Application Server interim fix PM98600 to update the
    SDK for the Replication Server. See the WebSphere Application Server
    security bulletin for more info.

    If you have downloaded and installed an IBM JRE from an older version
    of Tivoli Storage Productivity Center, you should download it again
    after applying the fix pack and reinstall the IBM JRE. IBM SDK, Java
    Technology Edition releases can be downloaded, subject to the terms
    of the developerWorks license, from here. A minimum level of IBM SDK
    Java Technology Edition, Version 6 SR15 must be used.

    Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the
    affected Tivoli Storage Productivity Center versions. Once you have
    upgraded your Tivoli Storage Productivity Center components to a level
    with the fix, you can use the links again as they will then allow you
    to download an updated version of IBM SDK Java Technology Edition,
    Version 6.


* Until Tivoli Storage Productivity Center 4.2.2 FP7 is available, you
can manually apply all of the updates.

    Apply WebSphere Application Server interim fix PM98600 to update
    the SDK for the Device Server. See the WebSphere Application Server
    security bulletin for more info.
    Note: You must request and receive the 32-bit version of the interim
    fix from support or it will not work, even if you are applying it on
    a 64-bit system.

    Download Update Installer for WebSphere Application
    Server. The packages are at the end of the
    page. http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24012718

    Unzip the Update Installer for WebSphere Application server package
    and install it following the directions provided.

    Once Update Installer for WebSphere Application Server is installed, copy
    the *.pak file you downloaded for the interim fix to the maintenance
    directory in the Update Installer for WebSphere Application Server
    installation location.

    Stop the IBM Tivoli Storage Productivity Center Device Server process
    for WebSphere Application Server.

    Start Update Installer for WebSphere Application Server. When prompted
    for the location of WebSphere Application Server, enter the path to
    the Tivoli Storage Productivity Center location.
    Windows:
    <TPC_install_location>\device\apps\was
    e.g. C:\Program Files\IBM\TPC\device\apps\was
    AIX and Linux:
    <TPC_install_location>/device/apps/was
    e.g. /opt/IBM/TPC/device/apps/was

    Update Installer for WebSphere Application Server will handle the rest.

    Repeat steps 1-8 to apply the WebSphere Application Server interim
    fix update for the Tivoli Integrated Portal component location.

    Apply embedded WebSphere Application Server fix pack 6.1.0.47 to
    Tivoli Storage Productivity Center for Replication if you have not
    done so before. See Upgrade of embedded WebSphere Application Server
    fix pack installation procedure for IBM Tivoli Productivity Center
    for Replication V4.2.2.4 for directions.

    Apply WebSphere Application Server interim fix PM98600 to update the
    SDK for the Replication Server. See the WebSphere Application Server
    security bulletin for more info.

    If you have downloaded and installed an IBM JRE from an older version
    of Tivoli Storage Productivity Center, you should download it again
    after applying the fix pack and reinstall the IBM SDK Java Technology
    Edition, Version 6 JRE. IBM SDK, Java Technology Edition releases can
    be downloaded, subject to the terms of the developerWorks license,
    from here. A minimum level of IBM SDK Java Technology Edition, Version
    6 SR15 must be used.

    Do not use the IBM SDK Java Technology Edition, Version 6 links provided
    with the affected Tivoli Storage Productivity Center versions. Once you
    have upgraded your Tivoli Storage Productivity Center components to a
    level with the fix, you can use the links again as they will then allow
    you to download an updated version of IBM SDK Java Technology Edition,
    Version 6.

Note: If you are updating a System Storage Productivity Center (SSPC)
appliance, use the IBM SDK Java Technology Edition, Version 6 JRE downloaded
from your upgraded Tivoli Storage Productivity Center installation, as
referenced in steps 3 and 11, to also update the IBM SDK Java Technology
Edition, Version 6 JRE on that system.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References

Complete CVSS Guide
On-line Calculator V2
Oracle October 2013 Java SE Critical Patch Update Advisory
IBM SDK, Java Technology Edition Security Alerts
Security Bulletin: Multiple vulnerabilities in current releases of the
IBM SDK, Java Technology Edition
Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java
for WebSphere Application Server October 2013 CPU

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 April 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================