-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0703
   Multiple vulnerabilities have been identified in IBM WebSphere Message
                       Broker & IBM Integration Bus
                                 12 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Message Broker
                   IBM Integration Bus
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0428 CVE-2014-0424 CVE-2014-0423 CVE-2014-0422
                   CVE-2014-0418 CVE-2014-0417 CVE-2014-0416 CVE-2014-0415
                   CVE-2014-0411 CVE-2014-0410 CVE-2014-0403 CVE-2014-0387
                   CVE-2014-0376 CVE-2014-0375 CVE-2014-0373 CVE-2014-0368
                   CVE-2014-0050 CVE-2013-5910 CVE-2013-5907 CVE-2013-5902
                   CVE-2013-5899 CVE-2013-5898 CVE-2013-5889 CVE-2013-5888
                   CVE-2013-5887 CVE-2013-5878 CVE-2013-4322 CVE-2013-4286
                   CVE-2012-3544 CVE-2005-2090
Reference:         ASB-2014.0005 ESB-2014.0680 ESB-2014.0678 ESB-2014.0677
                   ESB-2008.0024 ESB-2007.0773 ESB-2007.0339 ESB-2007.0319

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21671330
   http://www-01.ibm.com/support/docview.wss?uid=swg21671348

Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

IBM WebSphere Message Broker and IBM Integration Bus Security Bulletin:
Multiple Vulnerabilities in Apache Tomcat (CVE-2013-4286, CVE-2013-4322,
CVE-2014-0050)

Security Bulletin

Document information

More support for: WebSphere Message Broker
Software version: 7.0, 8.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1671330
Modified date: 2014-04-30

Summary

Multiple security vulnerabilities identified in Apache Tomcat before 6.0.39,
7.x before 7.0.50, and 8.x before 8.0.0-RC10 (CVE-2013-4286, CVE-2013-4322,
CVE-2014-0050)

Vulnerability Details

CVE ID: CVE-2013-4286

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when
an HTTP connector or AJP connector is used, does not properly handle certain
inconsistent HTTP request headers, which allows remote attackers to trigger
incorrect identification of a request's length and conduct request-smuggling
attacks via (1) multiple Content-Length headers or (2) a Content-Length header
and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2005-2090.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91426 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-4322

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10
processes chunked transfer coding without properly handling (1) a large total
amount of chunked data or (2) whitespace characters in an HTTP header value
within a trailer field, which allows remote attackers to cause a denial of
service by streaming data. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2012-3544.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91625 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2014-0050

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause
a denial of service (infinite loop and CPU consumption) via a crafted
Content-Type header that bypasses a loop's intended exit conditions.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM WebSphere Message Broker V8.0
IBM WebSphere Message Broker for z/OS V8.0
IBM Integration Bus V9.0
IBM Integration Bus for z/OS V9.0

Remediation/Fixes

For all affected products and versions please contact IBM Support for the fix
available in APAR IC99947.

For IBM WebSphere Message Broker V8.0 and IBM WebSphere Message Broker for
z/OS V8.0 this fix is targeted to be available in fix pack V8.0.0.5.

For IBM Integration Bus V9.0 and IBM Integration Bus for z/OS V9.0 this fix is
targeted to be available in fix pack V9.0.0.3.

Workarounds and Mitigations

None Known

References

Complete CVSS Guide
On-line Calculator V2
CVE-2013-4286
   http://xforce.iss.net/xforce/xfdb/91426
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
CVE-2013-4322
   http://xforce.iss.net/xforce/xfdb/91625
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
CVE-2014-0050
   http://xforce.iss.net/xforce/xfdb/90987
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 April 2014: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments
by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment               Product              Component  Platform                                   Version  Edition
Business Integration  IBM Integration Bus  Security   AIX, HP-UX, Linux, Solaris, Windows, z/OS  9.0      All Editions

- -------------------------------------------------------------------------------

Security Bulletin for IBM Integration Bus and IBM WebSphere Message Broker:
Multiple security vulnerabilities in IBM JREs 6 & 7

Security Bulletin

Document information

More support for: WebSphere Message Broker Security
Software version: 7.0, 8.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1671348
Modified date: 2014-04-30

Summary

Multiple security vulnerabilities exist in the IBM Java Runtime Environment
component of WebSphere Message Broker for IBM JRE 6.0 SR15 (and earlier) and
the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0
SR6 (and earlier)

Vulnerability Details

All vulnerabilities are applicable to both IBM JRE 6.0 and IBM JRE 7.0

CVEID: CVE-2013-5878

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded
7u45, and OpenJDK 7 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Security. NOTE: the
previous information is from the January 2014 CPU.
Oracle has not commented on third-party claims that the Security component
does not properly handle null XML namespace (xmlns) attributes during XML
document canonicalization, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90335 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5887

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90345 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5888

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with
GNOME, allows local users to affect confidentiality, integrity, and
availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5889

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment, a different vulnerability than CVE-2013-5902,
CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90328 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5898

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality and integrity via unknown vectors related
to Deployment, a different vulnerability than CVE-2014-0375 and CVE-2014-0403.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5899

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5907

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to 2D. NOTE: the previous information is from the January 2014
CPU. Oracle has not commented on third-party claims that the issue is due to
incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine,
which allows attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted font file.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5910

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded
7u45, and OpenJDK 7 allows remote attackers to affect integrity via unknown
vectors related to Security. NOTE: the previous information is from the
January 2014 CPU. Oracle has not commented on third-party claims that
CanonicalizerBase.java in the XML canonicalizer allows untrusted code to
access mutable byte arrays.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90352 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0368

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java
SE Embedded 7u45, allows remote attackers to affect confidentiality via
unknown vectors related to Networking. NOTE: the previous information is from
the January 2014 CPU. Oracle has not commented on third-party claims that the
issue is related to incorrect permission checks when listening on a socket,
which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90351 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-0373

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and
OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the previous
information is from the January 2014 CPU. Oracle has not commented on
third-party claims that the issue is related to throwing of an incorrect
exception when SnmpStatusException should have been used in the SNMP
implementation, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0375

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality and integrity via unknown vectors related
to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403.
CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0376

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via
vectors related to JAXP. NOTE: the previous information is from the January
2014 CPU. Oracle has not commented on third-party claims that the issue is
related to an improper check for "code permissions when creating document
builder factories."

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90350 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0387

Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when
running on Firefox, allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90332 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0403

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality and integrity via unknown vectors related
to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90338 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0410

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment, a different vulnerability than CVE-2013-5889,
CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.
CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90322 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0411

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote
attackers to affect confidentiality and integrity via vectors related to JSSE.
NOTE: the previous information is from the January 2014 CPU. Oracle has not
commented on third-party claims that this issue allows remote attackers to
obtain sensitive information about encryption keys via a timing discrepancy
during the TLS/SSL handshake.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0415

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment, a different vulnerability than CVE-2013-5889,
CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0416

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via
vectors related to JAAS. NOTE: the previous information is from the January
2014 CPU. Oracle has not commented on third-party claims that the issue is
related to how principals are set for the Subject class, which allows
attackers to escape the sandbox using deserialization of a crafted Subject
instance.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0417

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX
2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors related to
2D.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90331 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0422

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
Embedded 7u45; and OpenJDK 7 allows remote attackers to affect
confidentiality, integrity, and availability via vectors related to JNDI.
NOTE: the previous information is from the January 2014 CPU. Oracle has not
commented on third-party claims that the issue is related to missing package
access checks in the Naming / JNDI component, which allows attackers to escape
the sandbox.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90326 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0423

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote
authenticated users to affect confidentiality and availability via unknown
vectors related to Beans. NOTE: the previous information is from the January
2014 CPU. Oracle has not commented on third-party claims that this issue is an
XML External Entity (XXE) vulnerability in DocumentHandler.java, related to
Beans decoding.
CVSS:
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVEID: CVE-2014-0424

Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment, a different vulnerability than CVE-2013-5889,
CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90333 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0428

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
Embedded 7u45; and OpenJDK 7 allows remote attackers to affect
confidentiality, integrity, and availability via vectors related to CORBA.
NOTE: the previous information is from the January 2014 CPU. Oracle has not
commented on third-party claims that the issue is related to "insufficient
security checks in IIOP streams," which allows attackers to escape the
sandbox.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90325 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM WebSphere Message Broker V7.0 and V8.0 & IBM Integration Bus V9.0 are
affected on all platforms except IBM z/OS.
Remediation/Fixes

For IBM WebSphere Message Broker V7.0 and V8.0 an interim fix for APAR IC99332
is available from IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IC99332

APAR IC99332 is targeted for availability in IBM WebSphere Message Broker
V7.0.0.7 and V8.0.0.5.

For IBM Integration Bus V9.0 an interim fix for APAR IC99333 is available from
IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IC99333

Please note this fix is not yet available on IBM Integration Bus V9.0 for HP;
contact your IBM Support Centre for more details.

APAR IC99333 is targeted for availability in IBM Integration Bus V9.0.0.2.

Workarounds and Mitigations

None Known

References

Complete CVSS Guide
On-line Calculator V2
CVE-2013-5878
   http://xforce.iss.net/xforce/xfdb/90335
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878
CVE-2013-5887
   http://xforce.iss.net/xforce/xfdb/90345
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5887
CVE-2013-5889
   http://xforce.iss.net/xforce/xfdb/90328
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5889
CVE-2013-5899
   http://xforce.iss.net/xforce/xfdb/90346
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5899
CVE-2013-5907
   http://xforce.iss.net/xforce/xfdb/90324
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907
CVE-2013-5910
   http://xforce.iss.net/xforce/xfdb/90352
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910
CVE-2014-0373
   http://xforce.iss.net/xforce/xfdb/90334
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373
CVE-2014-0375
   http://xforce.iss.net/xforce/xfdb/90339
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0375
CVE-2014-0376
   http://xforce.iss.net/xforce/xfdb/90350
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376
CVE-2014-0387
   http://xforce.iss.net/xforce/xfdb/90332
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0387
CVE-2014-0403
   http://xforce.iss.net/xforce/xfdb/90338
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0403
CVE-2014-0410
   http://xforce.iss.net/xforce/xfdb/90322
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0410
CVE-2014-0415
   http://xforce.iss.net/xforce/xfdb/90323
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0415
CVE-2014-0416
   http://xforce.iss.net/xforce/xfdb/90349
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416
CVE-2014-0417
   http://xforce.iss.net/xforce/xfdb/90331
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0417
CVE-2014-0422
   http://xforce.iss.net/xforce/xfdb/90326
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422
CVE-2014-0423
   http://xforce.iss.net/xforce/xfdb/90340
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423
CVE-2014-0424
   http://xforce.iss.net/xforce/xfdb/90333
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0424
CVE-2014-0428
   http://xforce.iss.net/xforce/xfdb/90325
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 - Apr - 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

Cross reference information

Segment               Product              Component  Platform                             Version  Edition
Business Integration  IBM Integration Bus  Security   AIX, HP-UX, Linux, Solaris, Windows  9.0      All Editions

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
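The CVE-2013-4286 entry in the first bulletin above names the two header combinations that leave a request's length ambiguous: more than one Content-Length header, or Content-Length alongside "Transfer-Encoding: chunked". The checker below is an added example, not code from IBM, AusCERT or Apache Tomcat: it parses a raw request head and returns a rejection reason for either combination, which is the check a reverse proxy or WAF in front of the broker's HTTP listener should apply until the APAR fix is installed. The request samples are constructed for the example.

```python
"""Flag HTTP/1.1 request heads whose body length is ambiguous (CVE-2013-4286).

Added example, not IBM's, AusCERT's or Tomcat's code. It applies the two
conditions named in the bulletin: more than one Content-Length header, or a
Content-Length header together with Transfer-Encoding: chunked. A front-end
that rejects such requests outright removes the disagreement between parsers
that request smuggling relies on.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_request_head(raw: bytes) -> List[Header]:
    """Split a raw request head (everything before the blank line) into
    (name, value) pairs. Header names are case-insensitive, so they are
    lower-cased; values keep their case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:  # lines[0] is the request line, e.g. "POST /x HTTP/1.1"
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_conflict(headers: List[Header]) -> Optional[str]:
    """Return the reason the request must be rejected, or None if the body
    framing is unambiguous. Mirrors the two cases in the CVE-2013-4286 text."""
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in v.lower() for v in encodings)
    if len(lengths) > 1:
        return "multiple Content-Length headers: %s" % ", ".join(lengths)
    if lengths and chunked:
        return "Content-Length present together with Transfer-Encoding: chunked"
    return None


def check(raw: bytes) -> Optional[str]:
    """Convenience wrapper: parse the head, then test for a framing conflict."""
    return framing_conflict(parse_request_head(raw))


# Constructed samples (not taken from the bulletin): one unambiguous request
# and the two header shapes the CVE description lists.
CLEAN = (b"POST /api HTTP/1.1\r\nHost: broker.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /api HTTP/1.1\r\nHost: broker.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: broker.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("double-cl", DOUBLE_CL),
                       ("cl+te", CL_AND_TE)):
        print("%-10s -> %s" % (label, check(raw) or "accept"))
```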