===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1338
Security Bulletin: Rational Reporting for Development Intelligence - Oracle
              CPU January 2014 (CVE-2014-0416, CVE-2014-0423)
                               7 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Reporting for Development Intelligence
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0423 CVE-2014-0416

Reference:         ASB-2014.0005
                   ESB-2014.1262
                   ESB-2014.1121
                   ESB-2014.0114
                   ESB-2014.0102
                   ESB-2014.0065
                   ESB-2014.0058

Original Bulletin: 
   https://www-304.ibm.com/support/docview.wss?uid=swg21679287

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Rational Reporting for Development Intelligence -
Oracle CPU January 2014 (CVE-2014-0416, CVE-2014-0423)

Security Bulletin

Document information

More support for:
Rational Reporting for Development Intelligence
Report Server

Software version:
1.0.2, 2.0, 2.0.1, 2.0.3, 2.0.4, 2.0.5, 2.0.6

Operating system(s):
AIX, Linux, Windows

Reference #:
1679287

Modified date:
2014-07-30

Summary
Multiple security vulnerabilities exist in the IBM JRE that is shipped
with the Rational Reporting for Development Intelligence (RRDI). The same
security vulnerabilities also exist in the IBM Java SDK that is shipped
with the IBM WebSphere Application Server (WAS).

Vulnerability Details

The IBM JRE installed with RRDI is based on the Oracle JRE, and the
IBM Java SDK installed with WAS is based on the Oracle JDK. Oracle has
released the Critical Patch Update (CPU) for January 2014, which contains
security vulnerability fixes, and the IBM JRE and Java SDK have been updated
to incorporate those fixes.

See
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
for the list of security vulnerabilities fixed by the Oracle CPU January
2014.

Note: WAS itself is not vulnerable to all the advisories. However, RRDI
is vulnerable to the following two advisories:

CVE ID: CVE-2014-0416

Description: javax.security.auth.Subject is serializable but does not
validate deserialized data properly. Malicious code could exploit this to
construct an invalid Subject instance with content that differs from the
advertised properties. In addition, if a server deserializes serialized
data from untrusted sources, an attacker could insert an invalid instance
of Subject class into a server Java process.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
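The server-side defence implied by the description above, as an added example in Java (not IBM's code and not part of RRDI or the IBM JRE): an ObjectInputStream subclass that rejects every class descriptor not on an allow-list before the JRE reconstructs the object, so a crafted javax.security.auth.Subject arriving from an untrusted source is refused at resolveClass. SafeObjectInputStream, its allow-list and both sample payloads are constructed for this example.

```java
import java.io.*;
import java.util.*;
import javax.security.auth.Subject;

/** Hypothetical look-ahead deserialization filter; not part of RRDI or the IBM JRE. */
public class SafeObjectInputStream extends ObjectInputStream {
    // Constructed allow-list: only the types this endpoint expects. Superclass
    // descriptors are resolved as well, so Integer needs Number alongside it.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // Refused before the JRE reconstructs the object, so a crafted
            // Subject never reaches Subject's own deserialization code.
            throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> expected = new HashMap<>();   // constructed, expected payload
        expected.put("report-count", 3);
        System.out.println("accepted: " + read(serialize(expected)));

        byte[] subjectBytes = serialize(new Subject());    // constructed, benign Subject
        try {
            read(subjectBytes);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```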


CVE ID: CVE-2014-0423

Description: The DocumentHandler used by the java.beans.XMLDecoder
implementation allows the use of external entities by default. This
facilitates a variety of attacks via malicious XML data.

CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)
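One way to keep external entities away from XMLDecoder, as an added example in Java (not IBM's or Oracle's code): the document is first parsed by a SAX parser configured to refuse a DOCTYPE and external entities, and only then handed to XMLDecoder. GuardedXmlDecoder and both sample documents are constructed for this example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical guard in front of java.beans.XMLDecoder; not part of RRDI or the IBM JRE. */
public class GuardedXmlDecoder {

    /** Throws SAXException if the document carries a DOCTYPE or references external entities. */
    static void rejectExternalEntities(byte[] xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Entities can only be declared inside a DOCTYPE, so refuse the DOCTYPE outright
        // and, belt and braces, disable external entity resolution as well.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.newSAXParser().parse(new ByteArrayInputStream(xml), new DefaultHandler());
    }

    static Object decode(byte[] xml) throws Exception {
        rejectExternalEntities(xml);   // hardened pre-parse; XMLDecoder's own parser is never reached otherwise
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return d.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary XMLEncoder document without a DOCTYPE.
        byte[] benign = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
            + " <string>report-server</string>\n</java>\n").getBytes(StandardCharsets.UTF_8);
        System.out.println("decoded: " + decode(benign));

        // Constructed sample: the same document with a DOCTYPE, the carrier for entity declarations.
        byte[] withDoctype = ("<?xml version=\"1.0\"?>\n<!DOCTYPE java>\n"
            + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\"><string>x</string></java>\n")
            .getBytes(StandardCharsets.UTF_8);
        try {
            decode(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected before XMLDecoder ran: " + e.getMessage());
        }
    }
}
```

Refusing the DOCTYPE closes the external-entity path only; XMLDecoder still instantiates whatever classes the document names, so it remains unsuitable for untrusted input even with this guard in place.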

Affected Products and Versions
RRDI 1.0.2, 1.0.2.1, 2.0, 2.0.0.1, 2.0.1, 2.0.3, 2.0.4, 2.0.5 and 2.0.6

Remediation/Fixes
Apply the recommended fixes to all affected versions of RRDI as soon
as practical.

RRDI 1.0.2 and 1.0.2.1

Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix 6.
Review technote 1679270: Install a Cognos 8 Business Intelligence 8.4.1
fix package in RRDI 1.0.2.x and Rational Insight 1.0.1.x for the detailed
instructions for patch application.


RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

Download the Cognos Business Intelligence 10.1.1 Interim Fix 6.
Review technote 1679281: Install a Cognos Business Intelligence 10.1.1
fix package in Rational Reporting for Development Intelligence 2.0.x and
Rational Insight 1.1.1.x for the detailed instructions for patch application.

Download RRDI 2.0.x JRE Patch, IBM JRE Security Hot Fix (Oracle CPU January
and April 2014). Review technote 1679268: Install the RRDI JRE Patch in
Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational
Insight 1.1.1.x for the detailed instructions for patch application.


RRDI 2.0.5 and 2.0.6

Download the Cognos Business Intelligence 10.2.1 Interim Fix 5.
Review technote 1679283: Install a Cognos Business Intelligence 10.2.1
fix package in Rational Reporting for Development Intelligence 2.0.x and
Rational Insight 1.1.1.x for the detailed instructions for patch application.

Download RRDI 2.0.x JRE Patch, IBM JRE Security Hot Fix (Oracle CPU January
and April 2014). Review technote 1679268: Install the RRDI JRE Patch in
Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational
Insight 1.1.1.x for the detailed instructions for patch application.

Workarounds and Mitigations
None

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement
None

Change History
* 30 July 2014: Original copy published

*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================