
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1589
Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling
 Secure Proxy (CVE-2014-0878, CVE-2014-0107, CVE-2014-0453, CVE-2014-4263,
CVE-2014-4244) and Multiple Security Vulnerabilities found in IBM Sterling
              External Authentication Server (CVE-2014-0878,
        CVE-2014-0107, CVE-2014-0453, CVE-2014-4263, CVE-2014-4244)
                             15 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling Secure Proxy
                   IBM Sterling External Authentication Server
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4263 CVE-2014-4244 CVE-2014-0878
                   CVE-2014-0453 CVE-2014-0107 

Reference:         ASB-2014.0077
                   ESB-2014.1585
                   ESB-2014.1501
                   ESB-2014.1489
                   ESB-2014.1407
                   ESB-2014.1307
                   ESB-2014.1016
                   ESB-2014.0398

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21682526
   http://www-01.ibm.com/support/docview.wss?uid=swg21682529

Comment: This bulletin contains two (2) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling 
Secure Proxy (CVE-2014-0878, CVE-2014-0107, CVE-2014-0453, CVE-2014-4263, 
CVE-2014-4244)

Security Bulletin

Document information

More support for:
Sterling Secure Proxy

Software version:
All

Operating system(s):
All

Reference #:
1682526

Modified date:
2014-09-12

Summary

IBM Sterling Secure Proxy is shipped with IBM Runtime Environment, Java 
Technology Edition (the “IBM JRE”), that is based on an Oracle Java 
Runtime Environment (JRE). Oracle has released the April and July 2014 
critical patch updates (CPU) that contain security vulnerability fixes for 
the JRE. The IBM JRE has been updated to incorporate these fixes and 
security fixes that are specific to the IBM JRE. IBM Sterling Secure Proxy 
is affected by four of the vulnerabilities in the CPUs, and the IBM JRE 
shipped with IBM Sterling Secure Proxy has been updated to remediate the 
vulnerabilities.
The Apache Xalan-Java package used in IBM Sterling Secure Proxy has also 
been updated to correct a vulnerability.

Vulnerability Details

CVE ID: CVE-2014-0878

DESCRIPTION:
A vulnerability in the IBMSecureRandom implementation of the IBMJCE and 
IBMSecureRandom cryptographic providers potentially allows an attacker to 
predict the output of the random number generator under certain 
circumstances.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0107

DESCRIPTION:
Apache Xalan-Java could allow a remote attacker to bypass security 
restrictions, caused by the improper handling of output properties. An 
attacker could exploit this vulnerability to bypass the secure processing 
feature to load arbitrary restricted classes.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92023 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2014-0453

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Security 
component has partial confidentiality impact, partial integrity impact, 
and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4263

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JRockit related to the 
Security component has partial confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4244

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JRockit related to the 
Security component has partial confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
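Each CVE above (and the identical block in the External Authentication Server advisory below) is scored with a CVSS v2 vector and a base score. The following is an added example, not part of the IBM or AusCERT text: it implements the public CVSS v2 base equation so the quoted scores can be recomputed from their vectors, and it accepts the metric name in either case because the bulletin prints the authentication metric both as "Au" and as "AU".

```python
"""CVSS v2 base score from a bulletin vector string (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the FIRST CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}


def parse_vector(vector: str) -> dict:
    """Map '(AV:N/AC:M/Au:N/C:P/I:P/A:N)' to {metric: weight}.

    Names are matched case-insensitively: the bulletin prints the
    authentication metric both as 'Au' and as 'AU'.
    """
    metrics = {}
    for item in vector.strip().strip("()").split("/"):
        name, _, value = item.partition(":")
        name, value = name.upper(), value.upper()
        if value not in WEIGHTS.get(name, {}):
            raise ValueError(f"unknown CVSS v2 metric {item!r}")
        metrics[name] = WEIGHTS[name][value]
    if set(metrics) != set(WEIGHTS):
        raise ValueError("vector must carry exactly the six base metrics")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base equation, rounded half-up to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["AU"]
    f_impact = 0 if impact == 0 else 1.176  # f(Impact) in the spec
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    # Vectors as printed in the bulletin; scores should match 5.8, 5, 4.0.
    for cve, vec in [("CVE-2014-0878", "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"),
                     ("CVE-2014-0107", "(AV:N/AC:L/AU:N/C:N/I:P/A:N)"),
                     ("CVE-2014-0453", "(AV:N/AC:H/Au:N/C:P/I:P/A:N)")]:
        print(cve, vec, cvss2_base_score(vec))
```

The temporal and environmental scores the bulletin leaves to the X-Force links and the customer's own environment are not computed here; only the base score is reproducible from the vector alone.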

Affected Products and Versions

IBM Sterling Secure Proxy 3.4.1 through 3.4.1.8 iFix03
IBM Sterling Secure Proxy 3.4.0 through 3.4.0.6 iFix04
IBM Sterling Secure Proxy 3.3.01 through 3.3.01 Patch 23 iFix04

Remediation/Fixes

Fix*     VRMF      APAR   How to acquire fix
iFix 4   3.4.1.8   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.1.8&platform=All&function=all
iFix 5   3.4.0.6   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.0&platform=All&function=all
iFix 5   3.3.1.23  N/A    https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

Workarounds and Mitigations

None.

References
Complete CVSS Guide
On-line Calculator V2
IBM Java SDK security bulletin for April 2014
IBM Java SDK security bulletin for July 2014

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 September 2014: Original version published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links 
in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open 
standard designed to convey vulnerability severity and help to determine 
urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" 
WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE 
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY 
VULNERABILITY.

----------------------------------------------------------------------

Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling 
External Authentication Server (CVE-2014-0878, CVE-2014-0107, 
CVE-2014-0453, CVE-2014-4263, CVE-2014-4244)

Security Bulletin

Document information

More support for:
Sterling Secure Proxy
External Authentication Server

Software version:
All

Operating system(s):
All

Reference #:
1682529

Modified date:
2014-09-12

Summary

IBM Sterling External Authentication Server is shipped with IBM Runtime 
Environment, Java Technology Edition (the “IBM JRE”), that is based on an 
Oracle Java Runtime Environment (JRE). Oracle has released the April and 
July 2014 critical patch updates (CPU) that contain security vulnerability 
fixes for the JRE. The IBM JRE has been updated to incorporate these fixes 
and security fixes that are specific to the IBM JRE. IBM Sterling External 
Authentication Server is affected by four of the vulnerabilities in the 
CPUs, and the IBM JRE shipped with IBM Sterling External Authentication 
Server has been updated to remediate the vulnerabilities.
The Apache Xalan-Java package used in IBM Sterling External Authentication 
Server has also been updated to correct a vulnerability.

Vulnerability Details

CVE ID: CVE-2014-0878

DESCRIPTION:
A vulnerability in the IBMSecureRandom implementation of the IBMJCE and 
IBMSecureRandom cryptographic providers potentially allows an attacker to 
predict the output of the random number generator under certain 
circumstances.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0107

DESCRIPTION:
Apache Xalan-Java could allow a remote attacker to bypass security 
restrictions, caused by the improper handling of output properties. An 
attacker could exploit this vulnerability to bypass the secure processing 
feature to load arbitrary restricted classes.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92023 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2014-0453

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Security 
component has partial confidentiality impact, partial integrity impact, 
and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4263

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JRockit related to the 
Security component has partial confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4244

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JRockit related to the 
Security component has partial confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Sterling External Authentication Server 2.4.1 through 2.4.1.8 iFix 02
IBM Sterling External Authentication Server 2.4.0 through 2.4.0.4 iFix 04
IBM Sterling External Authentication Server 2.3.01 through 2.3.01 Patch 11 
iFix 03

Remediation/Fixes

Apply the applicable maintenance packages listed in the table below:

Fix*    VRMF      APAR   How to acquire fix
iFix 3  2.4.1.8   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.1.8&platform=All&function=all
iFix 5  2.4.0.4   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.0&platform=All&function=all
iFix 4  2.3.1.11  N/A    https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

Workarounds and Mitigations

None

References
Complete CVSS Guide
On-line Calculator V2
IBM Java SDK security bulletin for April 2014
IBM Java SDK security bulletin for July 2014

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 September 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links 
in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open 
standard designed to convey vulnerability severity and help to determine 
urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" 
WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE 
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY 
VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================