Date: 28 February 2013
References: ASB-2012.0085 ASB-2012.0143 ASB-2012.0144 ESB-2012.1011 ESB-2012.1039 ESB-2012.1097 ESB-2012.1129 ESB-2012.1168 ESB-2013.0051 ESB-2013.0053 ESB-2013.0123 ESB-2013.0156 ESB-2013.0157 ESB-2013.0356
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0298
Security Bulletin: Multiple vulnerabilities in IBM DB2 Performance Expert
and IBM InfoSphere Optim Performance Manager due to vulnerabilities in IBM
Java Runtime Environment (CVE-2012-1720, CVE-2012-5081)
28 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM DB2 Performance Expert
                   IBM InfoSphere Optim Performance Manager
Publisher:         IBM
Operating System:  Solaris
Impact/Access:     Modify Arbitrary Files   -- Existing Account
                   Delete Arbitrary Files   -- Existing Account
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5081 CVE-2012-1720
Reference:         ESB-2013.0157 ESB-2013.0156 ESB-2013.0123 ESB-2013.0053
                   ESB-2013.0051 ASB-2012.0144 ASB-2012.0143 ASB-2012.0085
                   ESB-2012.1168 ESB-2012.1129 ESB-2012.1097 ESB-2012.1039
                   ESB-2012.1011
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21626504
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM DB2 Performance Expert and
IBM InfoSphere Optim Performance Manager due to vulnerabilities in IBM Java
Runtime Environment (CVE-2012-1720, CVE-2012-5081).
Document information
InfoSphere Optim Performance Manager
Software version:
4.1, 5.1, 5.1.1, 5.1.1.1
Operating system(s):
Solaris
Reference #:
1626504
Modified date:
2013-02-25
Abstract
DB2 Performance Expert and InfoSphere Optim Performance Manager use the
IBM Java Runtime Environment (JRE) and might be affected by vulnerabilities
in the IBM JRE.
Content
VULNERABILITY DETAILS:
CVE ID:
CVE-2012-1720
DESCRIPTION:
An unspecified vulnerability in the JRE component allows local users to affect
confidentiality, integrity, and availability through unknown vectors related to
Networking.
CVSS:
CVSS Base Score: 3.7
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/76250
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM DB2 Performance Expert for Multiplatforms 3.1 through 3.1.2
IBM DB2 Performance Expert for Linux, UNIX, and Windows 3.2 through 3.2.3
Optim Performance Manager for DB2 on Linux, UNIX, and Windows 4.1.0.1
through 4.1.1
IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and
Windows 5.1 through 5.1.1.1
This vulnerability affects these products only when running on Sun Solaris
systems. All other supported platforms are unaffected.
REMEDIATION:
To overcome the security vulnerability, you must upgrade the IBM JRE.
To upgrade the IBM JRE, perform an upgrade installation to the next version or
an APAR fix level that contains the fix.
Affected VRMF            Fix VRMF   APAR      Download URL
4.1.0.1 through 4.1.1    4.1.1.1    IC89834   http://www-933.ibm.com/support/fixcentral/
5.1 through 5.1.1.1      5.1.1.1    IC89844   http://www-933.ibm.com/support/fixcentral/
For affected versions for which no fix is listed, contact IBM Software Support.
WORKAROUND(S):
None
MITIGATION(S):
None
VULNERABILITY DETAILS:
CVE ID:
CVE-2012-5081
DESCRIPTION:
An unspecified vulnerability in the JSSE component allows remote attackers to
affect availability.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/79435
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM DB2 Performance Expert for Multiplatforms 3.1 through 3.1.2
IBM DB2 Performance Expert for Linux, UNIX, and Windows 3.2 through 3.2.3
Optim Performance Manager for DB2 on Linux, UNIX, and Windows 4.1.0.1
through 4.1.1
IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and
Windows 5.1 through 5.2
REMEDIATION:
To overcome the security vulnerability, you must upgrade the IBM JRE. To
upgrade the IBM JRE, perform an upgrade installation to the next version
or an APAR fix level that contains the fix.
Affected VRMF            Fix VRMF   APAR      Download URL
4.1.0.1 through 4.1.1    4.1.1.1    IC89834   http://www-933.ibm.com/support/fixcentral/
5.1 through 5.1.1.1      5.1.1.1    IC89844   http://www-933.ibm.com/support/fixcentral/
5.2                      5.2        IC89851   http://www-933.ibm.com/support/fixcentral/
For affected versions for which no fix is listed, contact IBM Software Support.
WORKAROUND(S):
None
MITIGATION(S):
None
REFERENCES:
Complete CVSS Guide (www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/79435)
CVE-2012-5081 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081)
X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/76250)
CVE-2012-1720 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1720)
RELATED INFORMATION:
IBM Secure Engineering Web Portal (http://www-03.ibm.com/security/secure-engineering/)
IBM Product Security Incident Response Blog (https://www.ibm.com/blogs/PSIRT)
CHANGE HISTORY:
02/25/2013 Original Copy Published
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----