Date: 11 March 2013
References: ASB-2012.0143 ASB-2012.0144 ESB-2013.0051 ESB-2013.0053 ESB-2013.0123 ESB-2013.0156 ESB-2013.0157 ESB-2013.0298 ESB-2013.0322 ESB-2013.0330 ESB-2013.0432
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0356
Security Bulletin: Potential security vulnerabilities in Rational Host
On-Demand products for the Oracle October 2012 CPU
11 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM Rational Host On-Demand
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5088 CVE-2012-5087
                   CVE-2012-5086 CVE-2012-5085 CVE-2012-5084
                   CVE-2012-5083 CVE-2012-5081 CVE-2012-5079
                   CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
                   CVE-2012-5074 CVE-2012-5073 CVE-2012-5072
                   CVE-2012-5071 CVE-2012-5070 CVE-2012-5069
                   CVE-2012-5068 CVE-2012-5067 CVE-2012-4416
                   CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
                   CVE-2012-1533 CVE-2012-1532 CVE-2012-1531
Reference:         ESB-2013.0330
                   ESB-2013.0322
                   ESB-2013.0298
                   ESB-2013.0157
                   ESB-2013.0156
                   ESB-2013.0123
                   ESB-2013.0053
                   ESB-2013.0051
                   ASB-2012.0144
                   ASB-2012.0143
Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21625941
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Potential security vulnerabilities in Rational Host
On-Demand products for the Oracle October 2012 CPU
Document information
Rational Host On-Demand
General Information
Software version:    11.0, 11.0.1.0, 11.0.2.0, 11.0.3.0, 11.0.4.0, 11.0.5.0,
                     11.0.5.1, 11.0.6, 11.0.6.1
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Linux iSeries, Linux on
                     System z, Linux pSeries, OS/400, Solaris, Windows, i5/OS,
                     z/OS
Reference #:         1625941
Modified date:       2013-03-06
Abstract
IBM Rational Host On-Demand ships an IBM JRE, based on the Oracle JRE, as part
of its server package for clients to download and install on client machines.
The vulnerabilities apply when this bundled JRE is installed as the system JRE
on a client machine. Oracle has released the October 2012 Critical Patch Update
(CPU), which contains fixes for these security vulnerabilities, and the IBM JRE
that Rational Host On-Demand ships is affected by them.
Content
VULNERABILITY DETAILS
AFFECTED PRODUCTS:
IBM JRE shipped with Host On-Demand 11.0.0.0 through 11.0.6.1.
REMEDIATION:
Fix:
Customers should download the Host On-Demand Version 11.0.7 release from Fix
Central and update the existing Host On-Demand.
Workaround(s): None
Mitigation(s): None
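For tracking remediation across a fleet, the version range stated under AFFECTED PRODUCTS and the fixed release under REMEDIATION can be turned into a simple inventory check. The script below is an added example, not IBM or AusCERT code; it assumes a {hostname: installed Host On-Demand version} mapping as input (the sample inventory is constructed). One detail worth handling is that the bulletin writes versions with two, three or four components ("11.0", "11.0.6", "11.0.5.1"), so the check zero-pads versions before comparing them rather than comparing strings.

```python
# Added example (not IBM or AusCERT code): classify an inventory of Host
# On-Demand installs against the version range this bulletin lists.
# Versions are zero-padded to four components so that "11.0" compares
# equal to "11.0.0.0", matching how the bulletin writes them.

AFFECTED_FIRST = "11.0.0.0"   # from "AFFECTED PRODUCTS"
AFFECTED_LAST = "11.0.6.1"    # from "AFFECTED PRODUCTS"
FIXED_RELEASE = "11.0.7"      # from "REMEDIATION"


def parse_version(text, width=4):
    """Convert a dotted version string into a fixed-width tuple of ints,
    zero-padding short forms so that '11.0' == '11.0.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= width:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version):
    """True when the version lies inside the range the bulletin names."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


def classify(version):
    """Map one installed version to an action for the remediation tracker."""
    v = parse_version(version)
    if is_affected(version):
        return "affected: upgrade to %s from Fix Central" % FIXED_RELEASE
    if v >= parse_version(FIXED_RELEASE):
        return "fixed"
    # Older than 11.0.0.0: not covered by this bulletin, check separately.
    return "outside bulletin scope: verify separately"


def assess(inventory):
    """Classify a {host: version} mapping; returns {host: action}."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "hod-prod-01": "11.0.6.1",
    "hod-prod-02": "11.0",
    "hod-test-01": "11.0.7",
    "hod-legacy": "10.0.5",
}

if __name__ == "__main__":
    for host, action in assess(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Because the bulletin's risk arises when the bundled JRE is installed as the system JRE on client machines, the same classification is only as good as the inventory feeding it; the Host On-Demand server version is the field the bulletin gives, so that is what the check keys on.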
REFERENCES
IBM Security Alerts: Oracle October 2012 Security Alert
Complete CVSS Guide
On-line Calculator V2 ( http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )
RELATED INFORMATION
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT
None
CHANGE HISTORY
6 March 2013: Original publication
*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the References
section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment: Networking
Product: Rational Host On-Demand
Component: General Information
Platform: AIX, HP-UX, HP Itanium, i5/OS, Linux, Linux iSeries, Linux
on System z, Linux pSeries, OS/400, Solaris, Windows, z/OS
Version: 11.0, 11.0.1.0, 11.0.2.0, 11.0.3.0, 11.0.4.0, 11.0.5.0,
11.0.5.1, 11.0.6, 11.0.6.1
Edition:
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----