Date: 19 March 2013
References: ASB-2012.0133 ASB-2013.0013 ASB-2013.0025 ASB-2013.0034 ESB-2013.0336 ESB-2013.0337 ESB-2013.0338 ESB-2013.0340 ESB-2013.0360 ESB-2013.0361 ESB-2013.0362 ESB-2013.0404 ESB-2013.0483 ESB-2013.0485
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0401
Security Bulletin: Tivoli Business Service Manager clients
affected by vulnerabilities in IBM JRE
19 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM Tivoli Business Service Manager
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1493 CVE-2013-1487 CVE-2013-1486
                   CVE-2013-1485 CVE-2013-1484 CVE-2013-1481
                   CVE-2013-1480 CVE-2013-1478 CVE-2013-1475
                   CVE-2013-1473 CVE-2013-0809 CVE-2013-0450
                   CVE-2013-0446 CVE-2013-0445 CVE-2013-0444
                   CVE-2013-0442 CVE-2013-0441 CVE-2013-0440
                   CVE-2013-0438 CVE-2013-0437 CVE-2013-0434
                   CVE-2013-0433 CVE-2013-0432 CVE-2013-0431
                   CVE-2013-0429 CVE-2013-0428 CVE-2013-0427
                   CVE-2013-0426 CVE-2013-0425 CVE-2013-0424
                   CVE-2013-0423 CVE-2013-0419 CVE-2013-0409
                   CVE-2013-0351 CVE-2012-3213 CVE-2012-0419
                   CVE-2012-0409
Reference:         ASB-2013.0034
                   ASB-2013.0025
                   ASB-2013.0013
                   ESB-2013.0362
                   ESB-2013.0361
                   ESB-2013.0360
                   ESB-2013.0340
                   ESB-2013.0338
                   ESB-2013.0337
                   ESB-2013.0336
                   ASB-2012.0133
Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21628250
  http://www-01.ibm.com/support/docview.wss?uid=swg24034507
--------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Tivoli Business Service Manager clients affected by
vulnerabilities in IBM JRE
Document information
Tivoli Business Service Manager
Software version: 4.2, 4.2.1, 6.1, 6.1.1
Operating system(s): Windows
Reference #: 1628250
Modified date: 2013-03-15
Flash (Alert)
Abstract
These vulnerabilities are only applicable to Java deployments where untrusted
code may be executed under a security manager (e.g. Java applets running in a
web browser).
Content
VULNERABILITY DETAILS:
CVE IDs: CVE-2012-3213, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,
CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427,
CVE-2013-0428, CVE-2013-0429, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,
CVE-2013-0434, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441,
CVE-2013-0442, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0450,
CVE-2013-1473, CVE-2013-1475, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481,
CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487, CVE-2013-0809,
CVE-2013-1493
DESCRIPTION:
This bulletin lists the vulnerabilities that affect TBSM and are remediated in
the IBM JRE release containing fixes for the CVEs covered in Oracle's January 13,
February 1 and February 19 (2013) releases. It also covers the "YAJ0, Yet
Another Java Zero-Day vulnerability", which was reported publicly on
February 28, 2013. Details about this issue and its successful exploitation are
available in a blog post published by the reporter, FireEye Inc.:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html.
The vulnerabilities could occur when the IBM JRE is installed as the system
JRE, such that it may be used to execute untrusted Java applets or Web Start
applications in a browser.
CVEID: CVE-2012-3213
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81769
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0351
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81786
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2013-0409
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81793
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-0419
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81783
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0423
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81784
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0424
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81798
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-0425
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81766
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0426
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81767
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0427
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81795
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81768
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0429
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81782
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0431
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81794
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-0432
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81788
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVEID: CVE-2013-0433
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81797
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-0434
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81792
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-0437
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81753
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0438
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-0440
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2013-0441
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81758
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0442
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81755
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0444
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81781
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0445
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81756
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0446
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81762
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0450
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81764
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1473
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81790
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-1475
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81759
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1478
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1480
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81757
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1481
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81770
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1484
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82179
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1485
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82180
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-1486
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82178
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1487
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82177
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-0809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82515
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-1493
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82514
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
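As an added example that is not part of the IBM bulletin or the AusCERT redistribution, the Python below recomputes CVSS v2 base scores from the vectors listed above and checks them against the stated base scores, which is how a triager can validate the table before applying an environmental score. The weights and formula are those of the CVSS v2 specification; the entry for CVE-2013-0442 is fed in exactly as printed above, with its empty AV metric, and is reported as malformed instead of being scored.

```python
import math

# CVSS v2 base-metric weights from the CVSS v2 specification.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
           "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
           "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
           "C": CIA, "I": CIA, "A": CIA}
ORDER = ["AV", "AC", "Au", "C", "I", "A"]

def parse_cvss2_vector(vector):
    """Turn '(AV:N/AC:L/Au:N/C:C/I:C/A:C)' into {'AV': 'N', ...};
    raises ValueError on a missing, misordered, empty or unknown metric."""
    parts = vector.strip().strip("()").split("/")
    if len(parts) != len(ORDER):
        raise ValueError("expected 6 metrics in %s" % vector)
    metrics = {}
    for expected, part in zip(ORDER, parts):
        name, _, value = part.partition(":")
        if name != expected or value not in WEIGHTS[expected]:
            raise ValueError("bad %s metric in %s" % (expected, vector))
        metrics[name] = value
    return metrics

def cvss2_base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the spec does."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    # f(Impact) is 0 when there is no impact at all, else 1.176.
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * (1.176 if impact else 0)
    return math.floor(raw * 10 + 0.5) / 10

# (CVE id, stated base score, vector) copied from the bulletin above;
# CVE-2013-0442 is kept exactly as printed there, with its empty AV metric.
BULLETIN_ENTRIES = [
    ("CVE-2012-3213", 10.0, "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"),
    ("CVE-2013-0351", 7.5, "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"),
    ("CVE-2013-0409", 5.0, "(AV:N/AC:L/Au:N/C:P/I:N/A:N)"),
    ("CVE-2013-0419", 7.6, "(AV:N/AC:H/Au:N/C:C/I:C/A:C)"),
    ("CVE-2013-0432", 6.4, "(AV:N/AC:L/Au:N/C:P/I:P/A:N)"),
    ("CVE-2013-0438", 4.3, "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"),
    ("CVE-2013-0442", 10.0, "(AV:/AC:L/Au:N/C:C/I:C/A:C)"),
]

def check_entries(entries):
    """Map each CVE id to 'ok', 'mismatch (computed X)' or 'malformed: ...'."""
    results = {}
    for cve, stated, vector in entries:
        try:
            computed = cvss2_base_score(vector)
        except ValueError as exc:
            results[cve] = "malformed: %s" % exc
            continue
        results[cve] = "ok" if computed == stated else "mismatch (computed %.1f)" % computed
    return results
```

Running `check_entries(BULLETIN_ENTRIES)` reports every well-formed entry as "ok" and CVE-2013-0442 as malformed, so the stated scores are consistent with their printed vectors.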
AFFECTED PRODUCTS AND VERSIONS:
Tivoli Business Service Manager V4.2.0
Tivoli Business Service Manager V4.2.1
Tivoli Business Service Manager V6.1.0
Tivoli Business Service Manager V6.1.1
REMEDIATION:
Fix*                                                     VRMF     APAR     How to acquire fix                                         Availability Date
IBM Tivoli Business Service Manager V6.1.1.0 Intr Fix 1  6.1.1.0  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034507  March 15, 2013
IBM Tivoli Business Service Manager V6.1.0.1 Intr Fix 5  6.1.0.1  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034555  April 15, 2013
IBM Tivoli Business Service Manager V4.2.1.3 Intr Fix 7  4.2.1.3  IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034554  April 30, 2013
IBM Tivoli Business Service Manager V4.2.0 Intr Fix 10   4.2.0    IV37700  http://www-01.ibm.com/support/docview.wss?uid=swg24034553  April 30, 2013
Workaround(s):
None.
Mitigation(s):
None
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-3213
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81769
· CVE-2013-0351
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81786
· CVE-2012-0409
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81793
· CVE-2012-0419
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81783
· CVE-2013-0423
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81784
· CVE-2013-0424
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81798
· CVE-2013-0425
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81766
· CVE-2013-0426
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81767
· CVE-2013-0427
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81795
· CVE-2013-0428
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81768
· CVE-2013-0429
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81782
· CVE-2013-0431
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81794
· CVE-2013-0432
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81788
· CVE-2013-0433
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81797
· CVE-2013-0434
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81792
· CVE-2013-0437
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81753
· CVE-2013-0438
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81800
· CVE-2013-0440
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81799
· CVE-2013-0441
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81758
· CVE-2013-0442
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81755
· CVE-2013-0444
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81781
· CVE-2013-0445
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81756
· CVE-2013-0446
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81762
· CVE-2013-0450
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81764
· CVE-2013-1473
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81790
· CVE-2013-1475
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81759
· CVE-2013-1478
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81754
· CVE-2013-1480
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81757
· CVE-2013-1481
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81770
· CVE-2013-1484
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82179
· CVE-2013-1485
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82180
· CVE-2013-1486
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82178
· CVE-2013-1487
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82177
· CVE-2013-0809
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82515
· CVE-2013-1493
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82514
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT
None
CHANGE HISTORY
Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================