Date: 09 May 2013
References: ASB-2012.0143 ASB-2012.0144 ESB-2013.0432 ESB-2013.0437 ESB-2013.0619 ESB-2013.0621 ESB-2013.0646
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0653
Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform
version 6.2 is susceptible to multiple vulnerabilities in
the Java Runtime Environment (JRE)
9 May 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM OpenPages GRC
Publisher: IBM
Operating System: AIX
Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Overwrite Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-5089 CVE-2012-5086 CVE-2012-5084
CVE-2012-5083 CVE-2012-5081 CVE-2012-5079
CVE-2012-5077 CVE-2012-5075 CVE-2012-5073
CVE-2012-5072 CVE-2012-5071 CVE-2012-5069
CVE-2012-5068 CVE-2012-4416 CVE-2012-3216
CVE-2012-3159 CVE-2012-3143 CVE-2012-1533
CVE-2012-1532 CVE-2012-1531
Reference: ASB-2012.0144
ASB-2012.0143
ESB-2013.0646
ESB-2013.0621
ESB-2013.0619
ESB-2013.0437
ESB-2013.0432
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21636462
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform
version 6.2 is susceptible to multiple vulnerabilities in the Java Runtime
Environment (JRE)
Flash (Alert)
Document information
OpenPages GRC Platform
Software version: 6.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 1636462
Modified date: 2013-05-07
Abstract
The version of Java included with OpenPages GRC Platform version 6.2 has
reported vulnerabilities that allow remote attackers to affect confidentiality,
integrity, and availability of the Java platform via various vectors.
CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159,
CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071,
CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079,
CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5089
Content
VULNERABILITY DETAILS:
CVEID: CVE-2012-1531
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79413 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-1532
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79417 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-1533
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79416 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-3143
Description: Remote attackers could affect confidentiality, integrity, and
availability, related to JMX.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79419 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-3159
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Deployment.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79424 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2012-3216
Description: Remote attackers could affect confidentiality via unknown vectors
related to Libraries.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79436 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2012-4416
Description: Remote attackers could affect confidentiality and integrity via
unknown vectors related to Hotspot.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78432 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVEID: CVE-2012-5068
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Libraries.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79425 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2012-5069
Description: Remote attackers could affect confidentiality and integrity via
unknown vectors related to Concurrency.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79428 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2012-5071
Description: Remote attackers could affect confidentiality and integrity,
related to JMX.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79427 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVEID: CVE-2012-5072
Description: Remote attackers could affect confidentiality via unknown vectors
related to Security.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79329 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2012-5073
Description: Remote attackers could affect integrity via unknown vectors
related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79432 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2012-5075
Description: Remote attackers could affect confidentiality, related to JMX.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79431 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2012-5077
Description: An undisclosed vulnerability exists in a portion of the JRE
related to Security.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79437 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2012-5079
Description: Remote attackers could affect integrity via unknown vectors
related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79433 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2012-5081
Description: Remote attackers could affect availability, related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2012-5083
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79412 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-5084
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Swing.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79423 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-5086
Description: Remote attackers could affect confidentiality, integrity, and
availability via unknown vectors related to Beans.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79414 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2012-5089
Description: Remote attackers could affect confidentiality, integrity, and
availability, related to JMX.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79422 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS AND VERSIONS:
IBM OpenPages GRC Platform version 6.2
REMEDIATION:
Fixes:
Download and install IBM OpenPages GRC Platform version 6.2.1 from Passport
Advantage. Download information is available on the Downloading IBM OpenPages
GRC 6.2.1 from Passport Advantage page.
Workaround(s):
None known; apply fixes.
Mitigation(s):
None known
REFERENCES:
Complete CVSS Guide
On-line Calculator V2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
CHANGE HISTORY
7 May 2013: Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----