AusCERT - ESB-2013.0653 - [Win][Linux][AIX] IBM OpenPages GRC: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2013.0653 - [Win][Linux][AIX] IBM OpenPages GRC: Multiple vulnerabilities
Date: 09 May 2013
References: ASB-2012.0143 ASB-2012.0144 ESB-2013.0432 ESB-2013.0437 ESB-2013.0619 ESB-2013.0621 ESB-2013.0646

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0653
Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform
         version 6.2 is susceptible to multiple vulnerabilities in
                    the Java Runtime Environment (JRE)
                                9 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM OpenPages GRC
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5086 CVE-2012-5084
                   CVE-2012-5083 CVE-2012-5081 CVE-2012-5079
                   CVE-2012-5077 CVE-2012-5075 CVE-2012-5073
                   CVE-2012-5072 CVE-2012-5071 CVE-2012-5069
                   CVE-2012-5068 CVE-2012-4416 CVE-2012-3216
                   CVE-2012-3159 CVE-2012-3143 CVE-2012-1533
                   CVE-2012-1532 CVE-2012-1531 

Reference:         ASB-2012.0144
                   ASB-2012.0143
                   ESB-2013.0646
                   ESB-2013.0621
                   ESB-2013.0619
                   ESB-2013.0437
                   ESB-2013.0432

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21636462

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform 
version 6.2 is susceptible to multiple vulnerabilities in the Java Runtime 
Environment (JRE)

Flash (Alert)

Document information

OpenPages GRC Platform

Software version:
6.2.1

Operating system(s):
AIX, Linux, Windows

Reference #:
1636462

Modified date:
2013-05-07

Abstract

The version of Java included with OpenPages GRC Platform version 6.2 has 
reported vulnerabilities that allow remote attackers to affect confidentiality, 
integrity, and availability of the Java platform via various vectors.

CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159,
CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071,
CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079,
CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5089
Content

VULNERABILITY DETAILS:

CVEID: CVE-2012-1531
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79413 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1532
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79417 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1533
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79416 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3143
Description: Remote attackers could affect confidentiality, integrity, and 
availability, related to JMX.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79419 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3159
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to Deployment.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79424 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-3216
Description: Remote attackers could affect confidentiality via unknown vectors 
related to Libraries.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79436 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-4416
Description: Remote attackers could affect confidentiality and integrity via 
unknown vectors related to Hotspot.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78432 for the 
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5068
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to Libraries.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79425 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-5069
Description: Remote attackers could affect confidentiality and integrity via 
unknown vectors related to Concurrency.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79428 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5071
Description: Remote attackers could affect confidentiality and integrity, 
related to JMX.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79427 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5072
Description: Remote attackers could affect confidentiality via unknown vectors 
related to Security.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79329 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5073
Description: Remote attackers could affect integrity via unknown vectors 
related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79432 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5075
Description: Remote attackers could affect confidentiality, related to JMX.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79431 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5077
Description: An undisclosed vulnerability exists in a portion of the JRE 
related to Security.
CVSS Base Score 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79437 for the 
current score
CVSS Environmental Score*: undefined
CVSS Vector (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5079
Description: Remote attackers could affect integrity via unknown vectors 
related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79433 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5081
Description: Remote attackers could affect availability, related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-5083
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79412 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5084
Description: Remote attackers could affect confidentiality, integrity, and 
availability via unknown vectors related to Swing.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79423 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5086
Description: Remote attackers could affect confidentiality, integrity, and 
accessibility through unknown vectors related to Beans.
CVSS Base Score 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79414 for the 
current score
CVSS Environmental Score*: undefined
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5089
Description: Remote attackers could affect confidentiality, integrity, and 
availability, related to JMX.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79422 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:
IBM OpenPages GRC Platform version 6.2

REMEDIATION:
Fixes:
Download and install IBM OpenPages GRC Platform version 6.2.1 from Passport 
Advantage. Download information is available on the Downloading IBM OpenPages 
GRC 6.2.1 from Passport Advantage page.

Workaround(s):
None known; apply fixes.

Mitigation(s):
None known

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
7 May 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF 
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY 
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUYr1K+4yVqjM2NGpAQKhNRAAhQrfqD9VprHDcu6Ir93e72c72JbxR8X2
5e34zson7UtvPGStpVt+9LcCE8PY1ISuxTJ9Gb/+ErAdg3kdxbKaw0UCbavqp0uH
ciBAJ3v3Dog16TJKnei5i3p/wU9iiU5/cEHpMytiY67wvq7cRJVRO8n1FhTysrIF
Pxl4MuInvKmhJ+8eraqxUAk/D08cuMEBSZ4z+e7+EX9JNgCSEDaFj65L9sEDCx4l
iN56B421YJ0BTtld2ZK5RdPIGpAgfOQ5mOG680llYsF0pjEFDi0qvZyb3lUihkhh
scqNQdQjSoozyqdY/CJNlRzz0hHsFdB+lRwY4R4P3FmjNi2IslDHBfS0pdC7NPkb
fCzopVkTkFgDosbEz6FVAQzsMH5YYec+xYozJtHIePblrvwdMAjDs/Rz5XN4UR96
kbF0kO3BPCwVSVY/nVZtW2Xfh/G6nCt3QrOb1FbRn2Jn7eAm+ic4XzBaGw7OrmW/
tPwdE5y2zyc5IVmzDYWjtIYhDO559F0mav2n2aoT9Bm1V1UJI3TY5MOp09pI80lm
Y6VoM1D7qUghSyLDZmtzbOM8Qjq+s0CUK+bGOlFF5O87Fighy68FycQG5O7oXGVC
d+sVad0rrBSneSzO8oxsCybBQrF0LetlJINNRbhB0v9TtQa7Zgh0dcR+/G/uHVsn
LQ8ZkisHbmA=
=STbT
-----END PGP SIGNATURE-----