ESB-2013.0653 - [Win][Linux][AIX] IBM OpenPages GRC: Multiple vulnerabilities
Date: 09 May 2013
References: ASB-2012.0143, ASB-2012.0144, ESB-2013.0432, ESB-2013.0437, ESB-2013.0619, ESB-2013.0621, ESB-2013.0646
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2013.0653
Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform
version 6.2 is susceptible to multiple vulnerabilities in the Java Runtime
Environment (JRE)
9 May 2013
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM OpenPages GRC
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5086 CVE-2012-5084
                   CVE-2012-5083 CVE-2012-5081 CVE-2012-5079
                   CVE-2012-5077 CVE-2012-5075 CVE-2012-5073
                   CVE-2012-5072 CVE-2012-5071 CVE-2012-5069
                   CVE-2012-5068 CVE-2012-4416 CVE-2012-3216
                   CVE-2012-3159 CVE-2012-3143 CVE-2012-1533
                   CVE-2012-1532 CVE-2012-1531

Reference:         ASB-2012.0144
                   ASB-2012.0143
                   ESB-2013.0646
                   ESB-2013.0621
                   ESB-2013.0619
                   ESB-2013.0437
                   ESB-2013.0432

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21636462

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: The Java version bundled with IBM OpenPages GRC Platform
version 6.2 is susceptible to multiple vulnerabilities in the Java Runtime
Environment (JRE)

Flash (Alert)

Document information

OpenPages GRC Platform
Software version: 6.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 1636462
Modified date: 2013-05-07

Abstract

The version of Java included with OpenPages GRC Platform version 6.2 has
reported vulnerabilities that allow remote attackers to affect
confidentiality, integrity, and availability of the Java platform via
various vectors.

CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159,
CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071,
CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079,
CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5089

Content

VULNERABILITY DETAILS:

CVEID: CVE-2012-1531
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79413 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1532
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79417 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1533
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3143
Description: Remote attackers could affect confidentiality, integrity, and availability, related to JMX.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3159
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79424 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-3216
Description: Remote attackers could affect confidentiality via unknown vectors related to Libraries.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79436 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-4416
Description: Remote attackers could affect confidentiality and integrity via unknown vectors related to Hotspot.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78432 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5068
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79425 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-5069
Description: Remote attackers could affect confidentiality and integrity via unknown vectors related to Concurrency.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79428 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5071
Description: Remote attackers could affect confidentiality and integrity, related to JMX.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79427 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5072
Description: Remote attackers could affect confidentiality via unknown vectors related to Security.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79329 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5073
Description: Remote attackers could affect integrity via unknown vectors related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79432 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5075
Description: Remote attackers could affect confidentiality, related to JMX.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79431 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5077
Description: An undisclosed vulnerability exists in a portion of the JRE related to Security.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79437 for the current score
CVSS Environmental Score*: undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5079
Description: Remote attackers could affect integrity via unknown vectors related to Libraries.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79433 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5081
Description: Remote attackers could affect availability, related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-5083
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79412 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5084
Description: Remote attackers could affect confidentiality, integrity, and availability via unknown vectors related to Swing.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79423 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5086
Description: Remote attackers could affect confidentiality, integrity, and accessibility through unknown vectors related to Beans.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79414 for the current score
CVSS Environmental Score*: undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5089
Description: Remote attackers could affect confidentiality, integrity, and availability, related to JMX.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79422 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:

IBM OpenPages GRC Platform version 6.2

REMEDIATION:

Fixes: Download and install IBM OpenPages GRC Platform version 6.2.1 from
Passport Advantage. Download information is available on the Downloading
IBM OpenPages GRC 6.2.1 from Passport Advantage page.

Workaround(s): None known; apply fixes.

Mitigation(s): None known

REFERENCES:

Complete CVSS Guide
On-line Calculator V2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY

7 May 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================