===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1194
  Security Bulletin: IBM Tivoli Federated Identity Manager and IBM Tivoli
      Federated Identity Manager Business Gateway can be affected by
             vulnerabilities in the Websphere IBM Java Runtime
                        Environment (CVE-2013-2407)
                             2 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Federated Identity Manager
                   IBM Tivoli Federated Identity Manager Business Gateway
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2407  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21648448

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Tivoli Federated Identity Manager and IBM Tivoli 
Federated Identity Manager Business Gateway can be affected by vulnerabilities 
in the Websphere IBM Java Runtime Environment (CVE-2013-2407)

Flash (Alert)

Document information

Tivoli Federated Identity Manager

Software version:
6.1, 6.1.1, 6.2, 6.2.1, 6.2.2

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #:
1648448

Modified date:
2013-08-30

Abstract

Vulnerability in the Java Runtime Environment component of Oracle Java SE

Content

VULNERABILITY DETAILS:

DESCRIPTION:

CVE-2013-2407
An unspecified vulnerability in the Websphere IBM Java Runtime Environment (JRE)
component allows remote attackers to affect the confidentiality and
availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli
Federated Identity Manager Business Gateway (TFIMBG) via unknown vectors related
to Libraries.

The attack does not require specialized knowledge or techniques, nor does it
require authentication, but network access is required. An exploit could impact
the confidentiality of information and the availability of the system, but the
integrity of data is not compromised.

CVEID:
CVE-2013-2407

CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Federated Identity Manager (TFIM): v6.1, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Tivoli Federated Identity Manager Business Gateway (TFIMBG): v6.1.1, 6.2.0, 
6.2.1, 6.2.2


REMEDIATION:

Upgrade your Websphere IBM Java Runtime Environment to an interim fix level as
determined below:

For TFIM and TFIMBG, download and apply the interim fix APARs below for your
release of Websphere:

TFIM/TFIMBG Version   Websphere Version   Websphere APAR Interim Fix

TFIM 6.1.1            EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1

TFIM 6.2.0            EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26

TFIM 6.2.1            EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26
                      WAS 8.0 for z/OS

TFIM 6.2.2            EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26
                      WAS 8.0             PM91291 for SDK 7
                      WAS 8.5

TFIMBG 6.1.1          EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1

TFIMBG 6.2.0          EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26

TFIMBG 6.2.1          EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26
                      WAS 8.0 for z/OS

TFIMBG 6.2.2          EWAS 6.1            PM91296 for SDK 5
                      WAS 6.1             PM91295 for SDK 6
                      WAS 7.0             PM91293 for SDK 6.26
                      WAS 8.0             PM91291 for SDK 7
                      WAS 8.5

Workaround(s):
None

Mitigation(s):
None

REFERENCES:
- Complete CVSS Guide
- On-line Calculator V2
- CVE-2013-2407
- http://xforce.iss.net/xforce/xfdb/85044
- IBM Security Alerts

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information 

Segment     Security
Product     Tivoli Federated Identity Manager Business Gateway
Component   Not Applicable
Platform    AIX, HP-UX, Linux, Solaris, Windows, z/OS
Version     6.1.1, 6.1, 6.2, 6.2.1, 6.2.2
Edition

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list 
of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================