Operating System:

[WIN][z/OS][LINUX][HP-UX][Solaris][AIX]

Published:

22 October 2013

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2013.1492 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1492
       IBM WebSphere Message Broker and IBM Integration Bus Security
       Vulnerability: XML4J denial of service attack (CVE-2013-5372)
                              22 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Message Broker
                   IBM Integration Bus
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5372  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21653087

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: 
XML4J denial of service attack (CVE-2013-5372)

Flash (Alert)

Document information

WebSphere Message Broker

Security

Software version:
6.1, 7.0, 8.0

Operating system(s):
AIX, HP-UX on Itanium, Linux, Solaris, Windows, z/OS

Reference #:
1653087

Modified date:
2013-10-17

Abstract

XML4J is vulnerable to a denial of service attack triggered by a specially 
crafted XML document

Content

VULNERABILITY DETAILS:

DESCRIPTION:
The XML4J parser shipped with WebSphere Message Broker and IBM Integration Bus 
is vulnerable to a denial of service attack, triggered by a specially crafted 
XML document. The specially crafted XML document causes the XML parser to run 
out of memory when the security feature to control the processing of a 
document with a large number of entities that need to be expanded is enabled.

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


AFFECTED PRODUCTS AND VERSIONS:
IBM WebSphere Message Broker V6.1.0.11 with Rules and Formatter Extension
IBM WebSphere Message Broker V6.1.0.11
IBM WebSphere Message Broker for z/OS V6.1.0.11
IBM WebSphere Message Broker V7.0,0.6
IBM WebSphere Message Broker for z/OS V7.0,0.6
IBM WebSphere Message Broker V8.0.0.3
IBM WebSphere Message Broker for z/OS V8.0.0.3
IBM Integration Bus V9.0.0.0
IBM Integration Bus for z/OS V9.0.0.0

REMEDIATION:

For IBM WebSphere Message Broker V6.1 and IBM WebSphere Message Broker for 
z/OS V6.1 please apply fix pack V6.1.0.12 which will contain APAR IC96473.


For IBM WebSphere Message Broker V7.0 and IBM WebSphere Message Broker for 
z/OS V7.0 please apply fix pack V7.0.0.7 which will contain APAR IC96473.

For IBM WebSphere Message Broker V8.0 and IBM WebSphere Message Broker for 
z/OS V8.0 please apply fix pack V8.0.0.4 which will contain APAR IC96473.

For IBM Integration Bus V9.0 and IBM Integration Bus for z/OS V9.0 please 
apply fix pack V9.0.0.1 which will contain APAR IC96473.


See http://www.ibm.com/support/docview.wss?uid=swg27006308 for information on 
fix pack availability.

Prior to fix pack availability please contact IBM Support and request the fix 
for the required APAR.

Important note: IBM strongly suggests that all System z customers be 
subscribed to the System z Security Portal to receive the latest critical 
System z security and integrity service. If you are not subscribed, see the 
instructions on the System z Security web site. Security and integrity APARs 
and associated fixes will be posted to this portal. IBM suggests reviewing the 
CVSS scores and applying all security or integrity fixes as soon as possible 
to minimize any potential risk.


Workaround(s):
None known, apply fixes

Mitigation(s):
None known

REFERENCES:

    Complete CVSS Guide
    On-line Calculator V2
    CVE-2013-5372
    X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/86662


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
17-Oct-2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment                Product               Component   Platform                                    Version   Edition
Business Integration   IBM Integration Bus   Security    AIX, HP-UX, Linux, Solaris, Windows, z/OS   9.0 

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUmXLexLndAQH1ShLAQKNnw//Z81TgzK3wtK/xY6Ztuq+nZZKxBeM906j
S386Bu7JzVp4c9fKkJIipNSDckUEAZHnXoyEYGQjG3OQ959XR6RzsaTgfG3ciwTY
9h2nFz4vW6MWqmWjzKpt6r2XraEuNxdVeZwTyYx/ZwfNF5RWPNoIG/Mt9sei07yX
MkGTk83/Bp5B6YB/tWv+2Ke4z90LVKnJrF3lNKKDNLTmT2Ki7scVifTKxdpRgiS1
YX4HlXI7RiD7L5mS7yRdpH4Omf/wMpJnsVFIiYDQnf1nUSgsmwx+tlJoNIDnX2Xa
3IRBbISKM2XF+BlQXOvaxorUNCIJLpzQ+rfVEWnTHWquJCnJFqBdViC88hEYpKJu
8+xbVfd3vGjGno71i8kSGQ4D7RF14K0rnQYGKQVdE1irMDi3tWtISlmsrZVbkZTR
aTQD0qU+uOj5nPFqKiUfFIyl7Qeqxfi5QMhW0y8HxDzu2w6pHUhzVeUvHGyZfoS7
RYGEAcfCFigT8Y0nmHcC2YzXG1fJivaFRPSbMhf9FI2DY+I1JtYSqUNc95nUJqHc
rYAXDMmRO2Lp/I8eEgBk2yjPXWs+4qErS9nxxvuZ56v0rqjoUW9iBLdD96mft2du
n0w7+5/o3ID2WNALlONf/7qBzTKQutaD026GEEMgLZ4Wdy0QZAM0I/nO4yKvuEdB
NZgkvjCTFhk=
=JhFD
-----END PGP SIGNATURE-----