Published:

24 October 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1524
 Security Bulletin: IBM Tivoli NetView for z/OS v6.1 (components: NetView
   MultiSystem Manager agent and NetView Web Application) Vulnerability
                              24 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli NetView for z/OS
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2407  

Reference:         ASB-2013.0075
                   ESB-2013.1491
                   ESB-2013.0975
                   ESB-2013.0923
                   ESB-2013.0874
                   ESB-2013.0873

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21653833

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Tivoli Netview for z/OS v6.1 (components: NetView 
MultiSystem Manager agent and NetView Web Application) Vulnerability

Document information

Tivoli NetView for z/OS

Software version:
6.1

Operating system(s):
z/OS

Reference #:
1653833

Modified date:
2013-10-22

Flash (Alert)

Abstract

An unspecified vulnerability in Oracle Java SE related to the Java Runtime 
Environment Libraries component has partial confidentiality impact, no 
integrity impact, and partial availability impact. (CVE-2013-2407)

Content

A medium risk vulnerability in Oracle Java SE, disclosed in the June 2013 
Oracle Java CPU (IBM 6 Fix), affects IBM Tivoli NetView for z/OS V6.1 through 
its Java-based distributed components (NetView MultiSystem Manager agent and 
NetView Web Application) (CVE-2013-2407).

VULNERABILITY DETAILS:

Vendor   Vendor ID          Vendor Title                           Included CVEs
IBM      IBM Java 6 SR14    Oracle June 18 2013 CPU (IBM 6 Fix)    CVE-2013-2407

CVE ID: CVE-2013-2407

DESCRIPTION:

Unspecified vulnerability in the Java Runtime Environment (JRE) component in 
Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and 
OpenJDK 7, allows remote attackers to affect confidentiality and availability 
via unknown vectors related to Libraries. NOTE: the previous information is
from the June 2013 CPU. Oracle has not commented on claims from another vendor
that this issue is related to "XML security and the class loader."
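
Scoping this advisory starts with checking whether a given JRE falls inside the 
version ranges quoted above. The following is an added example, not part of 
IBM's bulletin or AusCERT's redistribution: it parses the first line of 
`java -version` output in the 1.x version scheme and applies the ranges from the 
DESCRIPTION. The sample banners are constructed. It knows nothing about IBM's 
own service-release numbering (the fix table in this bulletin cites "IBM Java 6 
SR14"), so for the JRE used by the NetView distributed components the 
authoritative check remains whether APAR OA43518 has been applied; an IBM banner 
that reports "1.6.0" with no update number is classified conservatively as 
affected, and OpenJDK builds are reported as "check manually" because the 
bulletin gives no update bound for OpenJDK 7.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges quoted from the bulletin's DESCRIPTION:
#   Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier.
# OpenJDK 7 is listed without an update bound, so OpenJDK is reported as
# None ("check the distribution's advisory") rather than guessed at.
AFFECTED_MAX_UPDATE = {6: 45, 7: 21}

# First line of `java -version` in the 1.x scheme, e.g.
#   java version "1.7.0_21"   or   java version "1.6.0"   (no update number)
# Newer 'openjdk version "..."' banners deliberately do not match.
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, bool]]:
    """Return (major, update, is_openjdk) from `java -version` output,
    or None if the banner is not in the 1.x scheme."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2) or 0)   # "1.6.0" with no _NN counts as update 0
    return major, update, "OpenJDK" in banner


def is_affected_by_cve_2013_2407(banner: str) -> Optional[bool]:
    """True  -> inside the ranges the bulletin lists as affected
    False -> outside those ranges (e.g. 7u25, 6u51, Java 8)
    None  -> cannot decide from the banner: unparseable, OpenJDK (no
             update bound given), or a major version the bulletin does
             not mention; verify manually."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update, openjdk = parsed
    if openjdk:
        return None
    if major > 7:
        return False                 # not listed as affected
    limit = AFFECTED_MAX_UPDATE.get(major)
    if limit is None:
        return None                  # Java 5 and earlier: not covered here
    return update <= limit


# Constructed sample banners (not captured from real systems).
SAMPLE_BANNERS: Dict[str, str] = {
    "oracle_7u21": 'java version "1.7.0_21"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
                   'Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)',
    "oracle_7u25": 'java version "1.7.0_25"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "oracle_6u45": 'java version "1.6.0_45"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "ibm_6_no_update": 'java version "1.6.0"\n'
                       'Java(TM) SE Runtime Environment (build pxa6460sr14-20130301_01(SR14))',
    "oracle_8": 'java version "1.8.0_05"\n'
                'Java(TM) SE Runtime Environment (build 1.8.0_05-b13)',
    "openjdk_7": 'java version "1.7.0_25"\n'
                 'OpenJDK Runtime Environment (IcedTea 2.3.10)',
    "no_java": 'bash: java: command not found',
}


def classify_samples() -> Dict[str, Optional[bool]]:
    """Run the check over every constructed banner."""
    return {name: is_affected_by_cve_2013_2407(b) for name, b in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "check manually"}
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {labels[verdict]}")
```

In practice, feed the function the output of `java -version 2>&1` from each JRE 
the NetView distributed components actually use; `-version` writes to stderr, 
so redirect it.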

CVSS:

CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
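
The base score of 6.4 above follows from the vector by the CVSS v2 equations in 
the guide cited under REFERENCES. The following is an added example, not code 
from IBM or AusCERT, that reproduces that calculation: it parses a v2 base 
vector, computes the impact and exploitability sub-scores with the standard 
weights, rounds half-up as the v2 guide specifies, and adds the temporal 
equation so the effect of the "official fix" remediation level on the 6.4 can 
be seen. The temporal metric values used in the usage lines are illustrative; 
the bulletin defers the actual temporal score to the X-Force entry.

```python
import math
import re
from typing import Dict, Tuple

# CVSS v2 base-metric weights (CVSS v2 guide, FIRST).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # AccessVector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf / Integ / Avail impact

# CVSS v2 temporal multipliers; ND (not defined) scores as 1.0.
_E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}     # Exploitability
_RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # RemediationLevel
_RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # ReportConfidence

# Accepts the vector with or without the surrounding parentheses IBM uses.
_BASE_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$")


def _round1(x: float) -> float:
    """CVSS v2 round_to_1_decimal: half up (Python's round() is half-even)."""
    return math.floor(x * 10 + 0.5) / 10


def parse_base_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector into its six metrics; reject anything else."""
    m = _BASE_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def base_score(vector: str) -> Tuple[float, float, float]:
    """Return (base, impact, exploitability) for a CVSS v2 base vector."""
    v = parse_base_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[v["C"]]) * (1 - _CIA[v["I"]]) * (1 - _CIA[v["A"]]))
    exploitability = 20 * _AV[v["AV"]] * _AC[v["AC"]] * _AU[v["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores 0
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return _round1(base), _round1(impact), _round1(exploitability)


def temporal_score(base: float, e: str = "ND", rl: str = "ND", rc: str = "ND") -> float:
    """CVSS v2 temporal score computed from the (already rounded) base score."""
    return _round1(base * _E[e] * _RL[rl] * _RC[rc])


if __name__ == "__main__":
    bulletin_vector = "(AV:N/AC:L/Au:N/C:P/I:N/A:P)"   # vector from this bulletin
    base, impact, expl = base_score(bulletin_vector)
    print(f"{bulletin_vector}: base {base} (impact {impact}, exploitability {expl})")
    # Same vector but with a partial integrity impact as well, for comparison.
    print("with I:P instead of I:N:", base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P")[0])
    # Illustrative temporal values: a vendor fix exists (RL:OF), other metrics undefined.
    print("temporal with RL:OF:", temporal_score(base, rl="OF"))
```

The comparison line shows why the bulletin's "no integrity impact" matters: the 
same vector with I:P scores 7.5 instead of 6.4, which crosses the usual 
high-severity threshold.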

AFFECTED PRODUCTS:

    This vulnerability affects only NetView for z/OS release v6.1 and, 
    specifically, only its distributed components, NetView MultiSystem Manager 
    and NetView Web Application.
    Releases/systems/configurations NOT affected: NetView for z/OS v5.4 and 
    earlier, and v6.2 and later. NetView for z/OS components that run on z/OS 
    itself are also not affected by this problem.

REMEDIATION:

Apply the fix for Tivoli NetView for z/OS distributed components, NetView 
MultiSystem Manager and NetView Web Application. Implement the appropriate 
solution as soon as practicable.


Vendor Fix(es):

Product                    VRMF    APAR       Remediation/First Fix
Tivoli NetView for z/OS    V6.1    OA43518    Fix Central link for APAR OA43518
 
Workaround(s) & MITIGATION(s): None known, apply fix

Important note: IBM strongly suggests that all System z customers be subscribed 
to the System z Security Portal to receive the latest critical System z 
security and integrity service. If you are not subscribed, see the 
instructions on the System z Security web site. Security and integrity APARs 
and associated fixes will be posted to this portal. IBM suggests reviewing 
the CVSS scores and applying all security or integrity fixes as soon as 
possible to minimize any potential risk.

REFERENCES:

    Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html )
    On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )
    CVE-2013-2407 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2407, 
    http://xforce.iss.net/xforce/xfdb/85044)

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY:

    22 October 2013: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF 
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY 
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

zNetView

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines 
Corp., registered in many jurisdictions worldwide. Other product and service 
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at 
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUmiCjxLndAQH1ShLAQKq4g/+NjMNYTmaK49/qnZVUEyUBN8nFJVGJybM
nk/w9D0fnC0t0xbFslN0M82b3SDJ4qXfGnkYxOUMMioHSRKw8zWIeADlJYwiybU+
OHLDM/NhBWPdRZWTBX75AYTuHEC3P9CxmPm2sX6RUgOefBJ5lg9rrm0Uhgt1brfb
NqLEWzr7g3uu/P0SiNq1eoFvDem+rm/y1vFktQDHDhG4DTUcZif+FaDuz737wp2t
x6sCwCwwMSbmLN8DxiUJ7DnZR5JoSIvt/W16oumY5VdAMUpxxuzf9BygpIJLDhbJ
KrKkC9RgaTy+LclSzk2qMbxUKw2iovRU/JxXxtf3xSOPSN5s1wdR19fUt4lyve8c
8fWu5fj4d+AvohS112Gdo70bArwq8xv0MYyiHORJ19iSrZTjj0IUBeo+4BQegEJT
oQhNOsyYr+RqG/U7PFK7//lr9UlnDpJyGH/qzpBSxS+7U1/qt6e1HTY3KauVJKCM
trcw/n8vFd/1sElGhRiBDpltNhOXd5dJni5syfZQ800Av+rjoKEydeIoSOODF30v
tgjxOIUrwJYTXJV4H6zIdPCbmPiSE5Rf4R9kGVOBpXUXc+xFIY/pni/WNASzo/AS
mb+bDqk9yZ7LBpzsv7qFNA03RPGVTuW5OBlF3ptBNdzbuiRp+RnTD9p/bzFd0QI/
yyS15QlT3y0=
=Qnqg
-----END PGP SIGNATURE-----