===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1738
  Rational Reporting for Development Intelligence - Oracle CPU June 2013
                              5 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Reporting for Development Intelligence
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2450 CVE-2013-2407 

Reference:         ASB-2013.0075

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21656759

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Rational Reporting for Development Intelligence - Oracle 
CPU June 2013 (CVE-2013-2407, CVE-2013-2450)

Security Bulletin

Document information

Rational Reporting for Development Intelligence

Report Server

Software version: 1.0.2, 2.0, 2.0.1, 2.0.3, 2.0.4

Operating system(s): AIX, Linux, Windows

Reference #: 1656759

Modified date: 2013-12-03

Summary

Multiple security vulnerabilities exist in the IBM JRE that is shipped with 
the Rational Reporting for Development Intelligence (RRDI). The same security
vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM 
WebSphere Application Server (WAS).

Vulnerability Details

The IBM JRE installed with RRDI is based on the Oracle JRE and the IBM Java 
SDK installed with WAS is based on the Oracle JDK. Oracle has released June 
2013 critical patch updates (CPU) which contain security vulnerability fixes 
and the IBM JRE and Java SDK have been updated to incorporate those updates.

See 
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
for the list of security vulnerabilities fixed by the Oracle June 2013 CPU.

Note: WAS itself is not vulnerable to all the advisories. However, RRDI is 
vulnerable to the following two advisories:

CVE ID: CVE-2013-2407
Unspecified vulnerability in the Java Runtime Environment (JRE) component

DESCRIPTION:

A malicious user who is able to send an XML document with specially crafted 
Signature data via an HTTP request to the RRDI report server may be able to 
cause excessive CPU usage, effectively causing a partial denial of service to
the system.

CVSS Base Score: 6.4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE ID: CVE-2013-2450
Unspecified vulnerability in the Java Runtime Environment (JRE) component

DESCRIPTION:

A malicious user who is able to send specially crafted data via an HTTP 
request to the RRDI report server may be able to cause excessive CPU usage, 
effectively causing a partial denial of service to the system.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85057 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
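
The two CVSS vectors above can be checked against the quoted base scores (6.4 and 5) with the published CVSS v2 base equation. The calculator below is an added example, not part of the IBM or AusCERT text; the metric weights and rounding rule are those of the FIRST CVSS v2 guide referenced by the bulletin, and it generalises to any v2 base vector.

```python
"""CVSS v2 base-score calculator (added example, not from the bulletin).

Metric weights and the round_to_1_decimal rule are the constants from the
FIRST CVSS v2 base equation, so the two vectors quoted in this bulletin
reproduce the scores IBM lists (6.4 and 5.0).
"""
import math

# CVSS v2 metric weights, keyed by the abbreviations used in vector strings
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}


def parse_vector(vector: str) -> dict:
    """Parse '(AV:N/AC:L/Au:N/C:P/I:N/A:P)' into {'AV': 'N', ...} and validate it."""
    parts = vector.strip().strip("()").split("/")
    metrics = dict(p.split(":", 1) for p in parts)
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"vector must contain exactly the six base metrics: {vector}")
    for name, value in metrics.items():
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics


def round1(x: float) -> float:
    """round_to_1_decimal as defined in the CVSS v2 guide (half up, not banker's)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector string."""
    w = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176  # no impact means a score of 0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


if __name__ == "__main__":
    # The two vectors quoted in the bulletin; prints 6.4 and 5.0
    for v in ("(AV:N/AC:L/Au:N/C:P/I:N/A:P)", "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"):
        print(v, base_score(v))
```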

Affected Products

RRDI 1.0.2, 1.0.2.1, 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

Remediation/Fixes

Apply the recommended fixes to all affected versions of RRDI as soon as 
practical.

RRDI 1.0.2 and 1.0.2.1

1. Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix
3 for Security Exposure. Review technote 1656661: Install Cognos 8 Business 
Intelligence 8.4.1 Interim Fix 3 for Security Exposure to resolve security 
vulnerabilities in RRDI 1.0.2.x and Rational Insight 1.0.1.x for instructions.

2. Upgrade your WAS Java SDK to IBM Java 6 SR14, IBM Java 6.0.1 SR6 or IBM 
Java 7 SR5. Review technote 1656749: Upgrade the WebSphere Application Server
Java SDK to resolve security vulnerabilities in Rational Reporting for 
Development Intelligence and Rational Insight for instructions.

RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

1. Download and install the Cognos Business Intelligence 10.1 Interim Fixes 
for Security Exposure. Review technote 1656736: Install Cognos Business 
Intelligence 10.1 Interim Fixes for Security Exposure to resolve security 
vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and 
Rational Insight 1.1.1.x for instructions.

2. Upgrade your WAS Java SDK to IBM Java 6 SR14, IBM Java 6.0.1 SR6 or IBM 
Java 7 SR5. Review technote 1656749: Upgrade the WebSphere Application Server
Java SDK to resolve security vulnerabilities in Rational Reporting for 
Development Intelligence and Rational Insight for instructions.

3. Download and install the RRDI 2.0.x JRE Patch. Review technote 1656780: 
Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in 
Rational Reporting for Development Intelligence 2.0.x and Rational Insight 
1.1.1.x for instructions.

References:

Complete CVSS Guide

On-line Calculator V2

CVE-2013-2407: http://xforce.iss.net/xforce/xfdb/85044

CVE-2013-2450: http://xforce.iss.net/xforce/xfdb/85057

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 21, 2013 Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================