===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1738
    Rational Reporting for Development Intelligence - Oracle CPU June 2013
                               5 December 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Reporting for Development Intelligence
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2450 CVE-2013-2407
Reference:         ASB-2013.0075

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21656759

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Rational Reporting for Development Intelligence - Oracle CPU
June 2013 (CVE-2013-2407, CVE-2013-2450)

Security Bulletin

Document information
Rational Reporting for Development Intelligence
Report Server
Software version: 1.0.2, 2.0, 2.0.1, 2.0.3, 2.0.4
Operating system(s): AIX, Linux, Windows
Reference #: 1656759
Modified date: 2013-12-03

Summary

Multiple security vulnerabilities exist in the IBM JRE that is shipped with the
Rational Reporting for Development Intelligence (RRDI). The same security
vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM
WebSphere Application Server (WAS).

Vulnerability Details

The IBM JRE installed with RRDI is based on the Oracle JRE and the IBM Java SDK
installed with WAS is based on the Oracle JDK. Oracle has released June 2013
critical patch updates (CPU) which contain security vulnerability fixes and the
IBM JRE and Java SDK have been updated to incorporate those updates. See
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
for the list of security vulnerabilities fixed by the Oracle June 2013 CPU.
Note: WAS itself is not vulnerable to all the advisories. However, RRDI is
vulnerable to the following two advisories:

CVE ID: CVE-2013-2407
Unspecified vulnerability in the Java Runtime Environment (JRE) component

DESCRIPTION: A malicious user that is able to send an XML document with
specially crafted Signature data via an HTTP request to the RRDI report server
may be able to cause excessive CPU usage, effectively causing a partial denial
of service to the system.

CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE ID: CVE-2013-2450
Unspecified vulnerability in the Java Runtime Environment (JRE) component

DESCRIPTION: A malicious user that is able to send specially crafted data via
an HTTP request to the RRDI report server may be able to cause excessive CPU
usage, effectively causing a partial denial of service to the system.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products

RRDI 1.0.2, 1.0.2.1, 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

Remediation/Fixes

Apply the recommended fixes to all affected versions of RRDI as soon as
practical.

RRDI 1.0.2 and 1.0.2.1

1. Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix 3
   for Security Exposure. Review technote 1656661: Install Cognos 8 Business
   Intelligence 8.4.1 Interim Fix 3 for Security Exposure to resolve security
   vulnerabilities in RRDI 1.0.2.x and Rational Insight 1.0.1.x for
   instructions.

2. Upgrade your WAS Java SDK to IBM Java 6 SR14, IBM Java 6.0.1 SR6 or IBM
   Java 7 SR5. Review technote 1656749: Upgrade the WebSphere Application
   Server Java SDK to resolve security vulnerabilities in Rational Reporting
   for Development Intelligence and Rational Insight for instructions.
RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

1. Download and install the Cognos Business Intelligence 10.1 Interim Fixes
   for Security Exposure. Review technote 1656736: Install Cognos Business
   Intelligence 10.1 Interim Fixes for Security Exposure to resolve security
   vulnerabilities in Rational Reporting for Development Intelligence 2.0.x
   and Rational Insight 1.1.1.x for instructions.

2. Upgrade your WAS Java SDK to IBM Java 6 SR14, IBM Java 6.0.1 SR6 or IBM
   Java 7 SR5. Review technote 1656749: Upgrade the WebSphere Application
   Server Java SDK to resolve security vulnerabilities in Rational Reporting
   for Development Intelligence and Rational Insight for instructions.

3. Download and install the RRDI 2.0.x JRE Patch. Review technote 1656780:
   Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in
   Rational Reporting for Development Intelligence 2.0.x and Rational Insight
   1.1.1.x for instructions.

References:

Complete CVSS Guide
On-line Calculator V2
CVE-2013-2407 http://xforce.iss.net/xforce/xfdb/85044
CVE-2013-2450 http://xforce.iss.net/xforce/xfdb/85057

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

November 21, 2013 Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
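As an added example (not from the IBM bulletin or from AusCERT), the following check parses IBM `java -version` output and compares the reported service refresh (SR) level against the minimum levels the remediation names for the WAS Java SDK: IBM Java 6 SR14, IBM Java 6.0.1 SR6 and IBM Java 7 SR5. It assumes the banner layout shown in the constructed samples, and that IBM Java 6 reports a J9 VM build of 2.4 while Java 6.0.1 and Java 7 report 2.6.

```python
import re

# Minimum IBM Java SR levels from the bulletin's remediation step "Upgrade your
# WAS Java SDK to IBM Java 6 SR14, IBM Java 6.0.1 SR6 or IBM Java 7 SR5".
# Keyed by (java version, J9 VM build) as printed by `java -version`.
# Assumption: IBM Java 6 runs on J9 2.4, while Java 6.0.1 and Java 7 run on
# J9 2.6; that is how the two "1.6.0" lines are told apart here.
FIXED_SR = {
    ("1.6.0", "2.4"): 14,  # IBM Java 6 SR14
    ("1.6.0", "2.6"): 6,   # IBM Java 6.0.1 SR6
    ("1.7.0", "2.6"): 5,   # IBM Java 7 SR5
}


def parse_ibm_java_version(output):
    """Return (java_version, j9_build, sr_level) parsed from an IBM `java -version` banner."""
    ver = re.search(r'java version "(\d+\.\d+\.\d+)', output)
    j9 = re.search(r'IBM J9 VM \(build (\d+\.\d+)', output)
    # The SR level is printed as "(SRnn)" at the end of the runtime build string.
    sr = re.search(r'\(SR(\d+)\)', output)
    if not (ver and j9 and sr):
        raise ValueError("output does not look like an IBM Java version banner")
    return ver.group(1), j9.group(1), int(sr.group(1))


def java_sdk_is_patched(output):
    """True when the reported IBM Java level meets the bulletin's minimum SR level."""
    ver, j9, sr = parse_ibm_java_version(output)
    needed = FIXED_SR.get((ver, j9))
    if needed is None:
        raise ValueError("Java %s on J9 %s is not a level this bulletin covers" % (ver, j9))
    return sr >= needed


# Constructed sample banners in the IBM SDK format (not captured from a real host).
UNPATCHED_JAVA6 = """java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr12-20120101_00(SR12))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr12-20120101_00 (JIT enabled, AOT enabled)
"""
PATCHED_JAVA7 = """java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr5-20130101_00(SR5))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 20130101_00 (JIT enabled, AOT enabled)
"""

if __name__ == "__main__":
    for name, banner in (("Java 6 SR12", UNPATCHED_JAVA6), ("Java 7 SR5", PATCHED_JAVA7)):
        print(name, "->", "OK" if java_sdk_is_patched(banner) else "NEEDS UPGRADE")
```

On a real host, feed it the output of `java -version 2>&1` from the WAS Java SDK; a level the table does not know raises rather than silently passing.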
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================