-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0503
         Security Bulletin: IBM Tivoli Monitoring clients affected by
              vulnerabilities in IBM SDK, Java Technology Edition
                               15 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Monitoring
Publisher:         IBM
Operating System:  Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0428 CVE-2014-0424 CVE-2014-0423
                   CVE-2014-0422 CVE-2014-0417 CVE-2014-0416
                   CVE-2014-0415 CVE-2014-0411 CVE-2014-0410
                   CVE-2014-0403 CVE-2014-0387 CVE-2014-0376
                   CVE-2014-0375 CVE-2014-0373 CVE-2014-0368
                   CVE-2013-5910 CVE-2013-5907 CVE-2013-5899
                   CVE-2013-5898 CVE-2013-5896 CVE-2013-5889
                   CVE-2013-5888 CVE-2013-5887 CVE-2013-5884
                   CVE-2013-5878  

Reference:         ASB-2014.0005

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21668742

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in
IBM SDK, Java Technology Edition

Document information

More support for:
Tivoli Monitoring Version 6

Software version:
6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0

Operating system(s):
Linux, Windows

Reference #:
1668742

Modified date:
2014-04-08

Security Bulletin

Summary

Java SE issues disclosed in the Oracle January 2014 Critical Patch Update

Vulnerability Details

CVE IDs: CVE-2014-0428 CVE-2014-0422 CVE-2013-5907 CVE-2014-0415 CVE-2014-0410 
CVE-2013-5889 CVE-2014-0417 CVE-2014-0387 CVE-2014-0424 CVE-2013-5878 
CVE-2014-0373 CVE-2014-0375 CVE-2014-0403 CVE-2014-0423 CVE-2014-0376 
CVE-2013-5910 CVE-2013-5884 CVE-2013-5896 CVE-2013-5899 CVE-2014-0416 
CVE-2013-5887 CVE-2014-0368 CVE-2013-5888 CVE-2013-5898 CVE-2014-0411 

DESCRIPTION: This bulletin covers all applicable Java SE CVEs published by 
Oracle as part of their January 2014 Critical Patch Update. For more 
information please refer to Oracle's January 2014 CPU Advisory and the X-Force 
database entries referenced below. 

CVEID: CVE-2014-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90325 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0422
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90326 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5907
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90324 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0415
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90323 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0410
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90322 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5889
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90328 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0417
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90331 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0387
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90332 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0424
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90333 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5878
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90335 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0373
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90334 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0375
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90339 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0403
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90338 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0423
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVEID: CVE-2014-0376
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90350 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5910
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90352 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90348 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5896
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90347 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5899
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90346 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-0416
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5887
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90345 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-0368
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90351 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5888
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90354 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5898
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90356 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Tivoli Monitoring version 6.3.0 through 6.3.0 Fix Pack 02
IBM Tivoli Monitoring version 6.2.3 through 6.2.3 Fix Pack 05
IBM Tivoli Monitoring version 6.2.2 through 6.2.2 Fix Pack 09 
IBM Tivoli Monitoring version 6.2.1 through 6.2.1 Fix Pack 04
IBM Tivoli Monitoring version 6.2.0 through 6.2.0 Fix Pack 03

Remediation/Fixes

These vulnerabilities exist where the affected Java Runtime Environment (JRE) 
is installed on systems running the Tivoli Enterprise Portal Browser client or 
Java WebStart client. The affected JRE is installed on a system when logging 
into the IBM Tivoli Enterprise Portal using the Browser client or WebStart 
client and a JRE at the required level does not exist. The portal provides an 
option to download the provided JRE to the system.

The fix below provides updated JRE packages for the portal, which new client 
systems can then download. Once the fix has been installed on the portal 
server, the instructions in its README describe how to download the updated 
JRE from the portal to the portal clients.

Fix                              VRMF                     APAR     How to acquire fix
6.X.X-TIV-ITM_JRE_TEP-20140404   6.2.0 through 6.3.0 FP2  IV52806  http://www.ibm.com/support/docview.wss?uid=swg2403276


The Fix Pack listed below will include the updated JRE packages.

Fix                    VRMF    APAR     How to acquire fix
6.3.0-TIV-ITM-FP0003   6.3.0   IV52806  http://www.ibm.com/support/docview.wss?uid=swg24036775
                                        Refer to the link above for status on availability.

Workarounds and Mitigations

None.

References

Complete CVSS Guide 
On-line Calculator V2
Oracle January 2014 Java SE Critical Patch Update Advisory 
IBM SDK, Java Technology Edition Security Alerts

Related information

IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog

Change History

04 April 2014 Original Copy Published.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----