-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1339
Security Bulletin: Tivoli Workload Scheduler Distributed Potential multiple
          Security vulnerabilities with IBM WebSphere Application
                     Server (CVE-2013-0443 and others)
                               7 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Workload Scheduler
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0964 CVE-2014-0411 CVE-2014-0114
                   CVE-2013-5803 CVE-2013-5780 CVE-2013-0443
                   CVE-2013-0169 CVE-2012-3325 

Reference:         ASB-2014.0077
                   ASB-2014.0005
                   ASB-2013.0124
                   ASB-2013.0113
                   ESB-2014.1290
                   ESB-2012.1076
                   ESB-2012.1044.2
                   ESB-2012.0916
                   ESB-2012.0822

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21677352

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Workload Scheduler Distributed Potential
multiple Security vulnerabilities with IBM WebSphere Application Server
(CVE-2013-0443 and others)

Document information

More support for:
Tivoli Workload Scheduler
WebSphere Application Server

Software version:
8.6

Operating system(s):
Platform Independent

Reference #:
1677352

Modified date:
2014-07-31

Security Bulletin

Summary
Multiple IBM WebSphere Application Server vulnerabilities due to Java
exposures have been discovered.

Vulnerability Details
CVEID: CVE-2013-0443
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

DESCRIPTION: Diffie-Hellman key exchange is known to be vulnerable to
weak key attacks. A peer's public key needs to be validated according
to section 2.1.5 of RFC 2631. The JDK does not conduct the validation,
which means that TLS transactions based on Diffie-Hellman cipher suites
are vulnerable to Man-in-the-middle (MITM) attacks. The fix implements
the validation in accordance with the RFC. This issue applies to server
applications which use TLS (part of the JSSE component).
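The public-value check that RFC 2631 section 2.1.5 prescribes, and which the
bulletin says the unpatched JDK omitted, is short enough to show in full. The
block below is an added example written for this redistribution; it is not
code from IBM or from the JDK. TOY_P, TOY_Q and TOY_G are constructed toy
parameters small enough to follow by hand (real TLS groups are 2048 bits or
larger), and the function names are this example's own.

```python
# Added example, not code from IBM or the JDK: peer public-value validation for
# finite-field Diffie-Hellman as required by RFC 2631 section 2.1.5.
# TOY_P / TOY_Q / TOY_G are constructed toy parameters chosen so the arithmetic
# can be checked by hand; real TLS groups are 2048 bits or larger.
from typing import Optional

TOY_P = 23   # prime modulus
TOY_Q = 11   # prime order of the subgroup generated by TOY_G (2**11 % 23 == 1)
TOY_G = 2    # generator of that order-11 subgroup


def validate_dh_public_key(y: int, p: int, q: Optional[int] = None) -> bool:
    """Return True only if y is an acceptable peer public value for group (p, q).

    RFC 2631 section 2.1.5 checks:
      1. 1 < y < p - 1: rejects 0, 1 and p - 1, each of which forces the shared
         secret to a value the peer already knows whatever our private key is.
      2. y**q mod p == 1 when q is known: y must lie in the prime-order subgroup,
         otherwise a peer can confine the shared secret to a small subgroup.
    """
    if not (1 < y < p - 1):
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def shared_secret(peer_public: int, own_private: int, p: int) -> int:
    """Raw DH combination Z = y**x mod p with no validation (the unvalidated path)."""
    return pow(peer_public, own_private, p)


def validated_shared_secret(peer_public: int, own_private: int, p: int, q: int) -> int:
    """Validate the peer value first, then combine; raises instead of yielding a weak Z."""
    if not validate_dh_public_key(peer_public, p, q):
        raise ValueError("peer public value failed RFC 2631 section 2.1.5 validation")
    return shared_secret(peer_public, own_private, p)


if __name__ == "__main__":
    own_private = 7
    honest_peer = pow(TOY_G, 9, TOY_P)          # a genuine y = g**x mod p
    print("honest peer accepted:", validate_dh_public_key(honest_peer, TOY_P, TOY_Q))
    for bad in (0, 1, TOY_P - 1, 5):            # 5 is outside the order-11 subgroup
        print("value", bad, "accepted:", validate_dh_public_key(bad, TOY_P, TOY_Q))
    # Without validation, y = 1 yields Z = 1 for every private key.
    print("Z with y=1, unvalidated:", shared_secret(1, own_private, TOY_P))
```

The range test alone is not enough: the value 5 passes 1 < y < p - 1 but
fails the subgroup test, which is why the check needs q when the group
supplies it.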

Versions affected:
SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through
8.5.0.2, Version 8.0.0.0 through 8.0.0.5, Version 7.0.0.0 through 7.0.0.27,
Version 6.1.0.0 through 6.1.0.45
This does not occur on SDK versions shipped with WebSphere Application
Server fix packs after 8.5.0.2, or with fix packs 8.0.0.6, 7.0.0.29 and
6.1.0.47 or later.


CVEID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the
current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

DESCRIPTION: This is also called the "Lucky 13" TLS attack. In CBC block mode,
the TLS protocol uses ciphers, HMAC (essentially a keyed checksum built on a
MessageDigest) and padding. The padding is used to maintain the specific
block size that is required by the block-oriented cipher. The HMAC internally
executes compression routines to reduce the bulk data to a smaller checksum
value. Based on the amount of input data, the HMAC will need to do different
numbers of compressions. The padding controls the amount of data fed to the
HMAC algorithm. By using many connections and adjusting the packet contents
carefully (effectively tweaking the amount of padding used), an attacker
can statistically observe the time necessary to generate/receive error
messages. This timing difference is due to the varying length of the HMAC
calculations. The attacker can then deduce the plaintext after a relatively
small number of decryption operations. The issue is largely theoretical
and very difficult to exploit in real world scenarios.

Versions affected:
SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through
8.5.0.2, Version 8.0.0.0 through 8.0.0.5, Version 7.0.0.0 through 7.0.0.27,
Version 6.1.0.0 through 6.1.0.45
This does not occur on SDK versions shipped with WebSphere Application
Server fix packs after 8.5.0.2, or with fix packs 8.0.0.6, 7.0.0.29 and
6.1.0.47 or later.


CVEID: CVE-2013-5780
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

DESCRIPTION: Many crypto providers include sensitive information in their
toString() output, including private keys. This could lead to accidentally
leaking private key material.

The fix removes the sensitive material from the toString() output.


CVEID: CVE-2013-5803
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

DESCRIPTION: The Kerberos protocol passes a length parameter in the
clear (in accordance with the specification) and the JRE's implementation
allocates space accordingly without sanity checking the value. An attacker
can exploit this to cause a DoS on a target server by triggering one or
more OutOfMemoryErrors.

The fix adds code to sanity check the value and handle bad values gracefully.
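The class of check the CVE-2013-5803 fix adds, bounding a wire-supplied
length before anything is allocated from it, is shown below as an added
example; it is not IBM's or the JRE's code. It assumes the TCP framing of
RFC 4120 section 7.2.2 (a 4-octet network-order length in front of each
message, high bit reserved); MAX_MESSAGE_BYTES is an assumed deployment
limit, and the sample streams are constructed placeholders rather than real
KDC-REQ encodings.

```python
# Added example, not IBM's or the JRE's code: bounding a wire-supplied length
# field before allocating, the class of check the CVE-2013-5803 fix adds.
# Framing assumed from RFC 4120 section 7.2.2: 4-octet big-endian length,
# high bit reserved. MAX_MESSAGE_BYTES is an assumed deployment limit.
import struct

MAX_MESSAGE_BYTES = 1 << 20          # assumption: no KDC message should exceed 1 MiB
LENGTH_HEADER = struct.Struct("!I")  # 4-byte network-order unsigned length


class MalformedMessage(ValueError):
    """Raised for any length field we refuse to honour; the caller logs and drops the connection."""


def read_framed_message(stream: bytes, max_len: int = MAX_MESSAGE_BYTES) -> bytes:
    """Return the message body framed by a 4-octet length, or raise MalformedMessage.

    The unchecked variant would allocate bytearray(declared) straight from the
    header, so one packet claiming a few GiB produces an OutOfMemoryError (the
    DoS the bulletin describes). Every check below runs before any body-sized
    buffer exists, and a bad value becomes a handled error rather than a crash.
    """
    if len(stream) < LENGTH_HEADER.size:
        raise MalformedMessage("truncated length header")
    (declared,) = LENGTH_HEADER.unpack_from(stream)
    if declared & 0x80000000:
        # RFC 4120 reserves the high bit of the length field.
        raise MalformedMessage("reserved high bit set in length field")
    if declared > max_len:
        raise MalformedMessage(f"declared length {declared} exceeds limit {max_len}")
    body = stream[LENGTH_HEADER.size:LENGTH_HEADER.size + declared]
    if len(body) != declared:
        raise MalformedMessage("stream shorter than declared length")
    return bytes(body)


def frame_message(body: bytes) -> bytes:
    """Build a correctly framed message (used here only to construct sample input)."""
    return LENGTH_HEADER.pack(len(body)) + body


# Constructed sample inputs; the body bytes are placeholders, not real KDC-REQ encodings.
GOOD_STREAM = frame_message(b"constructed-kdc-req-placeholder")
HUGE_CLAIM = LENGTH_HEADER.pack(0x7FFFFFFF) + b"\x00" * 16   # claims ~2 GiB, carries 16 bytes
HIGH_BIT_CLAIM = LENGTH_HEADER.pack(0xFFFFFFFF)
TRUNCATED = frame_message(b"0123456789")[:-3]                  # header promises more than arrives


if __name__ == "__main__":
    print("good body:", read_framed_message(GOOD_STREAM))
    for name, sample in (("huge", HUGE_CLAIM), ("high-bit", HIGH_BIT_CLAIM), ("truncated", TRUNCATED)):
        try:
            read_framed_message(sample)
        except MalformedMessage as err:
            print(f"{name}: rejected ({err})")
```

The limit is deliberately a parameter: a server that accepts large PA-DATA
can raise it, but the point is that the cap is chosen by the receiver and
never by the bytes on the wire.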

Versions affected:
SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through
8.5.5.1, Version 8.0.0.0 through 8.0.0.7, Version 7.0.0.0 through 7.0.0.30,
Version 6.1.0.0 through 6.1.0.47
This does not occur on SDK versions shipped with WebSphere Application
Server fix packs 8.5.5.2, 8.0.0.8 and 7.0.0.31 or later.

CVEID: CVE-2012-3325
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

DESCRIPTION: The XML4J parser is vulnerable to a denial of service
attack, triggered by specially crafted XML data. The DoS manifests as
an OutOfMemoryError.

The fix ensures that this type of malicious XML data is handled gracefully.


CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

DESCRIPTION: Timing differences based on the validity of messages can
be exploited to decrypt the entire session. The exploit is not trivial,
requiring a man-in-the-middle position and a long time (around 20 hours).
The fix eliminates the timing differences.

Versions affected:
SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through
8.5.5.1, Version 8.0.0.0 through 8.0.0.8, Version 7.0.0.0 through 7.0.0.31,
Version 6.1.0.0 through 6.1.0.47
This does not occur on SDK versions shipped with WebSphere Application
Server fix packs 8.5.5.2, 8.0.0.9 and 7.0.0.33 or later.


CVEID: CVE-2014-0964
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92877 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

DESCRIPTION: WebSphere Application Server is not susceptible to the
Heartbleed vulnerability. However, if the Heartbleed test tool is run
against WAS 6.1 with JDK 5, the tool itself causes a denial of service.

Platforms Affected:
IBM WebSphere Application Server 6.0.2 and IBM WebSphere Application
Server 6.1

CVEID: CVE-2014-0114
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92889 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary
code on the system, caused by the failure to restrict the setting of Class
Loader attributes. Struts 1 is used by IBM WebSphere Application Server.
This problem affects WAS V6.1 and V7 (and eWAS 6.1 and eWAS 7).
This is not an issue with Version 8.0 or 8.5 of WebSphere Application Server.
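The restriction the bulletin says Struts 1 lacked is, at the request layer, a
refusal to bind any parameter whose property path passes through "class" and
so could reach the class loader. The block below is an added example of such
a gate; it is not the patch Apache or IBM shipped, the segment rule and the
sample parameter names are this example's own construction, and the names
used for rejected parameters are placeholders rather than real attribute
paths.

```python
# Added example, not Struts' or IBM's code: a request-parameter gate that
# refuses names which would bind to a "class" bean property (and from there
# reach the class loader), the kind of restriction CVE-2014-0114 concerns.
# The segment rule and SAMPLE_PARAMS are constructed for this example.
import re
from typing import Dict, List, Tuple

# Bean-property paths are split on '.', '[', ']', '(' and ')'. Any segment
# equal to "class" (compared case-insensitively, to be conservative) is refused
# no matter what precedes or follows it.
_SEGMENT_SPLIT = re.compile(r"[.\[\]()]+")


def reaches_class_property(param_name: str) -> bool:
    """True if binding param_name would traverse a property literally named 'class'."""
    segments = [s for s in _SEGMENT_SPLIT.split(param_name) if s]
    return any(s.lower() == "class" for s in segments)


def filter_bean_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a request's parameters into (accepted, rejected_names).

    Rejected names are returned rather than silently dropped so the caller can
    log them: a parameter path that walks through 'class' is a strong signal
    worth alerting on, not just a value to ignore.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if reaches_class_property(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample request parameters (placeholder paths, not real attribute names).
SAMPLE_PARAMS = {
    "userName": "alice",
    "classification": "internal",           # contains 'class' as text but not as a segment
    "items[0].className": "widget",         # 'className' is a different property
    "class.classLoader.property": "x",      # top-level 'class' segment
    "account.Class.loaderSetting": "y",     # nested, different case
    "orders(2).class.name": "z",            # mapped-property syntax
}


if __name__ == "__main__":
    accepted, rejected = filter_bean_params(SAMPLE_PARAMS)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
```

A segment rule is preferable to a substring match: "classification" and
"className" are legitimate property names and must keep working, while a
bare "class" segment anywhere in the path is what has to be refused.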

Affected Products and Versions
Tivoli Workload Scheduler is potentially impacted by the listed
vulnerabilities since they potentially affect secure communications between
eWAS and subcomponents through Java exposures.
The issues have been fixed by updating Java inside the eWAS installed with
the latest fixpack version of TWS.
The affected versions are:
Tivoli Workload Scheduler Distributed 8.4.0
Tivoli Dynamic Workload Console 8.4.0
Tivoli Workload Scheduler Distributed 8.5.0
Tivoli Dynamic Workload Console 8.5.0
Tivoli Workload Scheduler z/OS Connector 8.5.0
Tivoli Workload Scheduler Distributed 8.5.1
Tivoli Dynamic Workload Console 8.5.1
Tivoli Workload Scheduler z/OS Connector 8.5.1
Tivoli Workload Scheduler Distributed 8.6.0
Tivoli Dynamic Workload Console 8.6.0
Tivoli Workload Scheduler z/OS Connector 8.6.0

Remediation/Fixes
IBM has provided patches for all affected versions. Follow the installation
instructions in the README files included with the patch.
Apar IV61280 has been opened for the issues.

Starting from June 11th, the following interim fixes for IV61280 will be
available for download on FixCentral:

8.4.0-TIV-TWS-FP0007-IV61280
to be applied on top of Tivoli Workload Scheduler Distributed 8.4.0 FP07
(the same fix applies to all 8.4.0 affected releases)
8.5.0-TIV-TWS-FP0004-IV61280
to be applied on top of Tivoli Workload Scheduler Distributed 8.5.0 FP04
(the same fix applies to all 8.5.0 affected releases)
8.5.1-TIV-TWS-FP0005-IV61280
to be applied on top of Tivoli Workload Scheduler Distributed 8.5.1 FP05
(the same fix applies to all 8.5.1 affected releases)
8.6.0-TIV-TWS-FP0003-MDM-IV61280
to be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP03
(the same fix applies to MDM and z/OS Connector component latest fixpack
level)
8.6.0-TIV-TWS-FP0003-DWC-IV61280
to be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP03
(the fix applies to DWC component)

and will be officially included in the next fixpacks for the affected TWS
versions. The fixes can be found on FixCentral using the following link

http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FTivoli&product=ibm/Tivoli/Tivoli+Workload+Scheduler&release=All&platform=All&function=aparId&apars=IV61280

where they are identified by TWS version and operating system.

Workarounds and Mitigations
None

References
Complete CVSS Guide
On-line Calculator V2

http://xforce.iss.net/xforce/xfdb/81801
http://xforce.iss.net/xforce/xfdb/81902
http://xforce.iss.net/xforce/xfdb/88001
http://xforce.iss.net/xforce/xfdb/88008
http://xforce.iss.net/xforce/xfdb/86662
http://xforce.iss.net/xforce/xfdb/90357
http://xforce.iss.net/xforce/xfdb/92877
http://xforce.iss.net/xforce/xfdb/92889

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+MiUhLndAQH1ShLAQJAmw//b8fcmeeMJu1D4cYd4DVztj2KGMkaTxcm
XhqG7Km5ZR/YcdDnfRD9+ZDrQmVcjuhu9a3P5WQ/v4bwNyNP+ZZsy5NI8Yl0KAoV
cgm1/DCjw+3YI8vONxkj8VmMB2DBaiAH3BWofYBIUkXbMPZZw8wD6kOrLswWCKmO
dHG9T9D1zx844RHzVTuc2D6KiwOMzKcXXNmHufLjBYlfBdIQXp9RbYBub/tztC9U
mnAGx6Dd/guGQaA5mCi7NJKjvJS8LsYQ7Z9Z9WTpXzL+LoqHwGlITZnVPble4rCo
I2/CML+kY65Eycj24WWkPoFGvef0xsYcLr1RbJS9gJfr/ZPn6EQA4gQm7KvJIOay
GSpJa1m1el1n/LYvCgSZA/mDwW1xxwnfl+hRVFoiX2DEh1QGl+kv9/VSkXS6r1P/
jeUyVWS05nn1OClU9USJauqCKn9lAfkn61pfJe3SEMabo/EGhi2tYlYFllPHvpPQ
LwTY2OR5UNS6sS1ZZEyiU7OSQRzo0Htx1iDJiUxYTA0bTWncSMMXyknpe5bE4RNU
Wln5PSWL80BZFAeZJAPdkGugXTBTvPTlGWgNMlyHbmaKVb6rWVTKS6dLTebgSYPa
tP+EmVW7JRWZ2/ZuAyLwDWRom6Zp9NbOYTgWkgOsD+1PNBY9wN7BijBniIWkxAz1
D0Zb/YsMVh4=
=1Y5E
-----END PGP SIGNATURE-----