IC88002: VULNERABILITIES WITH TPC CLIENT-SIDE JAVA DEPLOYMENTS WHERE UNTRUSTED CODE MAY BE EXECUTED.


APAR status

  • Closed as program error.

Error description

  • There are a number of vulnerabilities in the IBM Java SDK
    versions that affect various components (ORB, XML and JMX). Some
    of the issues need to be combined in sequence to achieve an
    exploit. This occurs when the affected JRE is installed as the
    system JRE.
    
    For example, this can occur when a JRE is running a Java applet
    or Web Start application.  These vulnerabilities are only
    applicable to client-side Java deployments where untrusted code
    may be executed.
    
    The TPC versions affected include:
    5.1.0
    4.2.0 through 4.2.2.143 (4.2.2 FP3)
    4.1.x
    3.x
    

Local fix

  • Until a fix is available with TPC, download IBM Java 6 SR12 from
    the developerWorks site for AIX and Linux.  Contact IBM support
    if you need the IBM Java 6 SR12 package for Windows.
    
    Uninstall any existing Java versions you have and install IBM
    Java 6 SR12.
    

Problem summary

  • USERS AFFECTED:
    All TPC users who download IBM Java from TPC for the Java Web
    Start GUI prior to TPC 5.1.1.
    
    PROBLEM DESCRIPTION:
    TPC 5.1.0 includes IBM Java 6 SR 9 or earlier, which is affected
    by a security vulnerability.
    

Problem conclusion

  • The Java packaged with TPC has been updated to resolve the
    issue. Use IBM Java 6 SR12 or higher.  The fix for this APAR is
    targeted for the following maintenance package:
    
    fix pack 5.1.1-TIV-TPC-FP0001 - December 2012
    
    http://www-01.ibm.com/support/docview.wss?&uid=swg21320822
    
    The target dates for future fix packs do not represent a formal
    commitment by IBM. The dates are subject to change without
    notice.
    
    The following steps apply to the Tivoli Storage Productivity
    Center GUI launched via Java Web Start on remote systems.
    
    * Uninstall any versions of Java prior to IBM Java 6 SR12.
    * Download and install IBM Java 6 SR12.
    * Launch the Tivoli Storage Productivity Center GUI using
    the JNLP file and Java Web Start.
    
    
    Note: Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links
    provided with the affected Tivoli Storage Productivity Center
    versions. Once you have upgraded your Tivoli Storage
    Productivity Center components to a level with the fix, you
    can use the links again as they will then allow you to
    download IBM Java 6 SR12. Until the fix is available in a
    Tivoli Storage Productivity Center maintenance release, you
    can download the new Java 6 SR12 packages directly from the
    IBM developerWorks web site or by contacting IBM Support.
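
To confirm that a remote GUI workstation no longer has an IBM Java 6 runtime below SR12 as its system JRE, the `java -version` banner can be checked. The script below is an added example, not part of the APAR or of any IBM tooling; the function names are hypothetical, the sample banners are constructed, and the `(SRn)` marker in the build string is an assumption about the banner format.

```shell
#!/bin/sh
# Constructed sample banners (not captured from real systems).
SAMPLE_SR9='java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr9fp1-20110303_01(SR9 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64)'
SAMPLE_SR12='java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr12-20121025_01(SR12))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64)'
SAMPLE_OTHER='java version "1.7.0"
Java(TM) SE Runtime Environment (build example)
Example VM (build example)'

# Classify a `java -version` banner against the level this APAR requires:
#   ok       - IBM Java 6 at SR12 or higher
#   outdated - IBM Java 6 below SR12, or with no SR marker in the banner
#   other    - not an IBM Java 6 banner (outside the scope of this check)
classify_java() {
    banner=$1
    case $banner in
        *'version "1.6.0'*IBM*) ;;
        *) echo other; return 0 ;;
    esac
    # Assumed format: the service release appears as "(SR<n>" in the build string.
    sr=$(printf '%s\n' "$banner" | sed -n 's/.*(SR\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$sr" ] || sr=0
    if [ "$sr" -ge 12 ]; then echo ok; else echo outdated; fi
}

# Check the runtime that `java` on PATH resolves to. Other installed JREs
# are not seen by this check and still have to be uninstalled as described.
check_system_java() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH"; return 0; }
    classify_java "$(java -version 2>&1)"
}

# Demonstration on the constructed samples.
for s in "$SAMPLE_SR9" "$SAMPLE_SR12" "$SAMPLE_OTHER"; do
    classify_java "$s"
done
```

Call `check_system_java` on the workstation itself before launching the GUI from the JNLP file; anything other than `ok` for an IBM Java 6 runtime means the uninstall and install steps above are not complete.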
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC88002

  • Reported component name

    TPC

  • Reported component ID

    5608TPC00

  • Reported release

    510

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-07

  • Closed date

    2012-12-21

  • Last modified date

    2012-12-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC88003

Fix information

  • Fixed component name

    TPC

  • Fixed component ID

    5608TPC00

Applicable component levels

  • R510 PSY

       UP




Document information


More support for:

Tivoli Storage Productivity Center

Software version:

510

Reference #:

IC88002

Modified date:

2012-12-21
