IBM Support

IC91726: The appliance allows unauthenticated access to administrative operations because security vulnerabilities exist.


APAR status

  • Closed as program error.

Error description

  • A security vulnerability in the WebSphere DataPower XC10
    Appliance allows unauthenticated access to administrative
    operations, and security vulnerabilities in Java transport
    layer security (TLS) might allow attackers access.
    

Local fix


Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM WebSphere DataPower XC10       *
    *                  Appliance v2.0 and higher.                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: Attackers can have unauthenticated      *
    *                      access to administrative operations     *
    *                      because of security vulnerabilities     *
    *                      in Java TLS.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a firmware version that contains    *
    *                  this APAR.                                  *
    ****************************************************************
    CVE-2013-0600 - A knowledgeable user may submit administrative
    commands to the WebSphere DataPower XC10 Appliance without
    authentication.
    CVSS Base Score: 9.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83617
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/AU:N/C:C/I:C/A:C)
    CVE-2013-0440 - Unspecified vulnerability in Java Runtime
    Environment allows remote attackers to affect availability via
    vectors related to JSSE.
    CVSS Base Score: 5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/81799
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    CVE-2013-0443 - Unspecified vulnerability in Java Runtime
    Environment allows remote attackers to affect confidentiality
    and integrity via vectors related to JSSE.
    CVSS Base Score: 4
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/81801
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
    CVE-2013-0169 - The TLS protocol does not properly consider
    timing side-channel attacks, which allows remote attackers to
    conduct distinguishing attacks and plain-text recovery attacks
    via statistical analysis of timing data for crafted packets, aka
    the "Lucky Thirteen" issue.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/81902
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    

Problem conclusion

  • The vulnerabilities were found and corrected in the appropriate
    code in the runtime environment. Download a version of the
    firmware for either V2.0.0.3 or V2.1.0.3 that
    contains this APAR
    (http://www-01.ibm.com/support/docview.wss?uid=swg27019704).
    For more information about this security vulnerability, see
    the following web page:
    http://www-01.ibm.com/support/docview.wss?uid=swg21636324
    

Temporary fix


Comments


APAR Information

  • APAR number

    IC91726

  • Reported component name

    WSDATAPOWER XC1

  • Reported component ID

    5765H4200

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-04-22

  • Closed date

    2013-06-18

  • Last modified date

    2013-06-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WSDATAPOWER XC1

  • Fixed component ID

    5765H4200

Applicable component levels

  • R200 PSY

       UP

  • R210 PSY

       UP

Document information

More support for: WebSphere DataPower XC10 Appliance

Software version: 2.0.0.3

Reference #: IC91726

Modified date: 18 June 2013