PM88607: Security vulnerabilities in the Transport Layer Security implementation of the Java Runtime Environment exist in V8.5.

APAR status

  • Closed as program error.

Error description

  • Multiple security vulnerabilities in the Transport Layer
    Security (TLS) implementation of the Java Runtime Environment
    (JRE) in WebSphere eXtreme Scale might allow attackers to
    access sensitive data.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of WebSphere eXtreme Scale        *
    *                  V8.5                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Multiple security vulnerabilities might *
    *                      exist in the JRE shipped with this      *
    *                      version of WebSphere eXtreme Scale.     *
    ****************************************************************
    * RECOMMENDATION:  Install an interim fix that contains this   *
    *                  APAR.                                       *
    ****************************************************************
    Security Bulletin:  WebSphere eXtreme Scale can be affected by
    three vulnerabilities in the IBM Java Runtime Environment
    (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)

    The interim fix for PM88607 resolves the following problem:

    VULNERABILITY DETAILS:

    CVE-2013-0440 - Unspecified vulnerability in Java Runtime
    Environment allows remote attackers to affect availability via
    vectors related to JSSE.
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    CVE-2013-0443 - Unspecified vulnerability in Java Runtime
    Environment allows remote attackers to affect confidentiality
    and integrity via vectors related to JSSE.
    CVSS Base Score: 4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

    CVE-2013-0169 - The TLS protocol does not properly consider
    timing side-channel attacks, which allows remote attackers to
    conduct distinguishing attacks and plain-text recovery attacks
    via statistical analysis of timing data for crafted packets,
    also known as the "Lucky Thirteen" issue.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    AFFECTED PRODUCTS AND VERSIONS:

    All levels of WebSphere eXtreme Scale through V8.6.0.1.

    REMEDIATION:

    If you are running WebSphere eXtreme Scale V7.1.1 or V8.5 with
    the Java Runtime Environment shipped with those versions of
    the product, apply one of the following interim fixes:
      WebSphere eXtreme Scale 7.1.1 PM87563
      WebSphere eXtreme Scale 8.5 PM88607

    If you are running WebSphere eXtreme Scale V8.6.0 or V8.6.0.1,
    upgrade to WebSphere eXtreme Scale V8.6.0.2 or later.

    The WebSphere eXtreme Scale Client is used to communicate with
    the WebSphere DataPower XC10 Appliance, and the recommended
    fix level described here should be applied to the client when
    used with the appliance as well.

    Information on obtaining the required software updates is
    available at this link:
    http://www-01.ibm.com/support/docview.wss?uid=swg27018991

    If you are running WebSphere eXtreme Scale Client or server
    within a WebSphere Application Server process, apply a fix as
    described in the WebSphere Application Server security
    bulletin for these vulnerabilities:
    http://www-01.ibm.com/support/docview.wss?uid=swg21627634

    If you are running WebSphere eXtreme Scale Client or server
    using a Java Runtime Environment obtained separately, obtain a
    fix for that Java Runtime Environment from the Java vendor.

    Workarounds: None

    Mitigations: None
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PM88607

  • Reported component name

    WS EXTREME SCAL

  • Reported component ID

    5724X6702

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-05-07

  • Closed date

    2013-07-22

  • Last modified date

    2013-07-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS EXTREME SCAL

  • Fixed component ID

    5724X6702

Applicable component levels

  • R850 PSY

       UP


