Security Bulletin: Potential security vulnerability due to the implementation of Java HashTable in Information Archive (CVE-2012-0193)

Flash (Alert)


Abstract

Potential Denial of Service (DoS) security exposure when using web-based applications, due to a vulnerability in the Java HashTable implementation. Only an authorized user can exploit this issue, which is described in the CVE-2012-0193 security alert; an unauthorized user cannot exploit it.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2012-0193

DESCRIPTION: This information is extracted from a Flash notification from the IBM WebSphere Application Server support team. You can read the notification at the following link: http://www.ibm.com/support/docview.wss?uid=swg21577532

Specially crafted HTTP request parameters can cause a large number of HashTable collisions. With too many collisions, performance is significantly impaired, which can lead to a denial of service.
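As an added illustration (not part of this bulletin or of IBM's fix), the check below shows how a front-end proxy or request filter could flag the request shape this issue depends on: java_string_hash reproduces Java's String.hashCode(), and inspect_query rejects a query string whose parameter count is excessive or whose distinct parameter names collapse onto one hashCode. The thresholds MAX_PARAMS, MIN_NAMES_FOR_CHECK and MAX_CLUSTER_SHARE are hypothetical values chosen for the example.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Hypothetical thresholds for this example; tune them to the application's real traffic.
MAX_PARAMS = 1000        # hard cap on parameters per request
MIN_NAMES_FOR_CHECK = 8  # run the collision check only once a request has this many distinct names
MAX_CLUSTER_SHARE = 0.5  # reject if more than half of the distinct names share one hashCode


def java_string_hash(s: str) -> int:
    """Reproduce Java's String.hashCode(): h = 31*h + c over UTF-16 code units,
    wrapped to a signed 32-bit int. Keys with an equal hashCode land in the same
    Hashtable bucket whatever the table capacity, so equality here is the signal."""
    h = 0
    units = s.encode("utf-16-be")
    for i in range(0, len(units), 2):
        h = (31 * h + int.from_bytes(units[i:i + 2], "big")) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def inspect_query(query: str) -> dict:
    """Classify a raw query string (or form body) before it reaches the servlet.

    Returns a dict with 'verdict' ('accept' or 'reject'), a 'reason', the
    parameter count and the size of the largest hashCode cluster."""
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    distinct = set(names)
    result = {"verdict": "accept", "reason": "", "params": len(names), "max_cluster": 0}

    # Cheap first line of defence: degrading the table needs many parameters.
    if len(names) > MAX_PARAMS:
        result.update(verdict="reject", reason="parameter count exceeds MAX_PARAMS")
        return result

    if distinct:
        clusters = Counter(java_string_hash(n) for n in distinct)
        result["max_cluster"] = clusters.most_common(1)[0][1]

    # Legitimate forms spread names across many hashCodes; a crafted request
    # concentrates them in one bucket, which is what turns lookups into O(n).
    if (len(distinct) >= MIN_NAMES_FOR_CHECK
            and result["max_cluster"] / len(distinct) > MAX_CLUSTER_SHARE):
        result.update(verdict="reject", reason="parameter names cluster on one hashCode")
    return result


if __name__ == "__main__":
    # Constructed sample: an ordinary request passes.
    print(inspect_query("user=alice&page=2&sort=name"))
```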

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72298 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS:
All versions of Information Archive prior to 2.1.3.3


REMEDIATION:
Upgrade your Information Archive appliance to release 2.1.3.3


VRMF: 2.1.3.3
Download URL: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=ia-2.1.3.3_upgrade1&continue=1




Workaround(s): None

Mitigation(s): Ensure that access to the Information Archive appliance is tightly controlled. Without proper user authentication, nothing can be run on or added to the appliance.


REFERENCES:
Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 ( http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
X-Force Vulnerability Database ( http://xforce.iss.net/xforce/xfdb/72298)
CVE-2012-0193 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0193)

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog





CHANGE HISTORY:

*The CVSS Environmental Score is specific to the customer environment and will ultimately affect the overall CVSS score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Related information

Potential security vulnerability when using Web based a

Cross reference information
Segment Product Component Platform Version Edition
Disk Storage Systems IBM Information Archive Graphical User Interface (GUI) 2.1, 2.1.1, 2.1.2, 2.1.2.1, 2.1.3, 2.1.3.1, 2.1.3.2 N/A


Document information


More support for:

IBM Information Archive
Graphical User Interface (GUI)

Software version:

2.1, 2.1.1, 2.1.2, 2.1.2.1, 2.1.3, 2.1.3.1, 2.1.3.2

Operating system(s):

Linux

Software edition:

All Editions

Reference #:

1594731

Modified date:

2013-04-03
