Security Bulletin: Rational Host On-Demand clients affected by vulnerabilities in IBM JRE (CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823)

Summary

IBM Rational Host On-Demand provides a Java JRE as part of its server package for clients to download and install on client machines. The vulnerabilities are only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser). Server applications such as Host On-Demand server are not vulnerable.

Vulnerability Details


CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823

Description: There are a number of vulnerabilities in the IBM Java SDK that affect various components (ORB, XML and JMX). Some of the issues need to be combined in sequence to achieve an exploit. They are exploitable when the affected JRE is installed as the system JRE, for example when that JRE is used to run Java applets or Web Start applications.

CVEID: CVE-2012-4820
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78764 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4821
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4822
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4823
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

This advisory is only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser).

The vulnerabilities work by exploiting weaknesses in the internal implementation of various IBM SDK components. Some of the weaknesses need to be combined in sequence to achieve an exploit. All of the issues are only applicable to scenarios in which untrusted code is executed under a security manager. The exploits allow untrusted code to elevate its privileges by modifying or removing the security manager.

The most common vulnerable use case is a JRE running an untrusted Java applet or Java Web Start application. This occurs when the affected JRE is installed as the system JRE.

Affected Products and Versions

Any supported Rational Host On-Demand client platform where IBM JRE is used as the system JRE.

Remediation/Fixes

Upgrade your JRE to Java 6 SR12 or later on the client machines or switch to the Oracle JRE.

Entitled Host On-Demand clients can download the updated JRE from Fix Central.


Review technote 1317268: How to replace the IBM JRE on the Host On-Demand Server for details.
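The remediation above sets a concrete threshold (IBM Java 6 SR12) for the client JRE. The script below is an added example, not part of the bulletin or of the Host On-Demand product, that parses the output of `java -version` and reports whether a client JRE is below that threshold. The three sample outputs are constructed for the example, and the assumption that an IBM Java 6 build string embeds its service refresh as `sr<N>` (for example `pxa6460sr12-...`) is exactly that: an assumption about the version string layout, so verify it against your own clients before relying on the result.

```python
import re
import subprocess

# Minimum fixed level named in the bulletin: IBM Java 6 Service Refresh 12.
MIN_JAVA6_SR = 12

# Constructed sample `java -version` outputs (java prints these on stderr).
# The build-string layout "...sr<N>..." is an assumption about IBM JRE output.
SAMPLE_IBM_OLD = (
    'java version "1.6.0"\n'
    'Java(TM) SE Runtime Environment (build pxa6460sr10fp1-20120321_01(SR10 FP1))\n'
    'IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64)\n'
)
SAMPLE_IBM_FIXED = (
    'java version "1.6.0"\n'
    'Java(TM) SE Runtime Environment (build pxa6460sr12-20121024_01(SR12))\n'
    'IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64)\n'
)
SAMPLE_ORACLE = (
    'java version "1.6.0_37"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_37-b06)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01, mixed mode)\n'
)


def parse_java_version(text):
    """Extract vendor, (major, minor) and IBM service refresh from java -version text."""
    ver = re.search(r'java version "(\d+)\.(\d+)', text)
    version = (int(ver.group(1)), int(ver.group(2))) if ver else None
    is_ibm = "IBM J9" in text
    # Assumed layout: the IBM build id carries the service refresh as "sr<N>".
    sr = re.search(r'sr(\d+)', text, re.IGNORECASE)
    service_refresh = int(sr.group(1)) if (is_ibm and sr) else None
    return {"is_ibm": is_ibm, "version": version, "service_refresh": service_refresh}


def assess(text):
    """Classify a java -version output against the bulletin's Java 6 SR12 threshold.

    Returns the parsed fields plus a "status" of:
      "not-ibm"    - not an IBM JRE, outside the scope of this bulletin
      "vulnerable" - IBM Java 6 below SR12
      "fixed"      - IBM Java 6 at SR12 or later
      "review"     - IBM JRE whose level could not be mapped to the bulletin's threshold
    """
    info = parse_java_version(text)
    if not info["is_ibm"]:
        info["status"] = "not-ibm"
    elif info["version"] == (1, 6) and info["service_refresh"] is not None:
        info["status"] = "fixed" if info["service_refresh"] >= MIN_JAVA6_SR else "vulnerable"
    else:
        # The bulletin only states a threshold for Java 6; anything else needs a manual look.
        info["status"] = "review"
    return info


def assess_installed(java_cmd="java"):
    """Run `java -version` on this host and assess it (java writes its banner to stderr)."""
    proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("old IBM", SAMPLE_IBM_OLD),
                          ("fixed IBM", SAMPLE_IBM_FIXED),
                          ("Oracle", SAMPLE_ORACLE)):
        print(label, "->", assess(sample)["status"])
```

Run it without arguments to see the three constructed samples classified; call `assess_installed()` to check the JRE on the current client's PATH. A "review" result means the JRE is IBM's but not a Java 6 build whose service refresh the script could read, which the bulletin gives no threshold for.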

Workarounds and Mitigations

Workaround: None


Mitigation: Do not visit untrusted web sites while the browser has a vulnerable JRE enabled.

References

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Adam Gowdiak of Security Explorations.

Change History

* 08 November 2012: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Rational Host On-Demand, General Information
Software version: 11.0
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Linux iSeries, Linux on System z, Linux pSeries, OS/400, Solaris, Windows, i5/OS, z/OS
Reference #: 1615705
Modified date: 2013-10-09