Security Bulletin: Rational Host On-Demand clients affected by vulnerabilities in IBM JRE (CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823)

Technote (FAQ)


Question

IBM Rational Host On-Demand provides a Java JRE as part of its server package for clients to download and install on client machines. The vulnerabilities are only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser). Server applications such as Host On-Demand server are not vulnerable.

Answer

Vulnerability Details:

CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823

DESCRIPTION:
There are a number of vulnerabilities in the IBM Java SDK that affect various components (ORB, XML and JMX). Some of the issues need to be combined in sequence to achieve an exploit. The exposure arises when the affected JRE is installed as the system JRE, for example when that JRE runs Java applets or Web Start applications.

CVEID:
CVE-2012-4820
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78764 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID:
CVE-2012-4821
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID:
CVE-2012-4822
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID:
CVE-2012-4823
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

This advisory is only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser).

The vulnerabilities work by exploiting weaknesses in the internal implementation of various IBM SDK components. Some of the weaknesses need to be combined in sequence to achieve an exploit. All of the issues are only applicable to scenarios in which untrusted code is executed under a security manager. The exploits allow untrusted code to elevate its privileges by modifying or removing the security manager.

The most common vulnerable use case is a JRE running an untrusted Java applet or Java Web Start application. This occurs when the affected JRE is installed as the system JRE.

Affected Platforms:
Any supported Rational Host On-Demand client platform where IBM JRE is used as the system JRE.

Remediation:
Upgrade the JRE to Java 6 SR12 or later on the client machines, or switch to the Oracle JRE. Entitled Host On-Demand customers can download the updated JRE from Fix Central:

For Windows clients: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Host+On-Demand&release=1.6.0.12&platform=Windows&function=all

For Linux clients: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Host+On-Demand&release=1.6.0.12&platform=Linux&function=all

Refer to the following on how to replace the JRE on the Host On-Demand Server:
http://www-01.ibm.com/support/docview.wss?uid=swg21317268
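Checking that the remediation has actually reached every client means inventorying the JRE each machine reports. The script below is an added example, not part of the bulletin or of Host On-Demand: it parses the text printed by `java -version` or `java -fullversion`, pulls out the vendor, Java version and IBM service refresh (SR) number, and classifies each client against the bulletin's stated bar of IBM Java 6 SR12. The sample version strings are constructed to resemble IBM and Oracle output formats and are assumptions, as is the `(SR12)`/`sr12` placement the regular expression relies on; the bulletin states a fix level for Java 6 only, so other IBM major versions are marked for manual review rather than assumed fixed.

```python
"""Classify client JRE version strings against "Java 6 SR12 or later".

Added example for the Host On-Demand client bulletin; the version strings
in SAMPLE_OUTPUT are constructed to resemble `java -version` output and
are not taken from the bulletin or from real machines.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

REQUIRED_MAJOR = "1.6"   # IBM Java 6
REQUIRED_SR = 12         # service refresh named by the bulletin


@dataclass
class JreInfo:
    vendor: str                    # "IBM", "Oracle" or "unknown"
    version: str                   # e.g. "1.6.0"; "" if not found
    service_refresh: Optional[int] # IBM SR number, None if not present


def parse_java_version(output: str) -> JreInfo:
    """Extract vendor, Java version and IBM SR from `java -version` text.

    Assumed formats (constructed for this example):
      java version "1.6.0"            ... (build pwi3260sr12-...(SR12))
      java full version "JRE 1.6.0 IBM Windows 32 build pwi3260sr12-..."
    """
    m = re.search(r'version "(?:JRE )?([0-9][0-9.]*)', output)
    version = m.group(1) if m else ""
    if re.search(r"\bIBM\b", output):
        vendor = "IBM"
    elif "HotSpot" in output or "Oracle" in output:
        vendor = "Oracle"
    else:
        vendor = "unknown"
    # IBM build ids carry the service refresh as "sr12" / "(SR12)";
    # the lookbehind avoids matching "sr" inside an ordinary word.
    sr = re.search(r"(?<![a-z])sr(\d+)", output, re.IGNORECASE)
    service_refresh = int(sr.group(1)) if sr else None
    return JreInfo(vendor, version, service_refresh)


def classify(info: JreInfo) -> str:
    """Map a parsed JRE to a remediation status for this bulletin."""
    if not info.version:
        return "UNKNOWN"        # could not read a version; inspect by hand
    if info.vendor != "IBM":
        return "NOT-IBM"        # bulletin covers the IBM JRE only
    major = ".".join(info.version.split(".")[:2])
    if major != REQUIRED_MAJOR:
        return "REVIEW"         # bulletin states a fix level for Java 6 only
    if info.service_refresh is not None and info.service_refresh >= REQUIRED_SR:
        return "OK"             # Java 6 SR12 or later
    return "AFFECTED"           # Java 6 below SR12 (or SR not reported)


def scan(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: java -version output} mapping."""
    return {host: classify(parse_java_version(text)) for host, text in inventory.items()}


# Constructed sample inventory (not real machines or real captured output).
SAMPLE_OUTPUT = {
    "client-a": 'java version "1.6.0"\n'
                'Java(TM) SE Runtime Environment (build pwi3260sr10-20111208_01(SR10))\n'
                'IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr10-20111207_96808)',
    "client-b": 'java full version "JRE 1.6.0 IBM Windows 32 build pwi3260sr12-20121025_01"',
    "client-c": 'java version "1.6.0_35"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'
                'Java HotSpot(TM) Client VM (build 20.10-b01, mixed mode)',
    "client-d": 'java version "1.7.0"\n'
                'Java(TM) SE Runtime Environment (build pwi3270sr3-20121119_01(SR3))\n'
                'IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 x86-32 20121116_128491)',
    "client-e": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in scan(SAMPLE_OUTPUT).items():
        print(f"{host}: {status}")
```

Feed it real output by collecting `java -version 2>&1` from each client through whatever inventory channel is already in place; "AFFECTED" hosts are the ones the Fix Central update above is for, and "REVIEW" hosts need the fix level for their Java version confirmed separately, since this bulletin does not state one.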

Mitigation:
Do not visit untrusted web sites while the browser has a vulnerable JRE enabled.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-4820
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/78764
· CVE-2012-4821
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/78765
· CVE-2012-4822
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/78766
· CVE-2012-4823
· X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/78767


RELATED INFORMATION:

http://seclists.org/bugtraq/2012/Sep/38

ACKNOWLEDGEMENT

The vulnerability was reported to IBM by Adam Gowdiak of Security Explorations.

CHANGE HISTORY

None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

Rational Host On-Demand
General Information

Software version:

11.0

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Linux iSeries, Linux on System z, Linux pSeries, OS/400, Solaris, Windows, i5/OS, z/OS

Reference #:

1615705

Modified date:

2013-10-09