Security Bulletin: Potential security vulnerability in IBM Tivoli Monitoring with JAVA® using untrusted Java WebStart applications or Java applets.
This document applies only to the following language version(s):
IBM Tivoli Monitoring ships and uses a Java Runtime Environment (JRE). This alert addresses several vulnerabilities for the Tivoli Enterprise Portal browser JRE which might allow remote untrusted Java WebStart applications and untrusted Java applets to affect confidentiality, availability and integrity.
If the JRE is used to run Java WebStart applications or Java applets that are not part of the IBM Tivoli Monitoring product, you might be affected by these vulnerabilities. For additional information on each of the CVE’s refer to the “Included CVEs” links below.
|Vendor||IBM JRE Level||Included CVEs|
|IBM||IBM JRE 1.6 SR10 FP1||CVE-2012-0502
For detailed information on all the vulnerabilities addressed in the Oracle February 14 th 2012 CPU, refer to the following link:
IBM Developerworks Java Security Alerts
AFFECTED PRODUCTS AND VERSIONS:
All IBM Tivoli Monitoring versions
The following maintenance has been delivered to remedy the potential vulnerabilities described in this alert.
We are still investigating workarounds for other IBM Tivoli Monitoring product levels. Refer back to this bulletin frequently for additional information and updates. Until other options are available the current workaround is to upgrade your environment to IBM Tivoli Monitoring 6.2.3 FP02.
- October 28, 2012 Advisory Flash Created
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.