Security Bulletin: Potential security vulnerabilities in WebSphere Application Server products for the Oracle October 2012 CPU

Versions affected:

• SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.0.1, Version 8.0.0.0 through 8.0.0.5, Version 7.0.0.0 through 7.0.0.25, Version 6.1.0.0 through 6.1.0.45
• This does not occur on SDK versions shipped with WebSphere Application Servers 8.5.0.2, 8.0.0.6, 7.0.0.27 and 6.1.0.47 or later.

Description:
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM SDK and is part of the Oracle October 2012 critical patch updates (CPU). For details on these updates please refer to the Reference section of this bulletin.

Solutions:
Upgrade your SDK to an interim fix level as determined below:

For IBM WebSphere Application Server for distributed operating systems and IBM WebSphere Application Server Hypervisor Edition :

Download and apply the interim fix APARs below, for your appropriate release:

For V8.5.0.0 through 8.5.0.1:

• Apply Interim Fix PM75382: Will upgrade you to SDK 6 (J9 2.6) SR4

--OR--

• Apply Interim Fix PM75383: Will upgrade you to SDK 7 SR3

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix pack 2 (8.5.0.2) or later (targeted to be available mid April 2013).

For 8.0.0.0 through 8.0.0.5:

• Apply Interim Fix PM75381: Will upgrade you to SDK 6 (J9 2.6) SR4

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix pack 6 (8.0.0.6) or later (targeted to be available late April 2013).

For V7.0.0.0 through 7.0.0.25:

• Apply Interim Fix PM75379: Will upgrade you to SDK 6 SR12

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix pack 27 (7.0.0.27) or later.

For V6.1.0.0 through 6.1.0.45:

• Apply Interim Fix PM75378: Will upgrade you to SDK 5 SR15

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix pack 47 (6.1.0.47) or later (targeted to be available late Sept 2013).

For IBM WebSphere Application Server for i5/OS operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i.

For Versions 8.5.0.0 through 8.5.0.1:

• Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system from the chart below.

For Versions 8.0.0.0 through 8.0.0.5:

• Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system from the chart below.

For Versions 7.0 through 7.0.0.25:

• Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system from the chart below.

For Versions 6.1 through 6.1.0.45:

• Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system from the chart below.

	Java Developer Kit 5.0 32 bit	Java Developer Kit 5.0 64 bit	Java Developer Kit 6.0 32 bit	Java Developer Kit 6.0 64 bit	Java Developer Kit 6 (J9 2.6) 32 bit	Java Developer Kit 6 (J9 2.6) 64 bit	Java Developer Kit 7.0 32 bit	Java Developer Kit 7.0 64 bit
V5R4	SI48515 SI48514	N/A	SI48554 SI48559	N/A	N/A	N/A	N/A	N/A
IBM i 6.1	SI48512 SI48516	SI48513 SI48518	SI48541 SI48558	SI48543 SI48605 SI48621	SI48741 SI48742	SI48750 SI48751	N/A	N/A
IBM i 7.1	SI48512 SI48516	SI48513 SI48518	SI48541 SI48558	SI48543 SI48605 SI48621	SI48741 SI48742	SI48750 SI48751	SI48822 SI48868 SI48836	SI48835 SI48869 SI48833

For WebSphere Application Server for z/OS operating systems:

For V8.5.0.0 through 8.5.0.1:

• Apply Interim Fix PM75382: Will upgrade you to SDK 6 (J9 2.6) SR4

--OR--

• Apply Interim Fix PM75383: Will upgrade you to SDK 7 SR3

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix pack 2 (8.5.0.2) or later (targeted to be available mid April 2013).

For V8.0.0.0 through 8.0.0.5:

• Apply Interim Fix PM75381: Will upgrade you to SDK 6 (J9 2.6) SR4

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix Pack 6 (8.0.0.6) or later (targeted to be available late April 2013).

For V7.0.0.0 through 7.0.0.25:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM75379
• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed

-OR-

• Apply Java SDK shipped with WebSphere Application Server Fix Pack 7.0.0.27, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS

For V6.1.0.0 through 6.1.0.45:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM75378
• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.

--OR--

• Apply Java SDK shipped with WebSphere Application Server Fix Pack 6.1.0.47, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS. (check back for estimated date)

For additional details and information on WebSphere Application Server product updates:

• For Distributed, see Recommended fixes for WebSphere Application Server.
• For i5/OS, see WebSphere Application Server for i5/OS.
• For z/OS, see APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
  

Change history

• 04 Dec 2012: Original publish date
• 22 Jan 2012: minor wording updates and add in PTF updates to IBM i table

REFERENCES:

• IBM Security Alerts: Oracle October 2012 Security Alert.
• Oracle Java SE Critical Patch Update Advisory - October 2012: Oracle Java SE Critical Patch Update Advisory - October 2012.
• Java on IBM i
• Complete CVSS Guide http://www.first.org/cvss/cvss-guide.html
• On-line Calculator V2 http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.