Flash (Alert)
Abstract
These vulnerabilities are only applicable to Java deployments where untrusted code may be executed under a security manager. The IBM Tivoli Monitoring image of IBM Service Delivery Manager is affected.
Content
DESCRIPTION:
CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823
There are a number of vulnerabilities in the IBM Java SDK that affect various components (ORB, XML and JMX). The vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues need to be combined in sequence to achieve an exploit.
The vulnerabilities could occur when the IBM JRE is installed as the system JRE, such that it may be used to execute untrusted Java applets or Web Start applications in a browser.
VULNERABILITY DETAILS:
| CVE ID | DESCRIPTION | CVSS |
| CVE-2012-1531 | Unspecified vulnerability in JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79413 | 10 |
| CVE-2012-1532 | Unspecified vulnerability in the JRE allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79417 | 10 |
| CVE-2012-1533 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79416 | 10 |
| CVE-2012-3143 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability, related to JMX. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79419 | 10 |
| CVE-2012-3159 | Unspecified vulnerability in the Java Runtime Environment (JRE) allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79424 | 7.5 |
| CVE-2012-3216 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79436 | 2.6 |
| CVE-2012-4820 | Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code on the system. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78764 | 9.3 |
| CVE-2012-4821 | Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code on the system. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78765 for the current score. | 9.3 |
| CVE-2012-4822 | Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code on the system. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78766 for the current score | 9.3 |
| CVE-2012-4823 | Unspecified vulnerability in the JRE component allows remote attackers to execute arbitrary code on the system. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78767 for the current score. | 9.3 |
| CVE-2012-5068 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79425 for the current score | 7.5 |
| CVE-2012-5069 | Unspecified vulnerability in JRE component allows remote attackers to affect confidentiality and integrity via unknown vectors related to Concurrency. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79428 | 5.8 |
| CVE-2012-5071 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality and integrity, related to JMX. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79427 | 6.4 |
| CVE-2012-5072 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via unknown vectors related to Security. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79434 | 5 |
| CVE-2012-5073 | Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Libraries. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79432 | 5 |
| CVE-2012-5075 | Unspecified vulnerability in the JRE allows remote attackers to affect confidentiality, related to JMX. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79431 | 5 |
| CVE-2012-5079 | Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Libraries. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79433 | 5 |
| CVE-2012-5083 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79412 | 10 |
| CVE-2012-5084 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79427 | 7.6 |
| CVE-2012-5089 | Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability, related to JMX. CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79422 | 7.6 |
For the most current description and CVSS for each vulnerability, please refer to developerWorks Java™ Technology Security Alerts.
AFFECTED PRODUCTS AND VERSIONS:
IBM Service Delivery Manager 7.2.1
IBM Service Delivery Manager 7.2.2
IBM Service Delivery Manager 7.2.4
REMEDIATION:
Only the IBM Tivoli Monitoring image of IBM Service Delivery Manager is affected. Refer to the security bulletin for IBM Tivoli Monitoring for remediation:
https://www-304.ibm.com/support/docview.wss?uid=swg21616490
Workaround(s):
None.
Mitigation(s):
None.