IBM WebSphere Message Broker Security Vulnerabilities Notification 1: (CVE-2012-5952, CVE-2012-5953, CVE-2013-0466)

Flash (Alert)


Abstract

CVE-2012-5952 - Vulnerability in WS-Addressing and WS-Security for IBM WebSphere Message Broker
CVE-2012-5953 - Potential security exploitation via an HTTP Request for IBM WebSphere Message Broker
CVE-2013-0466 - Security vulnerability in IBM WebSphere Message Broker if ?wsdl support is switched on for SOAP Input nodes

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-5952, CVE-2012-5953, CVE-2013-0466

DESCRIPTION:

CVE-2012-5952 - Vulnerability in WS-Addressing and WS-Security for IBM WebSphere Message Broker
Basic Authentication is not checked before performing WS-Addressing and WS-Security processing, which can result in messages being sent to remote servers as part of this processing without the original message having been authenticated at the transport level.

CVE-2012-5953 - Potential security exploitation via an HTTP Request for IBM WebSphere Message Broker
HTTPInput nodes deployed with the "Parse Query Strings" option enabled can go into a long or infinite loop for certain query strings.

CVE-2013-0466 - Security vulnerability in IBM WebSphere Message Broker if ?wsdl support is switched on for SOAP Input nodes
SOAPInput nodes deployed with ?wsdl support enabled can return, in the error message, unsanitized data supplied in the original ?wsdl request.


CVSS:

CVE-2012-5952
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2012-5953
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80667 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2013-0466
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81062 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

AFFECTED PLATFORMS:

CVE-2012-5952

IBM WebSphere Message Broker V8.0, V7.0 and V6.1 are affected on all platforms.
IBM WebSphere Message Broker V8.0, V7.0 and V6.1 for z/OS are affected.

CVE-2012-5953

IBM WebSphere Message Broker V8.0, V7.0 and V6.1 are affected on all platforms.
IBM WebSphere Message Broker V8.0, V7.0 and V6.1 for z/OS are affected.

CVE-2013-0466

IBM WebSphere Message Broker V8.0 and V7.0 are affected on all platforms.
IBM WebSphere Message Broker V8.0 and V7.0 for z/OS are affected.
IBM WebSphere Message Broker V6.1 is not affected by this vulnerability.
IBM WebSphere Message Broker V6.1 for z/OS is not affected by this vulnerability.


REMEDIATION:
Apply the fixes mentioned below.

FIX

CVE-2012-5952

For IBM WebSphere Message Broker V6.1 and IBM WebSphere Message Broker for z/OS V6.1 please apply fix pack V6.1.0.12 which contains APAR IC89803.

For IBM WebSphere Message Broker V7.0 and IBM WebSphere Message Broker for z/OS V7.0 please apply fix pack V7.0.0.6:

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24035349

For IBM WebSphere Message Broker V8.0 and IBM WebSphere Message Broker for z/OS V8.0 please apply fix pack V8.0.0.2.

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24034567

CVE-2012-5953

For IBM WebSphere Message Broker V6.1 and IBM WebSphere Message Broker for z/OS V6.1 please apply fix pack V6.1.0.12 which contains APAR PM75015.

For IBM WebSphere Message Broker V7.0 and IBM WebSphere Message Broker for z/OS V7.0 please apply fix pack V7.0.0.6:

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24035349

For IBM WebSphere Message Broker V8.0 and IBM WebSphere Message Broker for z/OS V8.0 please apply fix pack V8.0.0.2.

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24034567

CVE-2013-0466

For IBM WebSphere Message Broker V6.1 and IBM WebSphere Message Broker for z/OS V6.1 no action is required.

For IBM WebSphere Message Broker V7.0 and IBM WebSphere Message Broker for z/OS V7.0 please apply fix pack V7.0.0.6:

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24035349

For IBM WebSphere Message Broker V8.0 and IBM WebSphere Message Broker for z/OS V8.0 please apply fix pack V8.0.0.2.

http://www.ibm.com/support/docview.wss?rs=849&uid=swg24034567


See http://www.ibm.com/support/docview.wss?uid=swg27006308 for information on fix pack availability.

Prior to fix pack availability please contact IBM Support and request the fix for the required APAR.
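As an added triage helper (not IBM's tooling), the following Python compares an installed WebSphere Message Broker version against the fix pack levels listed in this Flash and reports, per CVE, whether the install is affected, fixed, or not affected. The version string format ("V7.0.0.5" or "7.0.0.5") is an assumption; release streams this Flash does not cover are reported as such rather than guessed at:

```python
import re

# Fix pack that resolves each CVE per release stream, as listed in this Flash.
# None means the stream is stated to be not affected by that CVE.
FIX_LEVELS = {
    "CVE-2012-5952": {"6.1": "6.1.0.12", "7.0": "7.0.0.6", "8.0": "8.0.0.2"},
    "CVE-2012-5953": {"6.1": "6.1.0.12", "7.0": "7.0.0.6", "8.0": "8.0.0.2"},
    "CVE-2013-0466": {"6.1": None, "7.0": "7.0.0.6", "8.0": "8.0.0.2"},
}


def parse_version(text):
    """Normalise 'V7.0.0.5', '7.0.0.5' or '7.0' into a 4-part integer tuple (assumed format)."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError(f"not a WMB version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(installed):
    """Return {cve: (status, fix_pack)} for an installed version string."""
    v = parse_version(installed)
    stream = f"{v[0]}.{v[1]}"
    report = {}
    for cve, levels in FIX_LEVELS.items():
        if stream not in levels:
            report[cve] = ("not covered by this Flash", None)
        elif levels[stream] is None:
            report[cve] = ("not affected", None)
        elif v >= parse_version(levels[stream]):
            report[cve] = ("fixed", levels[stream])
        else:
            report[cve] = ("affected", levels[stream])
    return report


if __name__ == "__main__":
    for cve, (status, fix) in assess("V7.0.0.5").items():
        print(f"{cve}: {status}" + (f" (apply fix pack V{fix})" if status == "affected" else ""))
```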

WORKAROUND:
None known; apply the fixes.

MITIGATION
None known

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/80666)
CVE-2012-5952 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5952)

X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/80667)
CVE-2012-5953 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5953)

X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/81062)
CVE-2013-0466 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0466)

CHANGE HISTORY:
<2013/02/12>: Original Copy Published
<2013/02/14>: X-Force URL Typo Corrected
<2013/02/19>: Clarification of where to get fixes prior to fix pack availability
<2013/08/29>: Updated links to fix packs containing the fixes

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Product Alias/Synonym

WMB MB


Document information


More support for:

WebSphere Message Broker

Software version:

6.1, 7.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.0.4, 7.0.0.5, 8.0, 8.0.0.1

Operating system(s):

AIX, HP-UX, HP-UX on Itanium, HP-UX on PA-RISC, Linux, Linux SUSE - pSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux pSeries, OS/390, Solaris, Windows, z/OS

Reference #:

1623316

Modified date:

2013-08-29
