Security Bulletin: Tivoli System Automation Application Manager 3.2.2

Technote (FAQ)


Question

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of IBM Tivoli System Automation Application Manager which may affect the product.

Cause

Security Bulletin: IBM Tivoli System Automation Application Manager 3.2.2 Vulnerability: Multiple security vulnerabilities in IBM JREs 5 (CVE-2012-0502, CVE-2012-0503, CVE-2012-0506, CVE-2012-0507, CVE-2012-3563, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0505, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725)

VULNERABILITY DETAILS:


DESCRIPTION:
There are multiple security vulnerabilities in the IBM Java Runtime Environment component, and all are applicable to IBM JRE 5.0. The IBM Tivoli System Automation Application Manager includes an IBM Java Runtime Environment on platforms other than AIX.

CVEIDs: CVE-2012-0502, CVE-2012-0503, CVE-2012-0506, CVE-2012-0507, CVE-2012-3563, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0505, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725

CVEID: CVE-2012-0502
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73193 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2012-0503
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73191 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-0506
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73196 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-0507
CVSS Base Score: 9.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72513 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3563
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73194 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2012-0497
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73185 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-0498
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73186 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-0499
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-0501
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73195 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-0505
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73192 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-1713
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1716
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76244 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1717
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76251 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1718
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76249 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1719
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76247 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1720
CVSS Base Score: 3.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76250 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1721
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76240 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1722
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1725
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76243 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


* The CVSS Environmental Score is specific to the customer environment and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the “References:” information section of this Flash.



AFFECTED PRODUCTS AND VERSIONS:
IBM Tivoli System Automation Application Manager 3.1 – 3.2.2


Answer

REMEDIATION:

An upgrade to the latest IBM Tivoli System Automation Application Manager 3.2.2.1 is recommended. To get there, first upgrade to IBM Tivoli System Automation Application Manager 3.2.2, then apply fix pack 3.2.2.1.

Fix*: Fixpack
VRMF: <3221>
APAR: http://www-01.ibm.com/support/docview.wss?uid=swg24033449
How to acquire fix: http://www-01.ibm.com/support/docview.wss?uid=swg24033449



Workaround(s):
<None>

Mitigation(s):
<None>

REFERENCES:
· Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
· On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
· CVE-2012-0497 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0497, http://xforce.iss.net/xforce/xfdb/73185)
· CVE-2012-0498 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0498, http://xforce.iss.net/xforce/xfdb/73186)
· CVE-2012-0499 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0499, http://xforce.iss.net/xforce/xfdb/73187)
· CVE-2012-0501 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0501, http://xforce.iss.net/xforce/xfdb/73195)
· CVE-2012-0502 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0502, http://xforce.iss.net/xforce/xfdb/73193)
· CVE-2012-0503 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0503, http://xforce.iss.net/xforce/xfdb/73191)
· CVE-2012-0505 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0505, http://xforce.iss.net/xforce/xfdb/73192)
· CVE-2012-0506 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0506, http://xforce.iss.net/xforce/xfdb/73196)
· CVE-2012-0507 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0507, http://xforce.iss.net/xforce/xfdb/72513)
· CVE-2012-3563 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3563, http://xforce.iss.net/xforce/xfdb/73194)
· CVE-2012-1713 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1713, http://xforce.iss.net/xforce/xfdb/76239)
· CVE-2012-1716 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1716, http://xforce.iss.net/xforce/xfdb/76244)
· CVE-2012-1717 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1717, http://xforce.iss.net/xforce/xfdb/76251)
· CVE-2012-1718 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1718, http://xforce.iss.net/xforce/xfdb/76249)
· CVE-2012-1719 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1719, http://xforce.iss.net/xforce/xfdb/76247)
· CVE-2012-1720 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1720, http://xforce.iss.net/xforce/xfdb/76250)
· CVE-2012-1721 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1721, http://xforce.iss.net/xforce/xfdb/76240)
· CVE-2012-1722 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1722, http://xforce.iss.net/xforce/xfdb/76241)
· CVE-2012-1725 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1725, http://xforce.iss.net/xforce/xfdb/76243)


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
<18 March 2013>: Original Copy Published
<05 April 2013>: Merging two security bulletins into one


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.



Document information

More support for: Tivoli System Automation Application Manager
Software version: 3.1, 3.2, 3.2.1, 3.2.2
Operating system(s): Linux, Solaris
Reference #: 1633991
Modified date: 2013-04-10
