IBM WebSphere Cast Iron Security Bulletin: Multiple security vulnerabilities in IBM JRE 6

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in IBM JRE 6.0 SR12 (and earlier), the IBM Java Runtime Environment component of WebSphere Cast Iron.

Content

VULNERABILITY DETAILS
There are multiple security vulnerabilities in the IBM Java Runtime Environment used in WebSphere Cast Iron.

CVE ID: CVE-2013-1478

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0445

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81756
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1480

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81757
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1475

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81759
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1476

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-0441 and CVE-2013-1475.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81760
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2012-1541

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81761
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0446

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81762
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2012-3342

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78334
CVSS Environmental Score*: Undefined
CVSS Vector: undefined


CVE ID: CVE-2013-0442

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81755
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0450

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81764
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0425

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81766
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0426

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81767
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0428

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81768
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2012-3213

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81769
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1481

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81770
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0419

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81783
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0423

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81784
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0351

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81786
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-0432

Description: Allows remote attackers to affect confidentiality and integrity via vectors related to AWT

CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81788
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)


CVE ID: CVE-2013-1473

Description: Allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81790
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-0435

Description: Allows remote attackers to affect confidentiality via vectors related to JAX-WS.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81791
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-0434

Description: Allows remote attackers to affect confidentiality via vectors related to JAXP

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81792
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-0409

Description: Allows remote attackers to affect confidentiality via vectors related to JMX.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81793
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-0427

Description: Allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81795
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-0433

Description: Allows remote attackers to affect integrity via unknown vectors related to Networking.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81797
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-0424

Description: Allows remote attackers to affect integrity via vectors related to RMI.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81798
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-0440

Description: Allows remote attackers to affect availability via vectors related to JSSE.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-0438

Description: Allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-0443

Description: Allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)


CVE ID: CVE-2013-1487

Description: Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82177
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1486

Description: Allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82178
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


*The CVSS Environmental Score is specific to each customer environment and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Flash.

AFFECTED PLATFORMS:
IBM WebSphere Cast Iron v6.0, v6.1 and v6.3 Studio, Virtual Appliance and Physical Appliance
IBM WebSphere Cast Iron v6.1 and v6.3 Live SaaS offering.

WORKAROUND
None available; apply the fix detailed below.

REMEDIATION:
Apply the fix detailed below.

FIX
For WebSphere Cast Iron version v6.0:
Upgrade to fixpack v6.1.0.15 or upgrade to v6.3.0.1 and apply the v6.3.0.1 interim fix.

For WebSphere Cast Iron version v6.1:
Upgrade to fixpack v6.1.0.15 or upgrade to v6.3.0.1 and apply the v6.3.0.1 interim fix.

For IBM WebSphere Cast Iron v6.3:
Apply the v6.3.0.1 interim fix.

The WebSphere Cast Iron V6.1 fixpack can be obtained via this link
The WebSphere Cast Iron V6.3 interim fix can be obtained via this link

SaaS offering (WebSphere Cast Iron Live v6.1 and v6.3)
Customers still on the v6.1 SaaS offering can request that the WebSphere Cast Iron cloud operations team migrate their tenant to the Cast Iron v6.3 Live offering.


APAR LI77261 is targeted for availability in the IBM WebSphere Cast Iron v6.1.0.15 and v6.3.0.2 fixpacks.

MITIGATION:
None known

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

CVE-2013-1478 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1478)
CVE-2013-0445 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0445)
CVE-2013-1480 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1480)
CVE-2013-1475 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1475)
CVE-2013-1476 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1476)
CVE-2012-1541 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1541)
CVE-2013-0446 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0446)
CVE-2012-3342 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3342)
CVE-2013-0442 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0442)
CVE-2013-0450 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0450)
CVE-2013-0425 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0425)
CVE-2013-0426 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0426)
CVE-2013-0428 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0428)
CVE-2012-3213 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3213)
CVE-2013-1481 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1481)
CVE-2013-0419 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0419)
CVE-2013-0423 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0423)
CVE-2013-0351 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0351)
CVE-2013-0432 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0432)
CVE-2013-1473 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1473)
CVE-2013-0435 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0435)
CVE-2013-0434 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0434)
CVE-2013-0409 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0409)
CVE-2013-0427 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0427)
CVE-2013-0433 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0433)
CVE-2013-0424 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0424)
CVE-2013-0440 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0440)
CVE-2013-0438 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0438)
CVE-2013-0443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0443)
CVE-2013-1487 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1487)
CVE-2013-1486 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1486)
CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0169)


CHANGE HISTORY:
<2013/04/30>: Original Copy Published

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: WebSphere Cast Iron Cloud integration
Software version: 6.0.0, 6.1, 6.3
Operating system(s): Firmware, Linux, Windows
Software edition: Cloud, Physical, Virtual
Reference #: 1634069
Modified date: 2013-04-30
