IBM WebSphere Cast Iron Security Bulletin: Multiple security vulnerabilities in IBM JRE 6

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Cast Iron in IBM JRE 6.0 SR13FP1 (and earlier).
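The bulletin gives the affected ceiling as IBM JRE 6.0 SR13 FP1 and earlier. The following script, an added example and not part of the IBM bulletin, classifies a `java -version` banner against that ceiling. It assumes the banner format of IBM Java 6 builds, where the runtime build string ends in a "(SRnn FPnn)" marker; the sample banners (including the SR13 FP2 one, included only to show a later level) are constructed, and nothing here says which service level the Cast Iron interim fixes ship.

```python
import re
import subprocess
from typing import Optional, Tuple

# Ceiling taken from the bulletin: IBM JRE 6.0 SR13 FP1 and earlier are affected.
AFFECTED_UP_TO = (13, 1)

# Constructed sample `java -version` banners (IBM J9 prints them to stderr).
# The "(SRnn FPnn)" suffix on the runtime build string is the field we key on;
# the surrounding text is an assumption modelled on IBM Java 6 builds.
SAMPLE_SR13FP1 = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr13fp1-20130322_01(SR13 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr13fp1-20130322_01 (JIT enabled, AOT enabled)
'''

SAMPLE_SR12 = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr12-20121024_01(SR12))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr12-20121024_01 (JIT enabled, AOT enabled)
'''

# Constructed later level, used only to show the "not-affected" branch.
SAMPLE_SR13FP2 = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr13fp2-20130424_01(SR13 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr13fp2-20130424_01 (JIT enabled, AOT enabled)
'''

# A non-IBM runtime: out of scope for this bulletin, so it must not be reported as safe.
SAMPLE_ORACLE = '''java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
'''

_MAJOR_RE = re.compile(r'java version "1\.(\d+)')
_SR_FP_RE = re.compile(r"\(SR(\d+)(?:\s*FP(\d+))?\)", re.IGNORECASE)


def parse_ibm_service_level(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (java_major, SR, FP) for an IBM JRE banner, or None when the banner
    is not an IBM J9 build or carries no service-refresh marker."""
    if "IBM J9" not in banner:
        return None
    major = _MAJOR_RE.search(banner)
    level = _SR_FP_RE.search(banner)
    if not major or not level:
        return None
    sr = int(level.group(1))
    fp = int(level.group(2)) if level.group(2) else 0  # "(SR12)" alone means FP0
    return int(major.group(1)), sr, fp


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown'.

    Only IBM Java 6 is in scope for this bulletin; other majors and non-IBM
    runtimes are reported as 'unknown' rather than silently treated as safe."""
    parsed = parse_ibm_service_level(banner)
    if parsed is None:
        return "unknown"
    major, sr, fp = parsed
    if major != 6:
        return "unknown"
    return "affected" if (sr, fp) <= AFFECTED_UP_TO else "not-affected"


def assess_local_java(java_bin: str = "java") -> str:
    """Run `java -version` on this host and classify it. java_bin should point at
    the JRE actually bundled with Cast Iron; that path is not given in the bulletin."""
    try:
        proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, banner in (("SR13 FP1", SAMPLE_SR13FP1), ("SR12", SAMPLE_SR12),
                         ("SR13 FP2", SAMPLE_SR13FP2), ("Oracle", SAMPLE_ORACLE)):
        print(f"{name:9s} -> {assess(banner)}")
    print(f"local java -> {assess_local_java()}")
```

The comparison is done on the (SR, FP) tuple rather than on the build date, because IBM service refreshes without a fix pack print only "(SRnn)" and must be read as FP0. Anything the parser cannot place is reported as "unknown" so that an unexpected banner never reads as "patched".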

Content

VULNERABILITY DETAILS
There are multiple security vulnerabilities in the IBM Java Runtime Environment used in WebSphere Cast Iron.

CVE ID: CVE-2013-2422

Description: An unspecified vulnerability in Oracle Java SE related to Libraries has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83570
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1491

Description: Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83559
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2435

Description: An unspecified vulnerability in Oracle Java SE related to Deployment has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83563
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2420

Description: An unspecified vulnerability in Oracle Java SE related to 2D has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83560
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2432

Description: An unspecified vulnerability in Oracle Java SE related to 2D has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83559
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1569

Description: Oracle Java is vulnerable to a stack-based buffer overflow in the fontmanager native component, caused by improper handling of Ligature Substitution subtables embedded within a mort table. A remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83557
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2384

Description: A vulnerability in Oracle Java related to the fontmanager native component could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability using an overly large LookupCount sum in a TTF file to execute code with the privileges of a victim user by persuading the victim to open a malicious Web page or file.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83556
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2383

Description: A vulnerability in Oracle Java related to the fontmanager component could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability using a Ligature Substitution subtable embedded within a mort table to execute code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83555
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1557

Description: An unspecified vulnerability in Oracle Java SE related to RMI has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83572
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1537

Description: An unspecified vulnerability in Oracle Java SE related to RMI has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83571
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1558

Description: An unspecified vulnerability in Oracle Java SE related to Beans has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83561
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2440

Description: An unspecified vulnerability in Oracle Java SE related to Deployment has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83562
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1518

Description: An unspecified vulnerability in Oracle Java SE related to JAXP has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83566
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2429

Description: An unspecified vulnerability in Oracle Java SE related to ImageIO has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83578
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2430

Description: An unspecified vulnerability in Oracle Java SE related to ImageIO has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83577
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-1563

Description: An unspecified vulnerability in Oracle Java SE related to Install has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83579
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2394

Description: A vulnerability in Oracle Java related to the handling of Type1 fonts in t2k.dll could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83576
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-0401

Description: An unspecified vulnerability in Oracle Java related to AWT could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82823
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2424

Description: An unspecified vulnerability in Oracle Java SE related to JMX could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83582
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-2419

Description: Oracle Java SE ActiveX control (deployJava1.dll) could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially-crafted Web page that passes an overly long string argument to the insecure launchApp() method, a remote attacker could exploit this vulnerability to possibly execute arbitrary code on the system or cause a denial of service.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83581
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-2417

Description: An unspecified vulnerability in Oracle Java SE related to Networking could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83586
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-2418

Description: An unspecified vulnerability in Oracle Java SE related to Deployment has partial confidentiality impact, partial integrity impact, and partial availability impact.

CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83587
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-1540

Description: An unspecified vulnerability in Oracle Java SE related to Deployment has no confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83590
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-2433

Description: An unspecified vulnerability in Oracle Java SE related to Deployment has no confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83589
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Flash.
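Every entry above pairs a CVSS v2 base score with its vector, and the two must reconcile: with complete C/I/A impact and no authentication, AC:L gives 10.0, AC:M gives 9.3 and AC:H gives 7.6, so a listed 9.3 beside an AC:L or AC:H vector is a transcription error. The calculator below is an added example, not part of the IBM bulletin; it implements the CVSS v2 base equation from the FIRST guide linked in the References and audits a list of (CVE, vector, listed score) entries. The entries are copied from this bulletin except the last, which is constructed to show a mismatch being flagged.

```python
import re
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

# CVSS v2 base-metric weights (FIRST CVSS v2 guide).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

# Accepts the bulletin's "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" form with or without parentheses.
_VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector into its six metrics; reject truncated ones."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"malformed or truncated CVSS v2 vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def _round1(x: float) -> float:
    # CVSS v2 rounds half up to one decimal; Python's round() is banker's rounding.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score for a vector string."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def audit(entries: List[Tuple[str, str, float]]) -> List[Tuple[str, float, float]]:
    """Return (id, listed, computed) for every entry whose listed base score
    does not match the score computed from its vector. A vector that cannot
    be parsed is reported with computed = -1.0 so it is never silently skipped."""
    mismatches = []
    for ident, vector, listed in entries:
        try:
            computed = base_score(vector)
        except ValueError:
            mismatches.append((ident, float(listed), -1.0))
            continue
        if abs(computed - listed) >= 0.05:
            mismatches.append((ident, float(listed), computed))
    return mismatches


# Entries taken from the bulletin, plus one constructed inconsistent entry at the end.
BULLETIN_ENTRIES = [
    ("CVE-2013-2422", "(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    ("CVE-2013-0401", "(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    ("CVE-2013-2429", "(AV:N/AC:H/Au:N/C:C/I:C/A:C)", 7.6),
    ("CVE-2013-2424", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
    ("CVE-2013-2417", "(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    ("CVE-2013-2418", "(AV:L/AC:L/Au:N/C:P/I:P/A:P)", 4.6),
    ("CVE-2013-2433", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("EXAMPLE-MISMATCH", "(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 9.3),  # constructed
]

if __name__ == "__main__":
    for ident, vector, listed in BULLETIN_ENTRIES:
        print(f"{ident:17s} listed={listed:4} computed={base_score(vector):4}")
    print("mismatches:", audit(BULLETIN_ENTRIES))
```

Running the audit over a vendor bulletin before importing its scores into a tracker catches copy errors of exactly the kind that move a finding across a patch-priority threshold; the half-up rounding matters because the unrounded AC:L value (about 9.995) would otherwise land on 10.0 or 9.9 depending on the rounding mode used.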

AFFECTED PLATFORMS:
IBM WebSphere Cast Iron v6.0, v6.1, v6.3 and v6.4 Studio, Virtual Appliance and Physical Appliance
IBM WebSphere Cast Iron v6.1 and v6.3 Live SaaS offering.

WORKAROUND:
None available. Apply the fix detailed below.

REMEDIATION:
Apply the fix detailed below.

FIX
For IBM WebSphere Cast Iron v6.0:
Upgrade to the v6.1.0.15 interim fix, or upgrade to v6.3.0.1/v6.4.0.1 by applying the relevant interim fix.

For IBM WebSphere Cast Iron v6.1:
Upgrade to the v6.1.0.15 interim fix, or upgrade to v6.3.0.1/v6.4.0.1 by applying the relevant interim fix.

For IBM WebSphere Cast Iron v6.3:
Apply the v6.3.0.1 or v6.4.0.1 interim fix.

For IBM WebSphere Cast Iron v6.4:
Apply the v6.4.0.1 interim fix.

The WebSphere Cast Iron V6.1 interim fix can be obtained via this link
The WebSphere Cast Iron V6.3 interim fix can be obtained via this link
The WebSphere Cast Iron V6.4 interim fix can be obtained via this link

SaaS offering (WebSphere Cast Iron Live v6.1 and v6.3):
Customers still on the v6.1 SaaS offering can request that the WebSphere Cast Iron cloud operations team migrate their tenant to the Cast Iron v6.3 Live offering.
The WebSphere Cast Iron v6.3 SaaS offering is scheduled to be updated during the July 2013 maintenance window to address these IBM Java 6 security vulnerabilities.


APAR LI77479 is targeted for availability in the IBM WebSphere Cast Iron v6.1.0.16, v6.3.0.2 and v6.4.0.2 fix packs.

MITIGATION:
None known

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

CVE-2013-2422 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422)
CVE-2013-1491 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1491)
CVE-2013-2435 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2435)
CVE-2013-2420 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420)
CVE-2013-2432 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432)
CVE-2013-1569 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569)
CVE-2013-2384 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384)
CVE-2013-2383 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383)
CVE-2013-1557 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557)
CVE-2013-1537 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537)
CVE-2013-1558 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558)
CVE-2013-2440 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2440)
CVE-2013-1518 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518)
CVE-2013-2429 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429)
CVE-2013-2430 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430)
CVE-2013-1563 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1563)
CVE-2013-2394 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2394)
CVE-2013-0401 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401)
CVE-2013-2424 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424)
CVE-2013-2419 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419)
CVE-2013-2417 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417)
CVE-2013-2418 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2418)
CVE-2013-1540 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1540)
CVE-2013-2433 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2433)

CHANGE HISTORY:
<2013/06/28>: Original Copy Published

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere Cast Iron Cloud integration
Software version: 6.0.0, 6.1, 6.3, 6.4.0.0
Operating system(s): Firmware, Linux, Windows
Software edition: Cloud, Physical, Virtual
Reference #: 1637512
Modified date: 2013-09-13
