Security Bulletin: RMI vulnerability in Java, as used with WebSphere eXtreme Scale
A security vulnerability in the Remote Method Invocation component of the Java Runtime Environment allows unauthenticated network attacks which can result in unauthorized operating system takeover including arbitrary code execution.
A vulnerability in the Java Runtime Environment RMI component is present in versions of the IBM Java Runtime Environment as shipped with WebSphere eXtreme Scale, and is also present in JREs provided by other vendors. This vulnerability allows successful unauthenticated network attacks, which can result in arbitrary code execution and unauthorized operating system takeover.
The vulnerability is present if the client or server application makes use of RMI and if the Java process runs under a Java security manager, for example by specifying -Djava.security.manager. If a security manager is present, the vulnerability does apply to deployments of the WebSphere eXtreme Scale server.
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83571 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS AND VERSIONS:
All versions of WebSphere eXtreme Scale, including
WebSphere eXtreme Scale 6.1 as shipped with WebSphere Extended Deployment 6.1
WebSphere eXtreme Scale 7.0
WebSphere eXtreme Scale 7.1.1
WebSphere eXtreme Scale 8.5
WebSphere eXtreme Scale 8.6
Please apply the workaround described below. Future versions of WebSphere eXtreme Scale server will have the Java system property java.rmi.server.useCodebaseOnly set to true by default. Future versions of the Java Runtime Environment as shipped with WebSphere eXtreme Scale will have this property set to true by default.
The Java virtual machine should be started with -Djava.rmi.server.useCodebaseOnly=true, or the application should otherwise set this Java system property to true. If the application does load RMI classes from locations other than the class path, it will be necessary to set the java.rmi.server.codebase system property as well.
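One way to check hosts against the workaround above is to audit the command lines of running JVMs. The script below is an added example, not IBM code; the function names, status words and sample process listing are constructed for illustration, and it assumes that a repeated -D option takes its last value.

```shell
#!/bin/sh
# Added example: audit JVM command lines against the bulletin's workaround.
# Assumptions: a repeated -D option takes its last value; a property set
# programmatically or in a configuration file is not visible here.

# audit_jvm_cmdline "<java launcher and arguments>" prints one of:
#   OK       -Djava.rmi.server.useCodebaseOnly=true is in effect
#   AT_RISK  security manager enabled and useCodebaseOnly not true
#   NOT_SET  useCodebaseOnly not true, no security manager flag seen
audit_jvm_cmdline() (
    secmgr=no; codebase_only=unset; first=1; skip=0
    set -f                                  # split on spaces without globbing
    for arg in $1; do
        if [ "$first" = 1 ]; then first=0; continue; fi   # the launcher itself
        if [ "$skip" = 1 ]; then skip=0; continue; fi     # value of -cp
        case "$arg" in
            -cp|-classpath) skip=1 ;;
            -Djava.security.manager|-Djava.security.manager=*) secmgr=yes ;;
            -Djava.rmi.server.useCodebaseOnly=*)
                codebase_only=$(printf '%s' "${arg#*=}" | tr 'A-Z' 'a-z') ;;
            -*) ;;
            *) break ;;          # main class or jar: the rest are program args
        esac
    done
    if [ "$codebase_only" = true ]; then echo OK
    elif [ "$secmgr" = yes ]; then echo AT_RISK
    else echo NOT_SET
    fi
)

# Reads "PID COMMAND..." lines, as printed by `ps -eo pid,args`, on stdin and
# prints "PID STATUS" for each process started through a java launcher.
audit_ps_listing() {
    while read -r pid cmd; do
        case "$cmd" in
            java\ *|*/java\ *)
                printf '%s %s\n' "$pid" "$(audit_jvm_cmdline "$cmd")" ;;
        esac
    done
}

# Constructed sample listing (paths, class names and PIDs are made up).
SAMPLE_PS='101 /opt/java/bin/java -Djava.security.manager -cp app.jar Server
102 /opt/java/bin/java -Djava.security.manager -Djava.rmi.server.useCodebaseOnly=true -cp app.jar Server
103 java -Djava.rmi.server.useCodebaseOnly=true -Djava.rmi.server.useCodebaseOnly=false -Djava.security.manager Client
104 /usr/sbin/sshd -D'

audit_sample() { printf '%s\n' "$SAMPLE_PS" | audit_ps_listing; }
```

On a live host, pipe `ps -eo pid,args` into `audit_ps_listing`; processes reported as AT_RISK match the condition described in this bulletin and should be restarted with the workaround applied.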
· Complete CVSS Guide
· On-line Calculator V2
· IBM Security Alerts
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
06-06-13 Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Software version: 6.1, 7.0, 7.1.1, 8.5, 8.6
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1640058
Modified date: 2013-06-07