Security Bulletin: RMI vulnerability in Java, as used with WebSphere eXtreme Scale

Flash (Alert)


Abstract

A security vulnerability in the Remote Method Invocation component of the Java Runtime Environment allows unauthenticated network attacks which can result in unauthorized operating system takeover including arbitrary code execution.

Content

VULNERABILITY DETAILS:
CVE-2013-1537
A vulnerability in the Java Runtime Environment RMI component is present in versions of the IBM Java Runtime Environment as shipped with WebSphere eXtreme Scale, and is also present in JREs provided by other vendors. This vulnerability allows successful unauthenticated network attacks, which can result in arbitrary code execution and unauthorized operating system takeover.

The vulnerability is present only if the client or server application uses RMI and the Java process runs under a Java security manager (for example, one enabled with -Djava.security.manager). RMI loads classes from a remote codebase only when a security manager is installed, so deployments of the WebSphere eXtreme Scale server that run with a security manager are affected.

CVEID: CVE-2013-1537
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83571 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:

All versions of WebSphere eXtreme Scale, including

WebSphere eXtreme Scale 6.1 as shipped with WebSphere Extended Deployment 6.1
WebSphere eXtreme Scale 7.0
WebSphere eXtreme Scale 7.1.1
WebSphere eXtreme Scale 8.5
WebSphere eXtreme Scale 8.6

REMEDIATION:

Please apply the workaround described below. Future versions of the WebSphere eXtreme Scale server will set the Java system property java.rmi.server.useCodebaseOnly to true by default, and future versions of the Java Runtime Environment shipped with WebSphere eXtreme Scale will also default this property to true.

Workarounds:

Start the Java virtual machine with -Djava.rmi.server.useCodebaseOnly=true, or otherwise set that Java system property to true before any RMI class loading takes place. With this setting, RMI ignores the codebase annotations it receives from remote parties and loads classes only from the local class path and from the locations named in the java.rmi.server.codebase property. If the application legitimately loads RMI classes from locations other than the class path, the java.rmi.server.codebase system property must therefore be set as well.
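One way to confirm that a running JVM was actually started with this workaround is to inspect its command line. The script below is an added example for this bulletin, not IBM's or WebSphere eXtreme Scale's own tooling. The sample command lines, the app.jar class path and the com.example main classes are constructed placeholders, and the process audit assumes a ps that supports -o args (Linux, AIX, Solaris). It classifies each command line as lacking the security manager flag, mitigated, or vulnerable, honouring the JVM's last-wins rule for repeated -D options and counting only the value true as enabling the property.

```shell
#!/bin/sh
# Classify a JVM command line for CVE-2013-1537 exposure.
# Added example for this bulletin; not IBM or WebSphere eXtreme Scale code.
#
# Output (one word on stdout):
#   no-security-manager-flag : -Djava.security.manager is not on the command
#                              line, so the advisory's precondition is not
#                              visible here (a security manager installed
#                              programmatically cannot be seen this way)
#   mitigated                : security manager set and useCodebaseOnly=true
#   vulnerable               : security manager set, workaround not applied
#
# Assumptions: when a -D option is repeated the last occurrence wins (JVM
# behaviour), and the property only counts as enabled when its value is
# "true" (case-insensitive), which is how Boolean.getBoolean reads it on JREs
# that still default it to false. A bare -Djava.rmi.server.useCodebaseOnly
# sets the value to the empty string and therefore does NOT enable it.
# Arguments are split on whitespace; quoted values containing spaces are
# not handled.
rmi_codebase_status() {
    _cmdline=$1
    _secmgr=0
    _codebase_only=0
    set -f                      # no pathname expansion while splitting
    for _arg in $_cmdline; do
        case "$_arg" in
            -Djava.security.manager|-Djava.security.manager=*)
                _secmgr=1 ;;
            -Djava.rmi.server.useCodebaseOnly=*)
                _val=$(printf '%s' "${_arg#*=}" | tr 'A-Z' 'a-z')
                if [ "$_val" = "true" ]; then
                    _codebase_only=1
                else
                    _codebase_only=0   # explicit false overrides an earlier true
                fi ;;
            -Djava.rmi.server.useCodebaseOnly)
                _codebase_only=0 ;;    # empty value: not enabled
        esac
    done
    set +f
    if [ "$_secmgr" -eq 0 ]; then
        echo no-security-manager-flag
    elif [ "$_codebase_only" -eq 1 ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Audit every java process on the host (assumes ps supports -o args).
# Not run by default; call it interactively on the target machine.
audit_running_jvms() {
    ps -eo args= | grep '[j]ava' | while IFS= read -r _line; do
        printf '%s\t%s\n' "$(rmi_codebase_status "$_line")" "$_line"
    done
}

# Constructed sample command lines (not captured from a real system;
# the class path and main classes are placeholders).
SAMPLE_VULNERABLE='java -Djava.security.manager -Djava.security.policy=server.policy -cp app.jar com.example.GridServer'
SAMPLE_MITIGATED='java -Djava.security.manager -Djava.rmi.server.useCodebaseOnly=true -cp app.jar com.example.GridServer'
SAMPLE_OVERRIDDEN='java -Djava.rmi.server.useCodebaseOnly=true -Djava.security.manager -Djava.rmi.server.useCodebaseOnly=false -cp app.jar com.example.GridServer'
SAMPLE_NO_SECMGR='java -cp app.jar com.example.GridClient'

for _s in "$SAMPLE_VULNERABLE" "$SAMPLE_MITIGATED" "$SAMPLE_OVERRIDDEN" "$SAMPLE_NO_SECMGR"; do
    printf '%-26s %s\n' "$(rmi_codebase_status "$_s")" "$_s"
done
```

The check reads only the command line. A security manager installed programmatically with System.setSecurityManager, or -D options injected through the JAVA_TOOL_OPTIONS or IBM_JAVA_OPTIONS environment variables, are not visible to it, so treat a no-security-manager-flag result as unverified rather than as safe, and confirm the effective value of the property from inside the JVM where possible.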

Mitigations:
None

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-1537
· http://xforce.iss.net/xforce/xfdb/83571
· IBM Security Alerts



RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
06-06-13 Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

WebSphere eXtreme Scale
General

Software version:

6.1, 7.0, 7.1.1, 8.5, 8.6

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #:

1640058

Modified date:

2013-06-11
