Security Bulletin: IBM InfoSphere Master Data Management – Java CPU Feb 2013 (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the IBM Java SDK shipped with IBM WebSphere Application Server that affect IBM InfoSphere Master Data Management versions 8.5, 9.0.1, 9.0.2, 10.0.0, 10.1.0, and 11.0.0.

Content

VULNERABILITY DETAILS:

CVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED PRODUCTS:

IBM InfoSphere Master Data Management versions 8.5.0, 9.0.1, 9.0.2, 10.0.0.0, 10.1.0.0, 11.0.0.0


REMEDIATION:

· For IBM InfoSphere Master Data Management versions v8.5.0, v9.0.1, v9.0.2 using IBM WebSphere Application Server V6.1.0.0 through 6.1.0.45:
    o Apply Interim Fix PM80756: This will upgrade your system to SDK 5 SR16 FP1 + IV37670

· For IBM InfoSphere Master Data Management versions v9.0.1, v9.0.2, v10.0.0 using IBM WebSphere Application Server V7.0.0.0 through 7.0.0.27:
    o Apply Interim Fix PM80757: This will upgrade your system to SDK 6 SR13 + IV36426 + IV37419 + IV37656 + IV38029

· For IBM InfoSphere Master Data Management version v10.1.0 using IBM WebSphere Application Server V8.0.0.0 through 8.0.0.5:
    o Apply Interim Fix PM80758: This will upgrade your system to SDK 6 (J9 2.6) SR5 + IV36426 + IV37419 + IV37656 + IV38029
    o Also see the Important Note below for this version

· For IBM InfoSphere Master Data Management version v11.0.0.0 using IBM WebSphere Application Server V8.5.0.2:
    o Apply Interim Fix PM86919: This will upgrade your system to SDK 6 (J9 2.6) SR5 + IV36426 + IV37419 + IV37656 + IV38029

VENDOR FIX(ES):

Fix*                                         VRMF     APAR     Download URL
6.1.0.0-WS-WASJavaSDK-<Platform>-IFPM80756   6.1.0.0  PM80756  http://www-01.ibm.com/support/docview.wss?uid=swg24034418
7.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80757   7.0.0.0  PM80757  http://www-01.ibm.com/support/docview.wss?uid=swg24034443
8.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80758   8.0.0.0  PM80758  http://www-01.ibm.com/support/docview.wss?uid=swg24034447
8.5.0.0-WS-WASJavaSDK-<Platform>-IFPM86919   8.5.0.0  PM86919  http://www-01.ibm.com/support/docview.wss?uid=swg24034798


Important note:
These instructions apply to IBM InfoSphere Master Data Management version 10.1.0:

Loading Configuration Management Data using the agent will fail after applying fix 8.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80758.

The management agent will have this error and will not be able to load the data:
    2013-05-27 10:15:34,652 ERROR - com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is java.lang.reflect.InvocationTargetException]
    -----------------------------------------------------------------------------------------------
    Caused by: java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)

If the fix is applied:
    1. Before MDM v10.1 is installed
      - install MDM and let it fail due to failure to populate CM data
      - stop the Management Agent
      - edit the mgmt_agent.policy under <instance home>/ManagementAgent/config and add the following entry to the end:
      permission java.lang.reflect.ReflectPermission "*";
      - start the management agent
      - load the CM data manually
      - restart the application
      - run the IVT to verify it passes
    2. After MDM v10.1 is installed
      - stop the Management Agent
      - edit the mgmt_agent.policy under <instance home>/ManagementAgent/config and add the following entry to the end:
      permission java.lang.reflect.ReflectPermission "*";
      - start the management agent
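As an added illustration that is not part of the bulletin, the following Java program shows the mechanism behind the Important Note: under a SecurityManager, Field.setAccessible(true) requires ReflectPermission "suppressAccessChecks", and a policy that omits that grant produces the same AccessControlException the management agent logs, while a policy that grants it lets the same code succeed. The Probe class and the two in-memory Policy objects are constructed for the demo; it assumes a JDK that still supports SecurityManager (Java 8, or Java 17 started with -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class ReflectPermissionDemo {

    // Constructed target class: the private field can only be read via setAccessible(true).
    static class Probe {
        private int secret = 42;
    }

    // In-memory policy (demo only): grants everything except ReflectPermission
    // unless grantReflect is true, in which case only "suppressAccessChecks" is granted,
    // the specific target named in the bulletin's error message.
    static Policy policy(final boolean grantReflect) {
        return new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission perm) {
                if (perm instanceof ReflectPermission) {
                    return grantReflect && "suppressAccessChecks".equals(perm.getName());
                }
                return true;
            }
        };
    }

    // Mirrors what the JNDI object factory does: reflective access to a non-public member.
    static String tryReflectiveAccess() {
        try {
            Field f = Probe.class.getDeclaredField("secret");
            f.setAccessible(true); // checked against ReflectPermission "suppressAccessChecks"
            return "ok: secret=" + f.getInt(new Probe());
        } catch (AccessControlException e) {
            // Same failure mode as the agent log: Access denied (ReflectPermission suppressAccessChecks)
            return "denied: " + e.getPermission();
        } catch (ReflectiveOperationException e) {
            return "reflection error: " + e;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(policy(false));
        System.setSecurityManager(new SecurityManager());
        System.out.println("without grant -> " + tryReflectiveAccess());
        Policy.setPolicy(policy(true));   // allowed: the demo policy grants SecurityPermission
        System.out.println("with grant    -> " + tryReflectiveAccess());
    }
}
```

The demo grants only "suppressAccessChecks", the single target the logged exception names, whereas the bulletin's procedure adds ReflectPermission "*" to mgmt_agent.policy, which covers every reflect target for the agent.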

WORKAROUND(S):
· None known; apply the fixes above

MITIGATION(S):
· None known


REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2013-0440, http://xforce.iss.net/xforce/xfdb/81799
· CVE-2013-0443, http://xforce.iss.net/xforce/xfdb/81801
· CVE-2013-0169, http://xforce.iss.net/xforce/xfdb/81902

Cross reference information
Segment                 Product                                   Component        Platform                    Version                                     Edition
Information Management  InfoSphere Master Data Management Server  Not Applicable   AIX, Solaris, HP-UX, Linux  8.5, 9.0, 9.0.1, 9.0.2, 10.0, 10.1, 11.0   WebSphere


Document information
More support for: InfoSphere Master Data Management
Software version: 10.0, 10.1, 11.0
Operating system(s): AIX, HP-UX, Linux, Solaris
Reference #: 1640793
Modified date: 2013-06-13
