Security Bulletin: IBM InfoSphere Master Data Management – Java CPU Feb 2013 (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)

Abstract

Multiple security vulnerabilities exist in the IBM Java SDK shipped with IBM WebSphere Application Server that affect IBM InfoSphere Master Data Management versions 8.5, 9.0.1, 9.0.2, 10.0.0, 10.1.0, and 11.0.0.

Content

VULNERABILITY DETAILS:

CVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED PRODUCTS:

IBM InfoSphere Master Data Management versions 8.5.0, 9.0.1, 9.0.2, 10.0.0.0, 10.1.0.0, 11.0.0.0


REMEDIATION:

· For IBM InfoSphere Master Data Management versions v8.5.0, v9.0.1, v9.0.2 using IBM WebSphere Application Server V6.1.0.0 through 6.1.0.45:
o Apply Interim Fix PM80756: This will upgrade your system to SDK 5 SR16 FP1 + IV37670
· For IBM InfoSphere Master Data Management versions v9.0.1, v9.0.2, v10.0.0 using IBM WebSphere Application Server V7.0.0.0 through 7.0.0.27:
o Apply Interim Fix PM80757: This will upgrade your system to SDK 6 SR13 + IV36426 + IV37419 + IV37656 + IV38029

· For IBM InfoSphere Master Data Management version v10.1.0 using IBM WebSphere Application Server V8.0.0.0 through 8.0.0.5:
o Apply Interim Fix PM80758: This will upgrade your system to SDK 6 (J9 2.6) SR5 + IV36426 + IV37419 + IV37656 + IV38029
o Also see the Important Note below for this version

· For IBM InfoSphere Master Data Management version v11.0.0.0 using IBM WebSphere Application Server V8.5.0.2:
o Apply Interim Fix PM86919: This will upgrade your system to SDK 6 (J9 2.6) SR5 + IV36426 + IV37419 + IV37656 + IV38029

VENDOR FIX(ES)

Fix*                                          VRMF     APAR     Download URL
6.1.0.0-WS-WASJavaSDK-<Platform>-IFPM80756    6.1.0.0  PM80756  http://www-01.ibm.com/support/docview.wss?uid=swg24034418
7.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80757    7.0.0.0  PM80757  http://www-01.ibm.com/support/docview.wss?uid=swg24034443
8.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80758    8.0.0.0  PM80758  http://www-01.ibm.com/support/docview.wss?uid=swg24034447
8.5.0.0-WS-WASJavaSDK-<Platform>-IFPM86919    8.5.0.0  PM86919  http://www-01.ibm.com/support/docview.wss?uid=swg24034798


Important note:
These instructions apply to IBM InfoSphere Master Data Management version 10.1.0:

Loading Configuration Management Data using the agent will fail after applying fix 8.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80758.

The management agent logs the following error and is unable to load the data:

2013-05-27 10:15:34,652 ERROR - com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is java.lang.reflect.InvocationTargetException]
-----------------------------------------------------------------------------------------------
Caused by: java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)

If the fix is applied:
1. Before MDM v10.1 is installed
- install MDM and let it fail due to failure to populate CM data
- stop the Management Agent
- edit the mgmt_agent.policy under <instance home>/ManagementAgent/config and add the following entry to the end:
permission java.lang.reflect.ReflectPermission "*";
- start the management agent
- load the CM data manually
- restart the application
- run the IVT to verify it passes


2. After MDM v10.1 is installed
- stop the Management Agent
- edit the mgmt_agent.policy under <instance home>/ManagementAgent/config and add the following entry to the end:
permission java.lang.reflect.ReflectPermission "*";
- start the management agent
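As an added check that is not part of the bulletin, the following Python (helper names are assumed) detects the AccessControlException signature quoted above in management agent log lines and verifies whether a mgmt_agent.policy text grants the ReflectPermission the note asks for. The sample log and policy texts are constructed, and the permission entry is placed in its own grant block, which is the form a Java policy file expects.

```python
import re

# Failure signature quoted in the bulletin's Important Note.
ACCESS_DENIED_RE = re.compile(
    r"java\.security\.AccessControlException: Access denied "
    r"\(java\.lang\.reflect\.ReflectPermission (?P<target>\S+)\)"
)
# A permission entry inside a grant block of a Java policy file.
PERMISSION_RE = re.compile(
    r'^\s*permission\s+java\.lang\.reflect\.ReflectPermission\s+"(?P<target>[^"]*)"\s*;',
    re.MULTILINE,
)

# Constructed sample: the two log lines the bulletin quotes.
SAMPLE_LOG = """\
2013-05-27 10:15:34,652 ERROR - com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is java.lang.reflect.InvocationTargetException]
Caused by: java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
"""
# Constructed policy excerpts (hypothetical, not the shipped mgmt_agent.policy).
POLICY_BEFORE = """\
grant {
    permission java.util.PropertyPermission "*", "read";
};
"""
POLICY_AFTER = POLICY_BEFORE + """\
grant {
    permission java.lang.reflect.ReflectPermission "*";
};
"""

def denied_reflect_targets(log_text):
    """ReflectPermission targets the agent log reports as denied, de-duplicated."""
    return sorted({m.group("target") for m in ACCESS_DENIED_RE.finditer(log_text)})

def policy_grants_reflect(policy_text, target="suppressAccessChecks"):
    """True if the policy grants ReflectPermission for target; "*" covers every target."""
    # Drop comment lines and block comments so a commented-out grant does not count.
    stripped = re.sub(r"/\*.*?\*/", "", policy_text, flags=re.DOTALL)
    stripped = re.sub(r"^\s*//[^\n]*", "", stripped, flags=re.MULTILINE)
    granted = {m.group("target") for m in PERMISSION_RE.finditer(stripped)}
    return "*" in granted or target in granted

def missing_grants(log_text, policy_text):
    """Denied targets from the log that the policy still does not grant."""
    return [t for t in denied_reflect_targets(log_text)
            if not policy_grants_reflect(policy_text, t)]
```

Running missing_grants over the real agent log and the edited policy file gives an empty list once the note's entry is in place.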


WORKAROUND(S):
· None known; apply the fixes above

MITIGATION(S):
· None known


REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2013-0440, https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
· CVE-2013-0443, https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
· CVE-2013-0169, https://exchange.xforce.ibmcloud.com/vulnerabilities/81902


Document Information

Modified date:
25 September 2022

UID

swg21640793