Security Bulletin: IBM WebSphere Appliance Management Center, multiple security vulnerabilities in IBM Java Runtime Environment 6

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of IBM WebSphere Appliance Management Center.

Content

CVEID: CVE-2013-2415

Description: Part of the JAX-WS component creates temporary files with inappropriate permission attributes, leaving them readable by any local user on the same host. The temporary files may contain sensitive information (for example, message content being marshalled). The fix ensures that temporary files are only accessible by the user account that launched the Java Virtual Machine.

This vulnerability is only exploitable by users with local access to the host on which the Java Virtual Machine is executing. It cannot be exploited through untrusted Java Web Start applications or untrusted Java applets, and it cannot be exploited via untrusted data passed into a server application or service.


CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83592 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
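The permission problem above, as an added example (not code from IBM WebSphere Appliance Management Center or from JAX-WS): the legacy java.io temp-file API takes its file mode from the process umask, which on most systems leaves the file readable by every local user, while the java.nio.file API creates temporary files as owner-only on POSIX and lets the caller state the mode explicitly. The class also includes a check that lists other-readable files in java.io.tmpdir, which is how an administrator can confirm what an unpatched application leaves behind. The class name, prefixes and helper names are assumptions for illustration; it is written for AIX/Linux, since the POSIX permission calls throw UnsupportedOperationException on Windows NTFS.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example, not code from the IBM product or from JAX-WS.
 * Contrasts the legacy java.io temp-file API (mode = 0666 masked by the
 * umask, typically 0644) with java.nio.file, which on POSIX creates temp
 * files as 0600 by default and accepts an explicit mode.
 */
public class TempFilePermissions {

    /** Legacy API: the kernel applies the umask to 0666, so the file is usually 0644. */
    static Path legacyTemp() throws IOException {
        return File.createTempFile("legacy-", ".tmp").toPath();
    }

    /** NIO.2 API with the mode stated explicitly: owner read/write only. */
    static Path ownerOnlyTemp() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> mode = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempFile("fixed-", ".tmp", mode);
    }

    /** Hardening for a file that already exists: drop the group/other bits in place. */
    static void restrictToOwner(Path p) throws IOException {
        Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("rw-------"));
    }

    /** True if the file's mode grants read access to group or other. */
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    /**
     * Audit helper: regular files directly under the given directory that
     * other users can read. Run it as the JVM's service account against
     * java.io.tmpdir after exercising the application. Entries that vanish
     * or cannot be stat'ed between listing and inspection are skipped.
     */
    static List<Path> readableTempFiles(Path dir) throws IOException {
        List<Path> hits = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path p : entries) {
                try {
                    if (Files.isRegularFile(p) && readableByOthers(p)) {
                        hits.add(p);
                    }
                } catch (IOException raced) {
                    // file removed or inaccessible mid-scan; not a finding
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTemp();
        Path fixed = ownerOnlyTemp();
        try {
            System.out.println("legacy API : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
                + (readableByOthers(legacy) ? "   <-- readable by other local users" : ""));
            System.out.println("nio.2 API  : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(fixed)));
            restrictToOwner(legacy);
            System.out.println("legacy, after restrictToOwner: "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy)));
            Path tmpdir = Paths.get(System.getProperty("java.io.tmpdir"));
            System.out.println(readableTempFiles(tmpdir).size() + " other-readable file(s) in " + tmpdir);
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(fixed);
        }
    }
}
```

Compile and run it as the same account the product runs under; on a host with the usual umask of 022 the first line shows rw-r--r-- and the second rw-------, which is the difference the fix closes. Setting a restrictive umask for the service account is a defence in depth, but it does not substitute for the upgrade, because the application may run under an account whose umask is not under the administrator's control.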



CVEID: CVE-2013-0169

Description: This is the recently publicised "Lucky 13" TLS attack (AlFardan and Paterson, 2013). In CBC mode a TLS record consists of the application data, an HMAC over that data (a keyed message authentication code built from a hash function such as MD5 or SHA-1, initialised with the session's MAC key), and padding. The padding brings the record up to a multiple of the block size required by the block cipher.

Internally the HMAC runs the hash function's compression routine once per 64-byte block of input (for MD5 and SHA-1), plus a fixed cost for the key blocks and the outer hash, so the number of compressions depends on the length of the data being authenticated. On the receiving side, the padding length byte at the end of the decrypted record determines how many bytes are stripped before the MAC is verified, and therefore how much data is fed to the HMAC.

By sending many modified records (adjusting the ciphertext so that the decrypted padding length byte takes different values) and timing the resulting TLS error messages over many connections, an attacker can statistically observe which padding values cause the receiver to perform fewer HMAC compressions. Because that outcome depends on the decrypted bytes, the attacker can deduce plaintext one byte at a time after a relatively small number of decryption operations per byte; the published attack needs on the order of millions of TLS sessions for each byte recovered.

This issue applies to applications that use TLS through the JSSE component; the attack is run against the side that decrypts CBC records, which in most deployments is the server. Despite the public disclosure, the issue is largely theoretical and very difficult to exploit in real-world scenarios: the attacker must sit on the network path, must be able to make the victim resend the same secret (such as a session cookie) at a predictable position in many connections, and must resolve timing differences of a few microseconds against network jitter. The standard fix is to make the MAC check take the same time regardless of the padding length.


CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
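The mechanism above, as an added worked example (not code from the IBM product or from JSSE): the class models the receiver's MAC check on a TLS CBC record with HMAC-SHA1 and counts the SHA-1 compression-function calls it costs for each value of the padding length byte. The TLS MAC is computed over a 13-byte pseudo-header (sequence number, type, version, length) followed by the payload, which is where the name comes from; with a 64-byte record, a padding length of 0 leaves a 56-byte MAC input (two SHA-1 blocks) while a padding length of 1 leaves 55 bytes (one block), and that one-compression gap is the timing signal. The record length, the constants and the helper names are assumptions for illustration; the handling of invalid padding, which differs between implementations, is deliberately left out.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from the IBM product or from JSSE. Counts the
 * SHA-1 compressions a TLS 1.0-1.2 receiver spends verifying the HMAC of a
 * decrypted CBC record as a function of the padding_length byte, then times
 * a real javax.crypto HMAC at the 55/56-byte boundary.
 */
public class Lucky13Compressions {

    static final int HASH_BLOCK = 64;   // SHA-1 (and MD5) compression block, bytes
    static final int MAC_LEN = 20;      // HMAC-SHA1 tag length
    static final int TLS_HEADER = 13;   // seq_num(8) + type(1) + version(2) + length(2): the "13"

    /** Compressions SHA-1 spends on msgLen bytes: message, 0x80, zero fill, 8-byte length, in 64-byte blocks. */
    static int sha1Compressions(int msgLen) {
        return (msgLen + 9 + HASH_BLOCK - 1) / HASH_BLOCK;
    }

    /** HMAC-SHA1: inner hash = ipad block + message; outer hash = opad block + 20-byte digest (always 2). */
    static int hmacSha1Compressions(int msgLen) {
        return 1 + sha1Compressions(msgLen) + 2;
    }

    /**
     * A decrypted CBC record is: payload || MAC || padding || padding_length.
     * The receiver reads padding_length (padLen), strips padLen + 1 bytes and
     * the MAC, and verifies the MAC over TLS_HEADER || payload. Returns the
     * compressions that verification costs, or -1 if padLen cannot be valid
     * for this record length (that path is implementation specific).
     */
    static int receiverCompressions(int recordLen, int padLen) {
        int payload = recordLen - MAC_LEN - padLen - 1;
        if (payload < 0) return -1;
        return hmacSha1Compressions(TLS_HEADER + payload);
    }

    /**
     * The attacker's question: does this padLen cost fewer compressions than
     * the slowest valid padding (padLen 0, the longest payload)? For a 64-byte
     * record the answer is yes for every valid padLen >= 1; the attack tests
     * for the most likely such case, a decrypted tail of 0x01 0x01.
     */
    static boolean fasterThanWorstCase(int recordLen, int padLen) {
        int worst = receiverCompressions(recordLen, 0);
        int cost = receiverCompressions(recordLen, padLen);
        return cost != -1 && cost < worst;
    }

    /**
     * Mitigation sketch: how many dummy 64-byte blocks the receiver must push
     * through the hash so that every padLen costs the same as the worst case.
     * Patched TLS stacks do the equivalent so that elapsed time no longer
     * depends on the decrypted padding.
     */
    static int dummyBlocksToEqualize(int recordLen, int padLen) {
        int cost = receiverCompressions(recordLen, padLen);
        return cost == -1 ? 0 : receiverCompressions(recordLen, 0) - cost;
    }

    public static void main(String[] args) throws Exception {
        int recordLen = 64;  // one 64-byte record, the case analysed for HMAC-SHA1 in the Lucky 13 paper
        for (int padLen = 0; padLen <= 2; padLen++) {
            int payload = recordLen - MAC_LEN - padLen - 1;
            System.out.printf("padLen=%d  MAC input=%d bytes  compressions=%d  faster=%b  dummy blocks=%d%n",
                padLen, TLS_HEADER + payload, receiverCompressions(recordLen, padLen),
                fasterThanWorstCase(recordLen, padLen), dummyBlocksToEqualize(recordLen, padLen));
        }
        // Time a real HMAC at the boundary: 55 bytes fits one SHA-1 block after padding, 56 needs two.
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(new byte[MAC_LEN], "HmacSHA1"));  // all-zero key: a stand-in for the session MAC key
        for (int len : new int[] {55, 56}) {
            byte[] msg = new byte[len];
            for (int i = 0; i < 50_000; i++) mac.doFinal(msg);  // JIT warm-up
            int iters = 500_000;
            long t0 = System.nanoTime();
            for (int i = 0; i < iters; i++) mac.doFinal(msg);
            System.out.printf("HMAC-SHA1 over %d bytes: %.1f ns/op%n", len, (System.nanoTime() - t0) / (double) iters);
        }
    }
}
```

The first three output lines read 5, 4 and 4 compressions for padding lengths 0, 1 and 2, so any valid padding of at least one byte is one compression cheaper than the zero-padding case and one dummy block equalises it. The in-process timing loop shows the gap directly; over a network it is buried in jitter, which is why the attack needs many sessions per byte and why the advisory rates it as difficult to exploit in practice.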



Affected Products And Versions:
IBM WebSphere Appliance Management Center v4 (all releases).


Remediation:
Upgrade to IBM WebSphere Appliance Management Center v5.0 (27 June 2013) release.


Workaround(s):
None


Mitigation(s):
Upgrade to IBM WebSphere Appliance Management Center v5.0 (27 June 2013) release.


References:
- Complete CVSS Guide
- On-line Calculator V2
- CVE-2013-2415
- CVE-2013-0169
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/83592
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81902


Related Information:
- IBM Secure Engineering Web Portal
- IBM Product Security Incident Response Blog


Acknowledgement:
None


Change History:
27 June 2013: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Related information

IBM WebSphere Appliance Management Center


Document information

More support for: WebSphere Appliance Management Center
Software version: 4.0
Operating system(s): AIX, Linux, Windows
Reference #: 1641325
Modified date: 2013-06-28
