IBM Support

Security Bulletin: Multiple vulnerabilities exist in the SOAP Gateway component of IMS Enterprise Suite (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003)

Flashes (Alerts)


Abstract

The SOAP Gateway component of IMS™ Enterprise Suite versions 1.1, 2.1, and 2.2 is affected by multiple vulnerabilities in IBM® Java™ and could allow remote, arbitrary command execution.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0440

DESCRIPTION:
An unspecified vulnerability could allow remote attackers to affect availability via vectors that are related to JSSE.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-0443

DESCRIPTION:
An unspecified vulnerability could allow remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2013-0169

DESCRIPTION:
The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, also known as the "Lucky Thirteen" issue.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-3003

DESCRIPTION:
The SOAP Gateway component of IMS Enterprise Suite could allow a remote attacker to execute arbitrary commands. SOAP Gateway users are authenticated with OS credentials and a successful exploit requires the user to be authenticated. Any commands executed will be limited by the privileges of the authenticated user.

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84129
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)

AFFECTED PRODUCTS:
The SOAP Gateway component of IMS Enterprise Suite versions 1.1, 2.1, and 2.2.

REMEDIATION:

FIX(ES):

Fix*VRMFDownload URL
IMS Enterprise Suite SOAP Gateway 1.11.1.0.6
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite
IMS Enterprise Suite SOAP Gateway 2.12.1.0.5
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite
IMS Enterprise Suite SOAP Gateway 2.22.2.0.2
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite


Important note: IBM strongly recommends that all System z® customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

WORKAROUNDS: None.

MITIGATIONS: None.

REFERENCES:

CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003

Complete CVSS Guide (http://www.first.org/cvss/v2/guide)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
X-Force® Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81799)
CVE-2013-0440 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440)
X-Force Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81801)
CVE-2013-0443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443)
X-Force Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81902)
CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169)
X-Force Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/84129)
CVE-2013-3003 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3003)


RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog

CHANGE HISTORY:
June 4, 2013: Initial version.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSGMWY","label":"IBM IMS Enterprise Suite for z\/OS"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"SOAP Gateway","Platform":[{"code":"PF035","label":"z\/OS"},{"code":"PF033","label":"Windows"}],"Version":"1.1;2.1;2.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Document Information

Modified date:
25 September 2022

UID

swg21641655