Security Bulletin: Potential Security Vulnerabilities in Oracle Java 5 SDK affecting IBM OpenPages GRC Platform version 5

Summary

IBM OpenPages GRC Platform version 5 has a potential security exposure due to vulnerabilities in the Oracle Java 5 SDK that allow remote attackers to affect confidentiality, integrity and availability of the Java platform via various vectors.

CVE-2011-3547, CVE-2011-3546, CVE-2011-3548, CVE-2011-3549, CVE-2011-3516, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, CVE-2011-3389

Vulnerability Details

CVE-2011-3547: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to Networking to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70846 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3546: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70847 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-2011-3548: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to AWT.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70845 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3549: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Swing.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3516: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3550: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to AWT.
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70843 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVE-2011-3551: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to 2D.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70842 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3552: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect integrity. An attacker could exploit this vulnerability using unknown attack vectors related to Networking.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-2011-3553: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to JAXWS to obtain sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70840 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE-2011-3544: Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of Rhino JavaScript errors. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3545: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Sound.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70848 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3521: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Deserialization.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70850 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3554: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70839 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3555: Oracle Java SE JDK and JRE are vulnerable to a denial of service, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors to cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70838 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVE-2011-3558: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to HotSpot to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3556: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to RMI.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70837 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2011-3557: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to RMI.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2011-3389: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols when using a Cipher-Block Chaining (CBC) based cryptographic algorithm. By persuading a victim to visit a Web site, a remote attacker could exploit this vulnerability using man-in-the-middle techniques to decrypt HTTPS sessions and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70069 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-3560: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity. An attacker could exploit this vulnerability using unknown attack vectors related to JSSE.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70834 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVE-2011-3561: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment to obtain sensitive information.
CVSS Base Score: 1.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/70833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:H/Au:N/C:P/I:N/A:N)
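Every entry above pairs a CVSS v2 vector with a base score, and the footnote leaves the environmental score to each customer. The following script is an added example, not code from IBM or Oracle: it recomputes each base score from its vector using the CVSS v2 equations and metric weights published in the FIRST CVSS v2 guide, compares the result with the score printed in this bulletin, and shows how the environmental modifiers (collateral damage, target distribution, C/I/A requirements) change a score for a particular site. The `BULLETIN` table is transcribed from the entries above; the requirement values passed to `environmental_score` at the end are illustrative choices, not values from this bulletin.

```python
"""CVSS v2 score check for the vectors in this bulletin (added example)."""
import re
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the FIRST CVSS v2 guide.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                           # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                            # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                           # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                          # C/I/A impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}       # Exploitability (temporal)
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}     # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}                # Report Confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}        # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                  # C/I/A Requirement

_VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$")


def _round1(x):
    """Round half-up to one decimal, as the CVSS v2 equations prescribe."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split a base vector such as '(AV:N/AC:L/Au:N/C:P/I:N/A:N)' into its metrics."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def _base_from_parts(impact, exploit):
    # f(Impact) is 0 when there is no impact at all, else 1.176.
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact)


def base_score(vector):
    """CVSS v2 base score of a vector string."""
    mt = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[mt["C"]]) * (1 - CIA[mt["I"]]) * (1 - CIA[mt["A"]]))
    exploit = 20 * AV[mt["AV"]] * AC[mt["AC"]] * AU[mt["Au"]]
    return _base_from_parts(impact, exploit)


def environmental_score(vector, e="ND", rl="ND", rc="ND",
                        cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """CVSS v2 environmental score. With every modifier left 'ND' (not defined)
    it reduces to the base score; the bulletin lists it as 'Undefined' because
    only the deploying site knows these values."""
    mt = parse_vector(vector)
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[mt["C"]] * REQ[cr])
                                      * (1 - CIA[mt["I"]] * REQ[ir])
                                      * (1 - CIA[mt["A"]] * REQ[ar])))
    exploit = 20 * AV[mt["AV"]] * AC[mt["AC"]] * AU[mt["Au"]]
    adj_base = _base_from_parts(adj_impact, exploit)
    adj_temporal = _round1(adj_base * E[e] * RL[rl] * RC[rc])
    return _round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])


# Vectors and base scores transcribed from the Vulnerability Details above.
BULLETIN = [
    ("CVE-2011-3547", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
    ("CVE-2011-3546", "(AV:N/AC:M/Au:N/C:P/I:P/A:N)", 5.8),
    ("CVE-2011-3548", "(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    ("CVE-2011-3516", "(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    ("CVE-2011-3550", "(AV:N/AC:H/Au:N/C:C/I:C/A:C)", 7.6),
    ("CVE-2011-3552", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
    ("CVE-2011-3553", "(AV:N/AC:M/Au:S/C:P/I:N/A:N)", 3.5),
    ("CVE-2011-3555", "(AV:N/AC:H/Au:N/C:N/I:P/A:P)", 4.0),
    ("CVE-2011-3556", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
    ("CVE-2011-3557", "(AV:N/AC:M/Au:N/C:P/I:P/A:P)", 6.8),
    ("CVE-2011-3389", "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", 4.3),
    ("CVE-2011-3560", "(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    ("CVE-2011-3561", "(AV:A/AC:H/Au:N/C:P/I:N/A:N)", 1.8),
]


def check_bulletin(entries=BULLETIN):
    """Return (cve, published, computed) for every entry whose published base
    score differs from the recomputed one; an empty list means the table checks out."""
    return [(cve, pub, base_score(vec)) for cve, vec, pub in entries
            if abs(base_score(vec) - pub) > 1e-9]


if __name__ == "__main__":
    for cve, vec, pub in BULLETIN:
        print(f"{cve}  published={pub:<4} computed={base_score(vec):<4} {vec}")
    print("mismatches:", check_bulletin())
    # Illustrative site choices (not from the bulletin): a site rating
    # confidentiality as highly important (CR:H) lifts CVE-2011-3547 from
    # 5.0 to 6.0, while a site with no affected hosts (TD:N) scores it 0.0.
    print(environmental_score("(AV:N/AC:L/Au:N/C:P/I:N/A:N)", cr="H"))
    print(environmental_score("(AV:N/AC:L/Au:N/C:P/I:N/A:N)", td="N"))
```

Run the script as-is to reproduce every base score in this bulletin; `check_bulletin()` returning an empty list confirms the printed scores agree with the vectors. The temporal scores are deliberately not recomputed, since the bulletin defers those to the X-Force links, which carry the current E/RL/RC values.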


Affected product(s): IBM OpenPages GRC Platform
Affected version(s): 5.0, 5.1, 5.5

REMEDIATION:
Fixes:
Download and install IBM OpenPages GRC Platform version 6.2.1 from Passport Advantage. Download information is available on the Downloading IBM OpenPages GRC 6.2.1 from Passport Advantage page.

Workaround(s):
None known; upgrade to the latest version.

Mitigation(s):
None known

REFERENCES:
Oracle's October 18, 2011 Critical Patch Update
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561
https://exchange.xforce.ibmcloud.com/vulnerabilities/70846
https://exchange.xforce.ibmcloud.com/vulnerabilities/70847
https://exchange.xforce.ibmcloud.com/vulnerabilities/70845
https://exchange.xforce.ibmcloud.com/vulnerabilities/70844
https://exchange.xforce.ibmcloud.com/vulnerabilities/70851
https://exchange.xforce.ibmcloud.com/vulnerabilities/70843
https://exchange.xforce.ibmcloud.com/vulnerabilities/70842
https://exchange.xforce.ibmcloud.com/vulnerabilities/70841
https://exchange.xforce.ibmcloud.com/vulnerabilities/70840
https://exchange.xforce.ibmcloud.com/vulnerabilities/70849
https://exchange.xforce.ibmcloud.com/vulnerabilities/70848
https://exchange.xforce.ibmcloud.com/vulnerabilities/70850
https://exchange.xforce.ibmcloud.com/vulnerabilities/70839
https://exchange.xforce.ibmcloud.com/vulnerabilities/70838
https://exchange.xforce.ibmcloud.com/vulnerabilities/70835
https://exchange.xforce.ibmcloud.com/vulnerabilities/70837
https://exchange.xforce.ibmcloud.com/vulnerabilities/70836
https://exchange.xforce.ibmcloud.com/vulnerabilities/70069
https://exchange.xforce.ibmcloud.com/vulnerabilities/70834
https://exchange.xforce.ibmcloud.com/vulnerabilities/70833



References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 June 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: OpenPages GRC Platform

Software version: 5.0, 5.1, 5.5, 5.5.2, 5.5.3

Operating system(s): AIX, Linux, Windows

Reference #: 1641966

Modified date: 25 June 2013
