Security Bulletin: Potential Security Vulnerabilities in Oracle Java 5 SDK affecting IBM OpenPages GRC Platform version 5

Flash (Alert)


Abstract

IBM OpenPages GRC Platform version 5 has a potential security exposure due to vulnerabilities in the Oracle Java 5 SDK that allow remote attackers to affect confidentiality, integrity and availability of the Java platform via various vectors.

CVE-2011-3547, CVE-2011-3546, CVE-2011-3548, CVE-2011-3549, CVE-2011-3516, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, CVE-2011-3389

Content

VULNERABILITY DETAILS

CVE-2011-3547: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to Networking to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70846 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3546: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70847 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-2011-3548: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to AWT.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70845 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3549: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Swing.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3516: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3550: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to AWT.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70843 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVE-2011-3551: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to 2D.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70842 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2011-3552: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect integrity. An attacker could exploit this vulnerability using unknown attack vectors related to Networking.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-2011-3553: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to JAXWS to obtain sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70840 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE-2011-3544: Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of Rhino JavaScript errors. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3545: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Sound.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70848 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3521: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors related to Deserialization.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70850 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3554: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity and availability. An attacker could exploit this vulnerability using unknown attack vectors.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70839 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-2011-3555: Oracle Java SE JDK and JRE are vulnerable to a denial of service, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors to cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70838 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVE-2011-3558: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to HotSpot to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-3556: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to RMI.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70837 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2011-3557: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow a remote attacker to affect confidentiality, integrity, and availability. An attacker could exploit this vulnerability using unknown attack vectors related to RMI.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2011-3389: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols when using a Cipher-Block Chaining (CBC) based cryptographic algorithm. By persuading a victim to visit a Web site, a remote attacker could exploit this vulnerability using man-in-the-middle techniques to decrypt HTTPS sessions and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70069 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2011-3560: An unspecified vulnerability in Oracle Java SE JDK and JRE within the Java Runtime Environment component could allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity. An attacker could exploit this vulnerability using unknown attack vectors related to JSSE.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70834 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVE-2011-3561: Oracle Java SE JDK and JRE could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the Java Runtime Environment component. An attacker could exploit this vulnerability using unknown attack vectors related to Deployment to obtain sensitive information.
CVSS Base Score: 1.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:H/Au:N/C:P/I:N/A:N)


Affected product(s): IBM OpenPages GRC Platform
Affected version(s): 5.0, 5.1, 5.5

REMEDIATION:
Fixes:
Download and install IBM OpenPages GRC Platform version 6.2.1 from Passport Advantage. Download information is available on the Downloading IBM OpenPages GRC 6.2.1 from Passport Advantage page.

Workaround(s):
None known; upgrade to latest version

Mitigation(s):
None known

REFERENCES:
Oracle’s October 18 2011 Critical Patch Update
Complete CVSS Guide
On-line Calculator V2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561
http://xforce.iss.net/xforce/xfdb/70846
http://xforce.iss.net/xforce/xfdb/70847
http://xforce.iss.net/xforce/xfdb/70845
http://xforce.iss.net/xforce/xfdb/70844
http://xforce.iss.net/xforce/xfdb/70851
http://xforce.iss.net/xforce/xfdb/70843
http://xforce.iss.net/xforce/xfdb/70842
http://xforce.iss.net/xforce/xfdb/70841
http://xforce.iss.net/xforce/xfdb/70840
http://xforce.iss.net/xforce/xfdb/70849
http://xforce.iss.net/xforce/xfdb/70848
http://xforce.iss.net/xforce/xfdb/70850
http://xforce.iss.net/xforce/xfdb/70839
http://xforce.iss.net/xforce/xfdb/70838
http://xforce.iss.net/xforce/xfdb/70835
http://xforce.iss.net/xforce/xfdb/70837
http://xforce.iss.net/xforce/xfdb/70836
http://xforce.iss.net/xforce/xfdb/70069
http://xforce.iss.net/xforce/xfdb/70834
http://xforce.iss.net/xforce/xfdb/70833

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
25 June 2013: Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.



DOCUMENT INFORMATION
More support for: OpenPages GRC Platform
Software version: 5.0, 5.1, 5.5, 5.5.2, 5.5.3
Operating system(s): AIX, Linux, Windows
Reference #: 1641966
Modified date: 2013-06-25
