Security Bulletin: Tivoli Workload Scheduler Distributed and Tivoli Workload Scheduler for Applications Openssl Multiple Vulnerabilities

Flash (Alert)


Abstract

OpenSSL versions prior to 1.0.0 do not follow best security practices and need to be upgraded.

Content

VULNERABILITY DETAILS:

CVEID: CVE-2012-2131
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75099 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-2110
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74926 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-0884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73916 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-0050
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72458 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-4108
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72128 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-4576
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72130 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-4577
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72131 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-4619
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72132 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-3210
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/69614 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2011-0014
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68221 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2010-3864
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/63293 for the current score
CVSS Environmental Score*: Unknown
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE ID: CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169)
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-0166 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166)
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2686 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686)
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
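
Each entry above pairs a CVSS v2 vector with a base score. The following calculator is an added example (it is not part of the IBM bulletin) that implements the published CVSS v2 base-score equation, so the listed scores can be reproduced from their vectors and a customer re-scoring a vulnerability for their own environment can check their arithmetic. The list of vectors it checks is copied from the bulletin; the function and constant names are this example's own.

```python
"""CVSS v2 base-score calculator (added example, not from the bulletin).

Implements the base-score equation from the CVSS v2 specification and checks
it against the vector/score pairs the bulletin lists.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")

# Vectors and base scores as printed in the bulletin (one per distinct vector).
BULLETIN_SCORES = [
    ("(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),  # CVE-2012-2131, CVE-2012-2110
    ("(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),  # CVE-2012-0884, CVE-2011-4576
    ("(AV:N/AC:M/Au:N/C:N/I:N/A:P)", 4.3),  # CVE-2012-0050, CVE-2011-4577, CVE-2011-4619
    ("(AV:N/AC:M/Au:N/C:P/I:N/A:N)", 4.3),  # CVE-2011-4108, CVE-2013-0169
    ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),  # CVE-2011-3210, CVE-2013-0166, CVE-2012-2686
    ("(AV:N/AC:M/Au:N/C:P/I:N/A:P)", 5.8),  # CVE-2011-0014
    ("(AV:N/AC:M/Au:N/C:P/I:P/A:P)", 6.8),  # CVE-2010-3864
]


def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:N/C:P/I:P/A:P)' into {metric: value}.

    Rejects malformed metrics and vectors that lack any of the six base metrics,
    so a typo in a vector fails loudly instead of scoring silently.
    """
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def base_score(vector):
    """Return the CVSS v2 base score, rounded half-up to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                          * (1 - CIA_IMPACT[m["I"]])
                          * (1 - CIA_IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact) from the spec
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def check_bulletin_scores(pairs=BULLETIN_SCORES):
    """Return the (vector, listed, computed) triples whose scores disagree."""
    return [(v, listed, base_score(v)) for v, listed in pairs
            if base_score(v) != listed]


if __name__ == "__main__":
    for vector, listed in BULLETIN_SCORES:
        print(f"{vector}  listed={listed}  computed={base_score(vector)}")
    print("mismatches:", check_bulletin_scores())
```

Run as a script it prints each vector with the listed and computed score; `check_bulletin_scores()` returns an empty list, i.e. every score in the bulletin is consistent with its vector.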

DESCRIPTION: OpenSSL versions prior to 1.0.0 do not follow best security practices. TWS uses OpenSSL only for secure communication between internal processes.
For Tivoli Workload Scheduler Distributed, TWS nodes are impacted by the OpenSSL security exposure only if the TWS workstation has been defined with "securitylevel" set to on, enabled, or force.
The security exposures do not apply to the embedded WebSphere Application Server, but only to programs installed under <TWS home>/bin.

The security exposures do not apply to Dynamic Agents or zCentric agents.

For Tivoli Workload Scheduler for Applications, the programs that are installed in <TWS home>/methods are impacted if the agent that is hosting the methods has been defined with "securitylevel" set to on, enabled, or force.
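
Because the exposure only applies to workstations whose "securitylevel" is on, enabled, or force, the first triage step is to find those definitions. The helper below is an added example, not part of the bulletin or of the TWS product: it scans the text of workstation definitions for SECURITYLEVEL values and lists the impacted workstations. It assumes the definitions are in the CPUNAME ... END text form that `composer display cpu=@` prints; the sample definitions embedded in it are constructed for this example, and the function names are its own.

```python
"""Triage helper (added example, not from the bulletin or the TWS product).

Flags workstation definitions whose SECURITYLEVEL is one of the values the
bulletin names (ON, ENABLED, FORCE), i.e. the nodes that actually use the
OpenSSL code path the bulletin covers. Input is assumed to be the CPUNAME ...
END text that 'composer display cpu=@' prints; the sample is constructed.
"""
import re

# Values the bulletin lists as making a workstation subject to the exposure.
AFFECTED_LEVELS = {"ON", "ENABLED", "FORCE"}

# Constructed sample: three workstations, two with SSL enabled and one without.
SAMPLE_DEFINITIONS = """\
CPUNAME MDM01
  OS UNIX
  NODE mdm01.example.internal TCPADDR 31111
  SECUREADDR 31113
  DOMAIN MASTERDM
  FOR MAESTRO
    TYPE MANAGER
    AUTOLINK ON
    SECURITYLEVEL FORCE
END

CPUNAME FTA02
  OS WNT
  NODE fta02.example.internal TCPADDR 31111
  DOMAIN MASTERDM
  FOR MAESTRO
    TYPE FTA
    AUTOLINK ON
    SECURITYLEVEL ENABLED
END

CPUNAME FTA03
  OS UNIX
  NODE fta03.example.internal TCPADDR 31111
  DOMAIN MASTERDM
  FOR MAESTRO
    TYPE FTA
    AUTOLINK ON
END
"""

# One workstation definition: CPUNAME <name> ... END (DOTALL spans lines).
BLOCK_RE = re.compile(r"^CPUNAME\s+(\S+)(.*?)^END\s*$", re.S | re.M)
# The SECURITYLEVEL keyword and its value on its own line; "AUTOLINK ON"
# does not match because the keyword itself is required.
LEVEL_RE = re.compile(r"^\s*SECURITYLEVEL\s+(\S+)", re.M | re.I)


def parse_workstations(text):
    """Return {workstation: SECURITYLEVEL value or None} for each definition."""
    result = {}
    for block in BLOCK_RE.finditer(text):
        name, body = block.group(1), block.group(2)
        level = LEVEL_RE.search(body)
        result[name] = level.group(1).upper() if level else None
    return result


def affected_workstations(text):
    """Sorted names of workstations whose SECURITYLEVEL enables SSL."""
    return sorted(name for name, level in parse_workstations(text).items()
                  if level in AFFECTED_LEVELS)


if __name__ == "__main__":
    for name, level in parse_workstations(SAMPLE_DEFINITIONS).items():
        print(f"{name:8} SECURITYLEVEL={level or '(not set)'}")
    print("impacted:", affected_workstations(SAMPLE_DEFINITIONS))
```

On the constructed sample, `affected_workstations` returns MDM01 and FTA02; FTA03, which has no SECURITYLEVEL set, is not in the impacted set, matching the scoping rule the bulletin gives.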

TWS is a back-office application that usually runs over a protected infrastructure where connections with outside networks are forbidden. Connections to branch offices where TWS agents run are always implemented through VPNs. For this reason SSL is not often used to interconnect TWS nodes. Customers with high security demands activate SSL, but they never let TWS nodes communicate over unsecured networks.
That said, the probability of an attack is very limited; moreover, the majority of the exposures belong to the "denial of service" category, which in the worst case leads to the temporary unavailability of the attacked TWS nodes.


AFFECTED PRODUCTS AND VERSIONS:
Tivoli Workload Scheduler Distributed 8.6 FP02 and earlier
Tivoli Workload Scheduler Distributed 8.5.1 FP04 and earlier
Tivoli Workload Scheduler Distributed 8.5 FP03 and earlier
Tivoli Workload Scheduler Distributed 8.4 FP07 and earlier
Tivoli Workload Scheduler for Applications 8.6
Tivoli Workload Scheduler for Applications 8.5 FP01 and earlier
Tivoli Workload Scheduler for Applications 8.4 FP02 and earlier


REMEDIATION:
APAR IV44823 has been opened to address the following vulnerabilities on Tivoli Workload Scheduler Distributed and Tivoli Workload Scheduler for Applications:
CVEID: CVE-2012-2131
CVEID: CVE-2012-2110
CVEID: CVE-2012-0884
CVEID: CVE-2012-0050
CVEID: CVE-2011-4108
CVEID: CVE-2011-4576
CVEID: CVE-2011-4577
CVEID: CVE-2011-4619
CVEID: CVE-2011-3210
CVEID: CVE-2011-0014
CVEID: CVE-2010-3864

APAR IV45486 has been opened to address the following vulnerabilities for Tivoli Workload Scheduler for Applications:
CVE ID: CVE-2013-0169
CVE ID: CVE-2013-0166
CVE ID: CVE-2012-2686

IV44823 is already included in:
Tivoli Workload Scheduler Distributed 8.5.1 FP05
Tivoli Workload Scheduler Distributed 8.5 FP04

Starting from July 10th, the following interim fixes for IV44823 will be available for download on Fix Central:

· 8.4.0-TIV-TWS-FP0007- IV44823
to be applied on top of Tivoli Workload Scheduler Distributed 8.4 FP07
· 8.6.0-TIV-TWS-FP0002- IV44823
to be applied on top of Tivoli Workload Scheduler Distributed 8.6 FP02
· 8.5.0-TIV-TWSWSE-FP0001- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.5 FP01
· 8.4.0-TIV-TWSWSE-FP0002- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.4 FP02
· 8.6.0-TIV-TWSWSE-FP0000- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.6

The fix will also be officially included in the next fix packs for the same TWS versions.

Starting from July 10th, the following interim fixes for IV45486 will be available for download on Fix Central for Tivoli Workload Scheduler for Applications:

· 8.5.0-TIV-TWSWSE-FP0001- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.5 FP01
· 8.4.0-TIV-TWSWSE-FP0002- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.4 FP02
· 8.6.0-TIV-TWSWSE-FP0000- IV44823
to be applied on top of Tivoli Workload Scheduler for Applications 8.6


Workaround(s):
None

Mitigation(s):
None

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169)
· CVE-2013-0166 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166)
· CVE-2012-2686 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686)
· CVE-2012-2131 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131)
· CVE-2012-2110 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110)
· CVE-2012-0884 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884)
· CVE-2012-0050 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050)
· CVE-2011-4108 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108)
· CVE-2011-4576 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576)
· CVE-2011-4577 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577)
· CVE-2011-4619 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619)
· CVE-2011-3210 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210)
· CVE-2011-0014 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014)
· CVE-2010-3864 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864)
· http://xforce.iss.net/xforce/xfdb/81902
· http://xforce.iss.net/xforce/xfdb/81904
· http://xforce.iss.net/xforce/xfdb/81903
· http://xforce.iss.net/xforce/xfdb/75099
· http://xforce.iss.net/xforce/xfdb/74926
· http://xforce.iss.net/xforce/xfdb/73916
· http://xforce.iss.net/xforce/xfdb/72458
· http://xforce.iss.net/xforce/xfdb/72128
· http://xforce.iss.net/xforce/xfdb/72130
· http://xforce.iss.net/xforce/xfdb/72131
· http://xforce.iss.net/xforce/xfdb/72132
· http://xforce.iss.net/xforce/xfdb/69614
· http://xforce.iss.net/xforce/xfdb/68221
· http://xforce.iss.net/xforce/xfdb/63293


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
None

CHANGE HISTORY
26 June, 2013: Original Copy Published


*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Tivoli Workload Scheduler
Software version: 8.4, 8.5, 8.5.1, 8.6
Operating system(s): Platform Independent
Reference #: 1643316
Modified date: 2013-08-21