Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU February 2012, June 2012

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the IBM Java SDK that is shipped with IBM Tivoli Storage Productivity Center.

Content

IBM Tivoli Storage Productivity Center 4.x is shipped with an IBM Java SDK that is based on the Oracle JDK. Oracle released February 2012 and April 2012 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java SDK has been updated to incorporate those fixes.

Vulnerability Details
Oracle February 2012 CPU
CVE-2012-0502
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73193
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0503
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73191
CVSS Environmental Score*: Undefined
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0506
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73196
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2011-3563
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73194
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0499
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73187
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2012-0505
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73192
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Oracle June 2012 CPU
CVE-2012-1717
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76251
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-1713
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76239
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2012-1718
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76249
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-1719
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76247
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.145
Tivoli Storage Productivity Center 4.1.x

Note: Tivoli Storage Productivity Center 5.x is not affected.

REMEDIATION:
All of these steps are required to resolve the security vulnerabilities.

  1. Apply the Tivoli Storage Productivity Center fix pack as soon as practical. (See Latest Downloads.)
    Affected TPC Version APAR Fixed TPC Version Target Availability
    4.2.x
    4.1.x
    IC93514 4.2.2.170 (FP4) June 2013
  2. Apply embedded WebSphere Application Server fix pack 6.1.0.45 to Tivoli Storage Productivity Center for Replication 4.2.2.4.
  3. If you have downloaded and installed an IBM JRE from an older version of Tivoli Storage Productivity Center, you should download it again after applying the fix pack and reinstall the IBM JRE.

Note: If you are updating a System Storage Productivity Center (SSPC) appliance, use the IBM JRE downloaded from your upgraded Tivoli Storage Productivity Center installation, as referenced in step 3, to also update the IBM JRE on that system.

Workaround(s):
None.

Mitigation(s):
None

REFERENCES:
RELATED INFORMATION
IBM Product Security Incident Response blog

CHANGE HISTORY
None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Storage Virtualization Software System Storage Productivity Center
Storage Management Tivoli Storage Productivity Center Basic Edition Windows, AIX, Linux 4.1, 4.1.1, 4.2, 4.2.1, 4.2.2

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Tivoli Storage Productivity Center Standard Edition

Software version:

4.1, 4.1.1, 4.2, 4.2.1, 4.2.2

Operating system(s):

AIX, Linux, Windows

Reference #:

1643870

Modified date:

2013-07-19

Translate my page

Machine Translation

Content navigation