Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE

Flash (Alert)


Abstract

IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1.

Content


IBM Notes and Domino 8.5.3 Fix Pack 5 and the planned 9.0.1 releases address multiple attacks on the IBM JRE. In addition to fixes for miscellaneous client-side attacks, these releases contain the cumulative set of fixes to the JRE from both Oracle and IBM as of 01 August 2013.


Summary Advisory for Oracle June 2013 Critical Patch Update
Summary Advisory for Oracle April 2013 Critical Patch Update
Summary Advisory for Oracle February 2013 Critical Patch Update
Client-Side Yet Another Java Zero-Day Vulnerabilities reported by FireEye Inc.
    (CVE-2013-0809, CVE-2013-1493)
Client-Side IBM Java SDK/JRE Vulnerabilities reported by Security Explorations
    (CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008, CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, CVE-2013-2436)


VULNERABILITY DETAILS

Oracle Java Critical Patch Updates for June, April and February 2013

      DESCRIPTION: Summary Advisory for Oracle Java Critical Patch Update June 2013
      This Critical Patch Update contains 40 new security fixes across Java SE products, of which 4 are applicable to server deployments of Java and of which one dozen have a CVSS score > 9.3. Resolving the full set of issues will require updating both Notes and Domino. For a description of the fixes, CVE IDs and CVSS scoring, see Summary Advisory for Oracle June 2013 CPU.

      DESCRIPTION: Summary Advisory for Oracle Java Critical Patch Update April 2013
      This Critical Patch Update contains 42 new security fixes across Java SE products, of which 2 are applicable to server deployments of Java and of which twenty have a CVSS score > 9.3. Resolving the full set of issues will require updating both Notes and Domino. For a description of the fixes, CVE IDs and CVSS scoring, see Summary Advisory for Oracle April 2013 CPU.

      DESCRIPTION: Summary Advisory for Oracle Java Critical Patch Update February 2013
      This Critical Patch Update contains 50 new security fixes across Java SE products, of which 4 are applicable to server deployments of Java and of which two dozen have a CVSS score > 9.3. Resolving the full set of issues will require updating both Notes and Domino. For a description of the fixes, CVE IDs and CVSS scoring, see Summary Advisory for Oracle February 2013 CPU.

    AFFECTED PLATFORMS:
    IBM Notes and Domino 9.0
    IBM Notes and Domino 8.5.x
    IBM Notes and Domino 8.0.x

    REMEDIATION:

    Fix:

    These issues are all tracked as SPR KLYH95CMCJ, which is fixed in 8.5.3 Fix Pack 5. The same fix is planned for release 9.0.1. To track availability, refer to Notes/Domino Fix List - Upcoming Releases.

    Workaround:

    None

    Mitigation(s):

    None



    Client-Side Yet Another Java Zero-Day reported by FireEye

    CVE IDs: CVE-2013-0809, CVE-2013-1493

    DESCRIPTION: An attacker can supply untrusted (sandboxed) code to exploit a buffer overflow in multiple client-side Java components, resulting in privilege escalation.
      CVE ID: CVE-2013-0809
      CVSS Base Score: 10
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82515 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Low
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


      CVE ID: CVE-2013-1493
      CVSS Base Score: 10
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82514 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Low
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete

    AFFECTED PLATFORMS:
    IBM Notes 9.0
    IBM Notes 8.5.x
    IBM Notes 8.0.x

    REMEDIATION:

    Fix:

    This issue is also tracked as SPR KLYH95CMCJ, which is fixed in 8.5.3 Fix Pack 5. The same fix is planned for release 9.0.1. To track availability, refer to Notes/Domino Fix List - Upcoming Releases.

    Workaround:

    None

    Mitigation(s):

    None



    Client-Side IBM Java SDK/JRE Vulnerabilities Reported by Security Explorations

    CVE IDs: CVE-2013-2436, CVE-2013-2455, CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, CVE-2013-3012

    DESCRIPTION: A flaw in the java.lang.invoke API allows untrusted code to invoke methods that should be inaccessible. The fix adds a permission check to prevent the problem.
      CVE ID: CVE-2013-2436
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83575 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: Incorrect handling of the EnclosingMethod attribute when parsing a class file enables access to declared Method objects of arbitrary classes.
      CVE ID: CVE-2013-2455
      CVSS Base Score: 5
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84146 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

      Access Vector: Network
      Access Complexity: Low
      Authentication: None
      Confidentiality Impact: Partial
      Integrity Impact: None
      Availability Impact: None

    DESCRIPTION: Improper binding of protected methods allows the invocation of protected methods of arbitrary objects. The fix ensures that protected methods are bound correctly.
      CVE ID: CVE-2013-3006
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84147 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: Unsafe implementation of deserialization functionality allows access to arbitrary fields of certain classes. The fix ensures that the deserialization is implemented safely.
      CVE ID: CVE-2013-3007
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84148 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: Unsafe deserialization of certain objects allows objects to be mutated. The fix prevents modification of internal parameters.
      CVE ID: CVE-2013-3008
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84149 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: Insecure use of the invoke method of java.lang.reflect.Method class in the ORB allows arbitrary method invocation inside AccessController's doPrivileged block. The fix ensures that invoke is used securely.
      CVE ID: CVE-2013-3009
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84150 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: Insecure implementation of reflective Field access allows privileged access to arbitrary fields of some classes. The fix implements reflection safely.
      CVE ID: CVE-2013-3010
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84151 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: XSLT unsafely allows calls to Java extension functions. The fix makes these calls safely.
      CVE ID: CVE-2013-3011
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84152 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    DESCRIPTION: XSLT extends a ClassLoader unsafely. The fix extends the ClassLoader safely.
      CVE ID: CVE-2013-3012
      CVSS Base Score: 9.3
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84153 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Complete
      Integrity Impact: Complete
      Availability Impact: Complete


    AFFECTED PLATFORMS:
    IBM Notes 9.0
    IBM Notes 8.5.x
    IBM Notes 8.0.x

    REMEDIATION:

    Fix:

    These issues are also tracked as SPR KLYH95CMCJ, which is fixed in 8.5.3 Fix Pack 5. The same fix is planned for release 9.0.1. To track availability, refer to Notes/Domino Fix List - Upcoming Releases.

    Workaround:

    None

    Mitigation(s):

    None



    REFERENCES:
    X-Force Vulnerability Database
    http://xforce.iss.net/xforce/xfdb/82515
    http://xforce.iss.net/xforce/xfdb/84146
    http://xforce.iss.net/xforce/xfdb/82514
    http://xforce.iss.net/xforce/xfdb/83575
    http://xforce.iss.net/xforce/xfdb/84147
    http://xforce.iss.net/xforce/xfdb/84148
    http://xforce.iss.net/xforce/xfdb/84149
    http://xforce.iss.net/xforce/xfdb/84150
    http://xforce.iss.net/xforce/xfdb/84151
    http://xforce.iss.net/xforce/xfdb/84152
    http://xforce.iss.net/xforce/xfdb/84153

    ACKNOWLEDGEMENT:
    The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-2436, CVE-2013-2455, CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, CVE-2013-3012

    *The CVSS Environmental Score is specific to the customer's environment and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Flash.
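    The base scores and vectors listed above follow the CVSS v2.0 base equation published by FIRST. The following script is an added example, not part of the IBM bulletin: it implements that equation with the standard v2 metric weights, parses each vector string in the form the bulletin prints it, and recomputes the published base score so that a reader can check the numbers before using them to prioritise patching. The CVE-to-vector table is copied from this bulletin; everything else (function names, the regular expression) is the example's own.

```python
"""CVSS v2 base-score check for the vectors listed in this bulletin.

Added example (not part of the IBM bulletin). Implements the CVSS v2.0
base equation from the FIRST CVSS v2 guide and recomputes the base score
for each vector string the bulletin lists.
"""
import re

# CVSS v2.0 metric weights, as defined in the FIRST CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local/Adjacent/Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: High/Medium/Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple/Single/None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # C/I/A impact: None/Partial/Complete

# Accepts the bulletin's "(AV:N/AC:M/Au:N/C:C/I:C/A:C)" form; parentheses optional.
VECTOR_RE = re.compile(
    r"^\(?AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/Au:(?P<Au>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])\)?$"
)


def parse_vector(vector):
    """Split a CVSS v2 base vector into its six metric letters."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return m.groupdict()


def base_score(vector):
    """Return the CVSS v2 base score (rounded to one decimal) for a base vector."""
    v = parse_vector(vector)
    # Impact = 10.41 * (1 - (1-C)(1-I)(1-A)); exactly 0.0 when C, I and A are all None.
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    # Exploitability = 20 * AV * AC * Au
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    # f(Impact) zeroes the score when there is no impact at all.
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


# (vector, published base score) pairs exactly as they appear in this bulletin.
BULLETIN_SCORES = {
    "CVE-2013-0809": ("(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    "CVE-2013-1493": ("(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    "CVE-2013-2436": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-2455": ("(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
    "CVE-2013-3006": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3007": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3008": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3009": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3010": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3011": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-3012": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
}


def verify_bulletin(scores=BULLETIN_SCORES):
    """Recompute every published score; return the CVE IDs whose score does not match."""
    return [cve for cve, (vector, published) in scores.items()
            if base_score(vector) != published]


if __name__ == "__main__":
    for cve, (vector, published) in BULLETIN_SCORES.items():
        print(f"{cve}: {vector} -> computed {base_score(vector)}, published {published}")
    bad = verify_bulletin()
    print("all published scores reproduced" if not bad else f"mismatches: {bad}")
```

    Running the script reproduces all three distinct scores in the bulletin (10.0, 9.3 and 5.0). The only difference between the two "Complete" vectors is Access Complexity (Low versus Medium), which is what moves the score from 10.0 to 9.3; the CVE-2013-2455 vector scores 5.0 because only Confidentiality is affected, and partially.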


    Note:
    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    Related information

    Summary Advisory For Oracle June Critical Patch Update
    Summary Advisory for Oracle Java SE Critical Patch Upda
    Summary Advisory for Oracle Java SE CPU - Feb-2013
    A simplified Chinese translation is available

    Cross reference information
    Segment: Messaging Applications
    Product: IBM Domino
    Component: Security
    Platform: AIX, AIX 64bit, i5/OS, IBM i, Linux, Linux iSeries, Linux xSeries, Linux zSeries, Solaris, Windows, Windows 64bit, z/OS
    Version: 9.0, 8.5.3, 8.5.2, 8.5.1, 8.5, 8.0
    Edition: (not specified)


    Document information


    More support for:

    IBM Notes
    Security

    Software version:

    8.0, 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0

    Operating system(s):

    Linux, Mac OS, Mac OS X, Windows

    Reference #:

    1644918

    Modified date:

    2013-08-09
