Security Bulletin: Multiple vulnerabilities in the IBM Java SDK

Flash (Alert)


Abstract

Issues disclosed in the Oracle June 2013 Java SE Critical Patch Update, plus 8 additional vulnerabilities.

Content

VULNERABILITY DETAILS:

CVE IDs:
CVE-2013-3006 CVE-2013-3007 CVE-2013-3008 CVE-2013-3009 CVE-2013-3010 CVE-2013-3011 CVE-2013-3012 CVE-2013-4002 CVE-2013-2468 CVE-2013-2469 CVE-2013-2465 CVE-2013-2464 CVE-2013-2463 CVE-2013-2473 CVE-2013-2472 CVE-2013-2471 CVE-2013-2470 CVE-2013-2459 CVE-2013-2466 CVE-2013-2462 CVE-2013-2460 CVE-2013-3743 CVE-2013-2448 CVE-2013-2442 CVE-2013-2407 CVE-2013-2454 CVE-2013-2458 CVE-2013-3744 CVE-2013-2400 CVE-2013-2456 CVE-2013-2453 CVE-2013-2457 CVE-2013-2455 CVE-2013-2412 CVE-2013-2443 CVE-2013-2447 CVE-2013-2437 CVE-2013-2444 CVE-2013-2452 CVE-2013-2446 CVE-2013-2450 CVE-2013-1571 CVE-2013-2449 CVE-2013-2451 CVE-2013-1500

DESCRIPTION:
There are a number of vulnerabilities in the IBM Java SDK that affect various components: CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, and CVE-2013-3012. These vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues need to be combined in sequence to achieve an exploit. The vulnerabilities could occur when untrusted code is executed under a security manager, or when the IBM Java SDK has been associated with a web browser for running applets and Web Start applications.

This bulletin also includes CVE-2013-4002. This is a denial of service vulnerability, which could result in a complete availability impact on the affected system.

This bulletin also covers all applicable CVEs published by Oracle as part of their June 2013 Java SE Critical Patch Update. For more information please refer to Oracle’s June 2013 Java SE CPU Advisory.

CVEID: CVE-2013-3006
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3007
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3008
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3009
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3010
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3011
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3012
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-2468
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85034 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2469
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2465
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85031 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2464
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85030 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2463
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2473
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2472
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2471
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85026 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2470
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2459
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2462
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2460
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85038 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3743
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2448
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85040 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2442
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2407
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-2454
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85045 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2458
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85046 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3744
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85051 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2400
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85050 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2456
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2453
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85053 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2457
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2455
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2412
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85059 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2443
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85054 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2447
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2437
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85049 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2444
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2452
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85055 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2446
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85048 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2450
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-1571
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2449
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2451
CVSS Base Score: 3.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85061 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-1500
CVSS Base Score: 3.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85062 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
IBM Java SDK 1.4.2 SR13-FP17 and earlier
IBM Java SDK 5.0 SR16-FP2 and earlier
IBM Java SDK 6 SR13-FP2 and earlier
IBM Java SDK 6.0.1 SR5-FP2 and earlier
IBM Java SDK 7 SR4-FP2 and earlier

For detailed information on which CVEs affect which releases, please refer to the IBM Java Security Alerts page.

REMEDIATION:
IBM Java SDK 1.4.2 SR13-FP18 and later
IBM Java SDK 5.0 SR16-FP3 and later
IBM Java SDK 6 SR14 and later
IBM Java SDK 6.0.1 SR6 and later
IBM Java SDK 7 SR5 and later

IBM Java SDK and JRE releases can be downloaded from
http://www.ibm.com/developerworks/java/jdk/index.html


APAR numbers are as follows:

IV44790 (CVE-2013-3006)
IX90117 (CVE-2013-3007)
IV44791 (CVE-2013-3008)
IX90118 (CVE-2013-3009)
IX90119 (CVE-2013-3010)
IV44793 (CVE-2013-3011)
IV44796 (CVE-2013-3012)
IV45895 (CVE-2013-4002)
IV44618 (CVE-2013-2468)
IV44619 (CVE-2013-2469)
IV44621 (CVE-2013-2465)
IV44623 (CVE-2013-2464)
IV44625 (CVE-2013-2463)
IV44627 (CVE-2013-2473)
IV44629 (CVE-2013-2472)
IV44631 (CVE-2013-2471)
IV44633 (CVE-2013-2470)
IV44635 (CVE-2013-2459)
IV44637 (CVE-2013-2466)
IV44638 (CVE-2013-2462)
IV44639 (CVE-2013-2460)
IV44642 (CVE-2013-2448)
IV44644 (CVE-2013-2442)
IV44674 (CVE-2013-2407)
IV44645 (CVE-2013-2454)
IV44647 (CVE-2013-2458)
IV44648 (CVE-2013-3744)
IV44649 (CVE-2013-2400)
IV44650 (CVE-2013-2456)
IV44652 (CVE-2013-2453)
IV44653 (CVE-2013-2457)
IV44656 (CVE-2013-2455)
IV44657 (CVE-2013-2412)
IV44659 (CVE-2013-2443)
IV44660 (CVE-2013-2447)
IV44661 (CVE-2013-2437)
IV44662 (CVE-2013-2444)
IV44664 (CVE-2013-2452)
IX90117 (CVE-2013-2446)
IV44667 (CVE-2013-2450)
IV44669 (CVE-2013-1571)
IV44670 (CVE-2013-2449)
IV44671 (CVE-2013-2451)
IV44672 (CVE-2013-1500)

WORKAROUND(S):
None.

MITIGATION(S):
None.

REFERENCES:

ACKNOWLEDGEMENT:
The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, and CVE-2013-3012.

CHANGE HISTORY:
None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Rate this page:

(0 users)Average rating

Document information


More support for:

Runtimes for Java Technology
Java SDK

Software version:

1.4.2, 5.0, 6.0, 7.0

Operating system(s):

AIX, HP-UX, Linux, Linux zSeries, Solaris, Windows, i5/OS, z/OS

Software edition:

Java SE

Reference #:

1645500

Modified date:

2013-07-31

Translate my page

Machine Translation

Content navigation