ISDM: vulnerability in JRE (CVE-2013-0809, CVE-2013-1493)

Security Bulletin


Summary

The listed vulnerabilities apply to client-side deployments of Java in which untrusted code may be executed under a security manager. Only the IBM Tivoli Monitoring image of IBM Service Delivery Manager is affected.

Vulnerability Details

There are a number of vulnerabilities in the IBM Java SDK that affect various components (ORB, XML and JMX). The vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues must be combined in sequence to achieve an exploit.
The vulnerabilities can occur when the IBM JRE is installed as the system JRE, such that it may be used to execute untrusted Java applets or Web Start applications in a browser.


CVE ID: CVE-2013-0809

Description: Untrusted (sandboxed) code can exploit a buffer overflow in the AWT image component to gain direct read/write access to arbitrary memory addresses. The test case / proof of concept we received from Oracle causes a crash. However, it is possible to remove the security manager using a strategy similar to that of CVE-2013-1493, or to redirect the execution flow to an area of memory that contains the malicious code.

The vulnerability is exploited by extending a part of the Java SE API with a special class. The constructor of the class overwrites fields in the parent class with values that cause a buffer overflow during subsequent processing. This can only be achieved by malicious code running on the target machine.

CVSS Base Score: 10
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


CVE ID: CVE-2013-1493

Description: Untrusted (sandboxed) code can exploit a buffer overflow in the Java 2D Color Management Module (CMM) to gain direct read/write access to arbitrary memory addresses. This capability can be used to overwrite and null the area of memory that contains the reference to the system security manager, thus escalating the privileges of the untrusted code. The "in-the-wild" exploit uses these privileges to download and install a trojan.

The vulnerability is exploited in a multi-step process, which can only be achieved by malicious code running on the target machine.

CVSS Base Score: 10
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Service Delivery Manager 7.2.1, 7.2.2, 7.2.4

Remediation/Fixes

Only the IBM Tivoli Monitoring image of IBM Service Delivery Manager is affected.

Apply the fix supplied in document 4035138: IBM Tivoli Monitoring 6 JRE Update (6.X.X-TIV-ITM_JRE_TEP-20130726) for remediation.

Workarounds and Mitigations

None

References

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
For the most current description and CVSS of each vulnerability, see developerWorks Java™ Technology Security Alerts at URL:

http://www.ibm.com/developerworks/java/jdk/alerts/

*The CVSS Environmental Score is customer environment specific and will ultimately impact the overall CVSS score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Service Delivery Manager
Software version: 7.2.1, 7.2.2, 7.2.4
Operating system(s): AIX, Linux, Windows
Reference #: 1646389
Modified date: 2015-07-06