IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: Multiple security vulnerabilities in IBM JREs 5, 6, and 7

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Message Broker for IBM JRE 5.0 SR16-FP3 (and earlier), IBM JRE 6.0 SR13 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR4 (and earlier).

Content

VULNERABILITY DETAILS
CVE ID:
CVE-2013-1500, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743

DESCRIPTION:

This flash has been superseded by a later JRE update for the following versions:

IBM WebSphere Message Broker V7.0
IBM WebSphere Message Broker V8.0
IBM Integration Bus V9.0

Please see http://www.ibm.com/support/docview.wss?uid=swg21660279 for details.

There are multiple security vulnerabilities in the IBM Java Runtime Environment component of IBM WebSphere Message Broker. All are applicable to IBM JRE 5.0, IBM JRE 6.0.1 and IBM JRE 7.0 except where indicated.

CVE-2013-1500 (CVSS3.2)
CVE-2013-2400 (CVSS5) - IBM JRE 7.0 Only
CVE-2013-2407 (CVSS6.4) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2412 (CVSS5) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2437 (CVSS5) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2442 (CVSS7.5) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2443 (CVSS5)
CVE-2013-2444 (CVSS5)
CVE-2013-2446 (CVSS5)
CVE-2013-2447 (CVSS5)
CVE-2013-2448 (CVSS7.6)
CVE-2013-2449 (CVSS4.3) - IBM JRE 7.0 Only
CVE-2013-2450 (CVSS5)
CVE-2013-2451 (CVSS3.7) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2452 (CVSS5)
CVE-2013-2453 (CVSS5) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2454 (CVSS5.8)
CVE-2013-2455 (CVSS5)
CVE-2013-2456 (CVSS5)
CVE-2013-2457 (CVSS5)
CVE-2013-2458 (CVSS5.8) - IBM JRE 7.0 Only
CVE-2013-2459 (CVSS10)
CVE-2013-2460 (CVSS9.3) - IBM JRE 7.0 Only
CVE-2013-2462 (CVSS9.3) - IBM JRE 7.0 Only
CVE-2013-2463 (CVSS10)
CVE-2013-2464 (CVSS10)
CVE-2013-2465 (CVSS10)
CVE-2013-2466 (CVSS10) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2468 (CVSS10) - IBM JRE 6.0.1 & IBM JRE 7.0
CVE-2013-2469 (CVSS10)
CVE-2013-2470 (CVSS10)
CVE-2013-2471 (CVSS10)
CVE-2013-2472 (CVSS10)
CVE-2013-2473 (CVSS10)
CVE-2013-3743 (CVSS9.3)

CVSS:
CVEID: CVE-2013-1500
CVSS Base Score: 3.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85062 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2400
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85050 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2407
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-2412
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85059 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2437
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85049 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2444
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2442
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2443
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85054 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2447
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2446
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85048 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2448
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85040 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2449
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2450
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2451
CVSS Base Score: 3.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85061 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2452
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85055 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2453
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85053 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2454
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85045 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2455
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2456
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2457
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2458
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85046 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2459
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2460
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85038 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2462
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2463
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2464
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85030 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2465
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85031 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2468
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85034 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2469
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2470
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2471
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85026 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2472
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2473
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3743
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

AFFECTED PLATFORMS:
IBM WebSphere Message Broker V6.1, V7.0 and V8.0 & IBM Integration Bus V9.0 are affected on all platforms except IBM z/OS.

REMEDIATION:
None known

FIX
For IBM WebSphere Message Broker V6.1 an interim fix for APAR IC94158 is available from IBM Fix Central:

http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IC94158

APAR IC94158 is targeted for availability in IBM WebSphere Message Broker V6.1.0.12

For IBM WebSphere Message Broker V7.0 and V8.0 an interim fix for APAR IC94186 is available from IBM Fix Central:

http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IC94186

APAR IC94186 is targeted for availability in IBM WebSphere Message Broker V7.0.0.7 and V8.0.0.4

Note: The fix on the Solaris platform is not yet available for IBM WebSphere Message Broker V7.0 and V8.0

For IBM Integration Bus V9.0 the fix for APAR IC94187 is available in IBM Integration Bus V9.0.0.1:

http://www.ibm.com/support/docview.wss?uid=swg24036637


Mitigation
None known

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

CVE-2013-1500

CVE-2013-2400
CVE-2013-2407
CVE-2013-2412
CVE-2013-2437
CVE-2013-2444
CVE-2013-2442
CVE-2013-2443
CVE-2013-2447
CVE-2013-2446
CVE-2013-2448
CVE-2013-2449
CVE-2013-2450
CVE-2013-2451
CVE-2013-2452
CVE-2013-2453
CVE-2013-2454
CVE-2013-2455
CVE-2013-2456
CVE-2013-2457
CVE-2013-2458
CVE-2013-2459
CVE-2013-2460
CVE-2013-2462
CVE-2013-2463
CVE-2013-2464
CVE-2013-2465
CVE-2013-2466
CVE-2013-2468
CVE-2013-2469
CVE-2013-2470
CVE-2013-2471
CVE-2013-2472
CVE-2013-2473
CVE-2013-3743

CHANGE HISTORY:
<09 - Oct - 2013>: Original Copy Published
<04 - Dec - 2013>: Added information of availability of the fix at WMB V7.0 and WMB V8.0
<17 - Dec - 2013>: Corrected type
<28 - Jan - 2014>: Updated to point to flash which supersedes this one.
<10 - Feb - 2014>: Corrected link for document 1660279
<24 - Mar - 2014>: Updated to indicate that Solaris fix is available for WMB V6.1
<26 - Aug - 2014>: Corrected typo


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: WebSphere Message Broker, Security
Software version: 6.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1647053
Modified date: 2014-08-26
