IBM Support

Security Bulletin: IBM Tivoli Composite Application Manager for Transactions affected by vulnerabilities in IBM JRE (Multiple CVEs)

Flashes (Alerts)


Abstract

IBM Tivoli Composite Application Manager for Transactions is shipped with two IBM JREs that are based on Oracle Java. It is also dependent on ITM 6.2.1 Framework, which also has it own JRE. Oracle has released a June 2013 Critical Patch Update (CPU) that contains security vulnerability fixes and IBM Java is affected.

Content

VULNERABILITY DETAILS:


DESCRIPTION:
This bulletin also covers all applicable CVEs published by Oracle as part of their June 2013 Java SE Critical Patch Update. For more information please refer to Oracle’s June 2013 Java SE CPU Advisory.

CVEID: CVE-2013-3006
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3007
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3008
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3009
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3010
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3011
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3012
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-2468
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85034 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2469
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2465
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85031 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2464
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85030 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2463
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2473
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2472
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2471
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85026 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2470
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2459
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466
CVSS Base Score: 10.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2462
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2460
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85038 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-3743
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2448
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85040 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2442
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-2407
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-2454
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85045 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-2458
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85046 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3744
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85051 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2400
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85050 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2456
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2453
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85053 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2457
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2455
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2412
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85059 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2443
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85054 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2447
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2437
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85049 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2444
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2452
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85055 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2446
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85048 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2450
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-1571
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2449
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-2451
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85061 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-1500
CVSS Base Score: 3.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85062 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)

For detailed information on which CVEs affect which releases, please refer to the IBM Java Security Alerts page.


AFFECTED PRODUCTS AND VERSIONS:
Versions 7.1.x.x to 7.3.x.x are affected.

REMEDIATION:

Remediation is done in two parts. ITCAM for Transactions users may be affected due to its dependency on ITM framework. On machines with other ITM agents, please ensure the latest updates has been applied. On machines with only ITCAM for Transactions Agent, they should obtain the ITM OS Agent and install that. Refer to
http://www-01.ibm.com/support/docview.wss?uid=swg21634920

Additionally for Robotics Response Time (T6) Agent users:
Appropriate maintenance can be tracked by APAR <TBD>. Apply maintenance patch 7.3.0.1-TIV-CAMRT-IF0022 (applicable for versions 7.1, 7.2 and 7.3), it will address above issues by updating the JREs shipped. The maintenance package will be available on Fix Central.

Note: This fix supersedes 7.3.0.1-TIV-CAMRT-IF0021.

Fix*VRMFAPARHow to acquire fix
7.3.0.1-TIV-CAMRT-IF00227.3.0.1.22IV48461FixCentral



Workaround(s):
None

Mitigation(s):
None

REFERENCES:
· Complete CVSS v2 Guide
· On-line Calculator V2
· X-Force Vulnerability Database


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Oracle’s June 2013 Java SE CPU Advisory
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84147
CVE-2013-3007
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84148
CVE-2013-3008
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84149
CVE-2013-3009
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84150
CVE-2013-3010
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84151
CVE-2013-3011
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84150
CVE-2013-3012
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84153
CVE-2013-4002
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85260
CVE-2013-2468
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85034
CVE-2013-2469
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85032
CVE-2013-2465
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85031
CVE-2013-2464
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85030
CVE-2013-2463
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85029
CVE-2013-2473
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85028
CVE-2013-2472
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85027
CVE-2013-2471
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85026
CVE-2013-2470
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85025
CVE-2013-2459
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85033
CVE-2013-2466
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85035
CVE-2013-2462
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85037
CVE-2013-2460
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85038
CVE-2013-3743
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85036
CVE-2013-2448
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85040
CVE-2013-2442
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85041
CVE-2013-2407
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85044
CVE-2013-2454
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85045
CVE-2013-2458
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85046
CVE-2013-3744
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85051
CVE-2013-2400
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85050
CVE-2013-2456
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85058
CVE-2013-2453
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85053
CVE-2013-2457
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85052
CVE-2013-2455
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84146
CVE-2013-2412
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85059
CVE-2013-2443
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85054
CVE-2013-2447
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85056
CVE-2013-2437
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85049
CVE-2013-2444
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85047
CVE-2013-2452
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85055
CVE-2013-2446
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85048
CVE-2013-2450
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85057
CVE-2013-1571
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84715
CVE-2013-2449
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85060
CVE-2013-2451
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85061
CVE-2013-1500
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/85062

ACKNOWLEDGEMENT
The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, and CVE-2013-3012.

CHANGE HISTORY
2013-09-17: Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related Information

[{"Product":{"code":"SS5MD2","label":"Tivoli Composite Application Manager for Transactions"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1;7.2;7.3","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
25 September 2022

UID

swg21649801