Security Bulletin: TADDM 7.2.2.0, 7.2.1.5 and 7.2.0.10: Vulnerabilities in embedded JRE.

Flash (Alert)


Abstract

Multiple security vulnerabilities exist in the Java Runtime Environments (JREs) IBM JRE 5.0 Service Release 16 FP2 and IBM JRE 7 SR4 FP2 or earlier, and non-IBM Java 5.0 and Java 7 or earlier, that can affect the security of IBM Tivoli Application Dependency Discovery Manager.

Content

VULNERABILITY DETAILS:
CVEID: CVE-2013-1500 (CVSS 3.2)
Description:
Some native internal implementation code in the AWT component creates a shared memory segment with world read/write permissions. This allows potentially sensitive data to be accessed and modified by a local user.

CVSS Base Score: 3.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85062
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-1571 (CVSS 4.3) / PSIRT Advisory 1025
Description:
The Javadoc tool is used to generate documentation for Java code. Current versions of Javadoc generate HTML with embedded JavaScript that contains a security vulnerability.
The vulnerability allows an attacker to craft a malicious link to the documentation which injects arbitrary content into the main frame. The injected content appears to originate from the site hosting the documentation, but in fact it is hosted elsewhere, and may contain malicious links or content. This type of attack is known as "clickjacking".
The fix corrects the Javadoc tool such that it produces secure JavaScript that validates target pages correctly.

CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84715
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2400 (CVSS 5)
Description:
Code listed in the progress-class JNLP attribute is executed before any warning dialog is presented.
The fix prevents this from happening.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85050
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2407 (CVSS 6.4)
Description:
XML Signatures contain features intended to cover many different use cases. Unfortunately, some of these features can be abused by creating hostile signatures that may cause security issues, such as DoS attacks, when they are processed. See http://www.w3.org/TR/xmldsig-bestpractices/ for more information.
A new secure validation mode has been added whereby signatures are rejected and not processed if they contain potentially hostile constructs. A new private property (org.jcp.xml.dsig.secureValidation) can be set to enable this mode by calling the DOMValidateContext.setProperty method.
This property will be set to true by default when running under a SecurityManager.

CVSS Base Score: 6.4
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85044
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)


CVEID: CVE-2013-2412 (CVSS 5)
Description:
The RMI connection dialogue box in JConsole sends the username/password in the clear.
The fix updates the code to give the user the option to use SSL for a connection.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85059
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2437 (CVSS 5)
Description:
Unsigned applets and Web Start applications do not have permission to list files in the local directory, but this vulnerability allows a list to be obtained via brute force guessing of file names.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85049
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2442 (CVSS 7.5)
Description:
An applet with code from multiple origins may allow Same Origin Policy violations.

CVSS Base Score: 7.5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85041
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVEID: CVE-2013-2443 (CVSS 5)
Description:
Under certain circumstances, data used in permission checks (canonicalised file names, resolved IP addresses etc.) can be accessed by malicious code.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85054
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2444 (CVSS 5)
Description:
java.awt.Font creates temporary files while processing fonts. These files are deleted in a finally {} block, but that code is not guaranteed to be executed.
As a result, malicious Java code can indirectly consume filesystem resources and potentially cause a DoS.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85047
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-2446 (CVSS 5)
Description:
The org.omg.CORBA_2_3.portable.OutputStream is an abstract class. It can be extended by 3rd party code and may be used in conjunction with the javax.rmi.CORBA.ValueHandler class to create malicious code whereby serializable objects passed over a CORBA - IIOP stream may be intercepted (and possibly modified).
The solution is to add a Permission check to the org.omg.CORBA_2_3.portable.OutputStream default constructor.
Applications extending this class (or subclasses) will require an extra Permission to continue if a SecurityManager is installed.
A new system property has been created to restore the old behaviour when set to any value other than "false". The system property is "jdk.corba.allowOutputStreamSubclass".

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85048
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2447 (CVSS 5)
Description:
Unlike InetAddress.getLocalHost(), Socket.getLocalAddress() discloses the local IP address without checking for the relevant permission. The fix adds the appropriate permission check.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85056
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2448 (CVSS 7.6)
Description:
This CVE covers several vulnerabilities in the MIDI sound area.

CVSS Base Score: 7.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85040
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2449 (CVSS 4.3)
Description:
The java.nio.file.Files.probeContentType() API may expose file existence under GNOME 2.2+ to untrusted code under certain circumstances.
The fix adds an appropriate permission check.

CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85060
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2450 (CVSS 5)
Description:
Specially crafted serialized data containing a self-referencing or circular class hierarchy may cause a denial-of-service condition in a Java application that deserializes untrusted data.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85057
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-2451 (CVSS 3.7)
Description:
Under certain circumstances, malicious Java code can "steal" a port that is in use by another process and access the information being sent/received on that port.

CVSS Base Score: 3.7
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85061
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)


CVEID: CVE-2013-2452 (CVSS 5)
Description:
It is possible for untrusted code to reverse engineer the host IP address from the RMI VMID. This undermines the security manager protection to block access to this information, and is a confidentiality leak.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85055
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2453 (CVSS 5)
Description:
Part of the internal implementation of the JMX component can be used to gain access to interfaces that should be restricted.
The fix adds an appropriate package access check.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85053
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2454 (CVSS 5.8)
Description:
Part of the javax.sql.rowset API allows untrusted code to access fields in restricted classes under certain limited circumstances.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85045
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-2455 (CVSS 5)
Description:
Incorrect handling of the EnclosingMethod attribute when parsing a class file enables access to declared Method objects of arbitrary classes.
The fix ensures that the EnclosingMethod attribute is processed correctly.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84146
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2456 (CVSS 5)
Description:
An attacker can use the ObjectStreamClass to gain access to classes that should be restricted.
The fix adds package access checks to secure the relevant APIs.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85058
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2457 (CVSS 5)
Description:
A class in the JMX component does not perform adequate validation during deserialization. This provides a way for attackers to bypass the validation that is present in the class constructors, and construct classes that could be used to access sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85052
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-2458 (CVSS 5.8)
Description:
Untrusted code can exploit a vulnerability in the MethodHandles API to gain access to restricted methods.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 5.8
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85046
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-2459 (CVSS 10)
Description:
An attacker can create a malicious java.awt.Shape object which triggers an integer overflow. The resulting memory corruption might facilitate arbitrary code execution.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85033
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2460 (CVSS 9.3)
Description:
Untrusted code can use part of the com.sun.tracing.ProviderFactory API to invoke static methods in restricted classes.
The fix adds appropriate permission checks to secure the API.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85038
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2462 (CVSS 9.3)
Description:
A correctly crafted JNLP file can set system properties based on an untrusted source.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85037
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2463 (CVSS 10)
Description:
Malicious code can extend part of the java.awt.image API and override a method to prevent detection of malformed images (such images may facilitate memory corruption or arbitrary code execution).
The fix corrects the AWT code so that validation is always carried out correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85029
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2464 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image objects.
The fix ensures that these invalid objects are detected and rejected gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85030
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2465 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image objects.
The fix ensures that these invalid objects are detected and rejected gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85031
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-2466 (CVSS 10)
Description:
Under certain circumstances, signed applet or Web Start application jar files may be redeployed with higher permissions than the signer intended.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85035
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2468 (CVSS 10)
Description:
Incorrect handling of the java-vm-args JNLP property allows user data to appear on the command line when the plugin reinvokes java.
The fix ensures that arguments are processed and validated correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85034
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2469 (CVSS 10)
Description:
Malicious code can cause heap corruption by constructing invalid image objects.
The fix ensures that these invalid objects are detected and rejected gracefully.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85032
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2470 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.BufferedImage API to access arbitrary memory addresses. This may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85025
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2471 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond the limits of an array. This will cause memory corruption and may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85026
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2472 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond the limits of an array. This will cause memory corruption and may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85027
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2473 (CVSS 10)
Description:
Untrusted code can use part of the java.awt.image.Raster API to write beyond the limits of an array. This will cause memory corruption and may allow execution of arbitrary code.
The fix adds code to validate the relevant input correctly.

CVSS Base Score: 10
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85028
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3006 (CVSS 9.3)
Description:
The absence of a receiver binding for protected methods in MethodHandles.lookup allows the invocation of protected methods of arbitrary objects.
The fix ensures that the protected methods are bound correctly.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84147
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3007 (CVSS 9.3)
Description:
Unsafe implementation of deserialization functionality in the ORB allows access to arbitrary fields of Serializable classes.
The fix ensures that the deserialization is implemented safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84148
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3008 (CVSS 9.3)
Description:
Unsafe deserialization of MethodType objects allows MethodType objects to be mutated.
The fix clones the arguments array preventing modification of internal parameters.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84149
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3009 (CVSS 9.3)
Description:
Insecure use of the invoke method of java.lang.reflect.Method class in the ORB allows arbitrary method invocation inside AccessController's doPrivileged block.
The fix ensures that invoke is used securely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84150
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3010 (CVSS 9.3)
Description:
Insecure implementation of reflective Field access in the ORB allows privileged access to arbitrary fields of Serializable classes.
The fix implements reflection safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84151
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3011 (CVSS 9.3)
Description:
XSLT unsafely allows calls to Java extension functions.
The fix makes these calls safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84152
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3012 (CVSS 9.3)
Description:
XSLT extends a ClassLoader unsafely.
The fix extends the ClassLoader safely.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/84153
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3743 (CVSS 9.3)
Description:
Some methods in the AWT component are being invoked under a different AppContext than the one they belong to. This can lead to privilege escalation and sandbox escape.

CVSS Base Score: 9.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85036
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-3744 (CVSS 5)
Description:
LiveConnect enables Java APIs to be invoked from JavaScript in the web browser. There is no way to sign the code in this scenario, and unsigned Java code is intentionally blocked as of 7 SR4-FP2 (Oracle 7u21) under the following conditions:
- Security slider at Very High
- Security slider at High (default/minimum recommended) and the JRE is flagged as "insecure", which is triggered by either being below the security baseline or past its built-in expiration date. (The IBM Java SDK has no concept of a security baseline, but it does have an expiration date, which is set to 6 months after the build date.)
This CVE deals with the fact that LiveConnect is not properly blocked by the security slider settings in 7 SR4-FP2 (Oracle 7u21). The fix, in 7 SR5 (Oracle 7u25), corrects this problem.
This will break applications that use LiveConnect to make calls from JavaScript to Java when they are launched under either of the two scenarios listed above.
In a future release, additional constraints will be added to LiveConnect such that applications will need to identify the specific Java APIs that will be callable from JavaScript. At that time, the ability to use LiveConnect under these scenarios may be relaxed as long as the APIs are properly identified using this new mechanism.

CVSS Base Score: 5
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85051
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-4002 (CVSS 7.1)
Description:
The Apache Xerces-J XML parser is vulnerable to a denial of service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resource for several minutes before the data is eventually rejected. This behaviour can be used to launch a denial of service attack against any Java server application which processes XML data supplied by remote users. The same technique can be used to consume CPU resources on client deployments of Java.
The IBM Java SDK ships a variant of the Apache Xerces-J XML parser (XML4J) which has the same vulnerability. The vulnerability applies to all versions of the IBM Java SDK.

CVSS Base Score: 7.1
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85260
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)


AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.5 and TADDM 7.2.2.0

REMEDIATION:

Fix*                                           VRMF      APAR  How to acquire fix
efix_jdk7_SR5.zip                              7.2.2.0   None  Download EFix
efix_jdk1.5_SR16_FP3.zip                       7.2.1.5   None  Download EFix
efix_JAVASR16FP3_JDK_config_FP1020120928.zip   7.2.0.10  None  Download EFix

Please read the EFix readme in etc/<efix_name>_readme.txt.

Workaround(s):
None

Mitigation(s):
The only solution is to upgrade the JRE embedded with TADDM. The EFixes are prepared to be installed only on top of TADDM 7.2.0.10, 7.2.1.5 and TADDM 7.2.2.0 respectively.
If you need an EFix for another TADDM version, please contact IBM Support.
The JRE embedded in TADDM should not be used outside the product and should never be installed as the system JRE.

REFERENCES:
IBM Java security alerts
X-Force Vulnerability Database
http://xforce.iss.net/xforce/xfdb/85062
http://xforce.iss.net/xforce/xfdb/84715
http://xforce.iss.net/xforce/xfdb/85050
http://xforce.iss.net/xforce/xfdb/85044
http://xforce.iss.net/xforce/xfdb/85059
http://xforce.iss.net/xforce/xfdb/85049
http://xforce.iss.net/xforce/xfdb/85041
http://xforce.iss.net/xforce/xfdb/85054
http://xforce.iss.net/xforce/xfdb/85047
http://xforce.iss.net/xforce/xfdb/85048
http://xforce.iss.net/xforce/xfdb/85056
http://xforce.iss.net/xforce/xfdb/85040
http://xforce.iss.net/xforce/xfdb/85060
http://xforce.iss.net/xforce/xfdb/85057
http://xforce.iss.net/xforce/xfdb/85061
http://xforce.iss.net/xforce/xfdb/85055
http://xforce.iss.net/xforce/xfdb/85053
http://xforce.iss.net/xforce/xfdb/85045
http://xforce.iss.net/xforce/xfdb/84146
http://xforce.iss.net/xforce/xfdb/85058
http://xforce.iss.net/xforce/xfdb/85052
http://xforce.iss.net/xforce/xfdb/85046
http://xforce.iss.net/xforce/xfdb/85033
http://xforce.iss.net/xforce/xfdb/85038
http://xforce.iss.net/xforce/xfdb/85037
http://xforce.iss.net/xforce/xfdb/85029
http://xforce.iss.net/xforce/xfdb/85030
http://xforce.iss.net/xforce/xfdb/85031
http://xforce.iss.net/xforce/xfdb/85035
http://xforce.iss.net/xforce/xfdb/85034
http://xforce.iss.net/xforce/xfdb/85032
http://xforce.iss.net/xforce/xfdb/85025
http://xforce.iss.net/xforce/xfdb/85026
http://xforce.iss.net/xforce/xfdb/85027
http://xforce.iss.net/xforce/xfdb/85028
http://xforce.iss.net/xforce/xfdb/84147
http://xforce.iss.net/xforce/xfdb/84148
http://xforce.iss.net/xforce/xfdb/84149
http://xforce.iss.net/xforce/xfdb/84150
http://xforce.iss.net/xforce/xfdb/84151
http://xforce.iss.net/xforce/xfdb/84152
http://xforce.iss.net/xforce/xfdb/84153
http://xforce.iss.net/xforce/xfdb/85036
http://xforce.iss.net/xforce/xfdb/85051
http://xforce.iss.net/xforce/xfdb/85260

Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

RELATED INFORMATION:
IBM Secure Engineering Web Portal


ACKNOWLEDGEMENT
None

CHANGE HISTORY
17 October 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Tivoli Application Dependency Discovery Manager
Software version: 7.2, 7.2.1, 7.2.2
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1652561
Modified date: 2014-01-02