
Security Bulletin: Multiple vulnerabilities in IBM WebSphere Real Time

Flashes (Alerts)


Abstract

Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities.

Content

VULNERABILITY DETAILS:

CVE IDs: CVE-2013-5456 CVE-2013-5457 CVE-2013-5458 CVE-2013-4041 CVE-2013-5375 CVE-2013-5372 CVE-2013-5843 CVE-2013-5789 CVE-2013-5830 CVE-2013-5829 CVE-2013-5787 CVE-2013-5788 CVE-2013-5824 CVE-2013-5842 CVE-2013-5782 CVE-2013-5817 CVE-2013-5809 CVE-2013-5814 CVE-2013-5832 CVE-2013-5850 CVE-2013-5838 CVE-2013-5802 CVE-2013-5812 CVE-2013-5804 CVE-2013-5783 CVE-2013-3829 CVE-2013-5823 CVE-2013-5831 CVE-2013-5820 CVE-2013-5819 CVE-2013-5818 CVE-2013-5848 CVE-2013-5776 CVE-2013-5774 CVE-2013-5825 CVE-2013-5840 CVE-2013-5801 CVE-2013-5778 CVE-2013-5851 CVE-2013-5800 CVE-2013-5784 CVE-2013-5849 CVE-2013-5790 CVE-2013-5780 CVE-2013-5797 CVE-2013-5803 CVE-2013-5772

DESCRIPTION: There are a number of vulnerabilities in IBM WebSphere Real Time that affect various components. CVE-2013-5456, CVE-2013-5457 and CVE-2013-5458 allow code running under a security manager to escalate its privileges by modifying or removing the security manager. CVE-2013-4041 and CVE-2013-5375 allow code running under a security manager to access restricted classes. These vulnerabilities could occur when untrusted code is executed under a security manager, or when IBM WebSphere Real Time has been manually associated with a web browser for running applets and Web Start applications.

CVE-2013-5372 is a denial of service vulnerability which could result in a complete availability impact on the affected system.

This bulletin also covers all applicable CVEs published by Oracle as part of their October 2013 Java SE Critical Patch Update. For more information please refer to Oracle's October 2013 Java SE CPU Advisory.

CVEID: CVE-2013-5456
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88255 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5457
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88256 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5458
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88257 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4041
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5375
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86901 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5843
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5789
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87968 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5830
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5829
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5787
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87967 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5788
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87966 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5824
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87965 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5842
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5782
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87960 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5817
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5809
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5814
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5832
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5850
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5838
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87974 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5812
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87985 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2013-5804
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5783
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3829
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87986 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5823
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5831
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5820
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5819
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5818
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87993 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5848
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5776
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5774
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5840
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5801
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5778
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5851
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5800
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88002 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5784
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5849
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88003 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5790
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5780
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5797
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5803
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5772
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
IBM WebSphere Real Time Version 3 Service Refresh 5 and earlier

REMEDIATION:
IBM WebSphere Real Time Version 3 Service Refresh 6 and later

IBM WebSphere Real Time releases can be downloaded from developerWorks.

APAR numbers are as follows:

IV51329 (CVE-2013-5456)
IV51334 (CVE-2013-5457)
IV51328 (CVE-2013-5458)
IV51087 (CVE-2013-4041)
IV51089 (CVE-2013-5375)
IV51102 (CVE-2013-5372)
IV50917 (CVE-2013-5843)
IV50919 (CVE-2013-5789)
IV50922 (CVE-2013-5830)
IV50923 (CVE-2013-5829)
IV50925 (CVE-2013-5787)
IV51048 (CVE-2013-5788)
IV50928 (CVE-2013-5824)
IV51104 (CVE-2013-5842)
IV50933 (CVE-2013-5782)
IV50935 (CVE-2013-5817)
IV50937 (CVE-2013-5809)
IV50939 (CVE-2013-5814)
IV50942 (CVE-2013-5832)
IV51109 (CVE-2013-5850)
IV51049 (CVE-2013-5838)
IV50948 (CVE-2013-5802)
IV50953 (CVE-2013-5812)
IV50955 (CVE-2013-5804)
IV50957 (CVE-2013-5783)
IV50960 (CVE-2013-3829)
IV50963 (CVE-2013-5823)
IV50965 (CVE-2013-5831)
IV50969 (CVE-2013-5820)
IV50971 (CVE-2013-5819)
IV50973 (CVE-2013-5818)
IV50974 (CVE-2013-5848)
IV50976 (CVE-2013-5776)
IV50978 (CVE-2013-5774)
IV50980 (CVE-2013-5825)
IV50982 (CVE-2013-5840)
IV50984 (CVE-2013-5801)
IV50986 (CVE-2013-5778)
IV51050 (CVE-2013-5851)
IV50695 (CVE-2013-5800)
IV50990 (CVE-2013-5784)
IV50992 (CVE-2013-5849)
IV51051 (CVE-2013-5790)
IV50994 (CVE-2013-5780)
IV50996 (CVE-2013-5797)
IV50999 (CVE-2013-5803)
IV51110 (CVE-2013-5772)

WORKAROUND(S) & MITIGATION(S):
None.

Important note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

REFERENCES:

  • Complete CVSS v2 Guide
  • On-line Calculator v2
  • Oracle October 2013 Java SE Critical Patch Update Advisory
  • IBM SDK, Java Technology Edition Security Alerts

ACKNOWLEDGEMENT:
The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-5456, CVE-2013-5457 and CVE-2013-5458.

CHANGE HISTORY:
None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date: 25 September 2022

UID: swg21655202