Security Bulletin: Multiple vulnerabilities in Tivoli Business Service Manager (CVE-2013-5802, CVE-2013-5825, CVE-2013-5372)


Summary

Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with Tivoli Business Service Manager.

Vulnerability Details

Tivoli Business Service Manager is shipped with IBM WebSphere Application Server, which includes an IBM SDK for Java based on the Oracle JDK. Oracle's October 2013 Critical Patch Update (CPU) contains security vulnerability fixes, and the IBM SDK for Java has been updated to incorporate them. The IBM SDK for Java has also been updated to fix security vulnerabilities specific to the IBM SDK for Java.

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
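The base scores above follow from their CVSS v2 vectors by the published v2 formulas, and the bulletin's temporal and environmental scores are left to the reader's own environment. The following is an added worked example, not part of IBM's bulletin: it recomputes the three base scores from the vectors in standard AV:/AC:/Au:/C:/I:/A: notation, then shows how temporal and environmental adjustments change them. The temporal and environmental metric values it uses (an official fix available, a deployment with high confidentiality and integrity requirements) are assumed for illustration only and are not stated in the bulletin.

```python
"""CVSS v2 base, temporal and environmental scoring (FIRST CVSS v2 guide formulas)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENV_WEIGHTS = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}

# Vectors and base scores as published in this bulletin.
BULLETIN = {
    "CVE-2013-5802": ("AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5),
    "CVE-2013-5825": ("AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    "CVE-2013-5372": ("AV:N/AC:M/Au:N/C:N/I:N/A:P", 4.3),
}


def round1(x):
    """CVSS rounds to one decimal half-up; Python's round() is half-even, so use Decimal."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector, weights, default=None):
    """Turn 'AV:N/AC:L/...' (parentheses optional) into {metric: weight}.

    Metrics absent from the vector take the `default` value (e.g. "ND") when one
    is given; for the base vector every metric is mandatory.
    """
    metrics = {}
    for item in vector.strip("()").split("/"):
        name, _, value = item.partition(":")
        if name not in weights or value not in weights[name]:
            raise ValueError(f"unknown metric or value: {item!r}")
        metrics[name] = weights[name][value]
    for name in weights:
        if name not in metrics:
            if default is None:
                raise ValueError(f"missing mandatory metric {name}")
            metrics[name] = weights[name][default]
    return metrics


def _impact(c, i, a):
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _exploitability(m):
    return 20 * m["AV"] * m["AC"] * m["Au"]


def _base_from_parts(impact, exploitability):
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) in the v2 equations
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(base_vector):
    m = parse_vector(base_vector, BASE_WEIGHTS)
    return _base_from_parts(_impact(m["C"], m["I"], m["A"]), _exploitability(m))


def temporal_score(base, temporal_vector="E:ND/RL:ND/RC:ND"):
    t = parse_vector(temporal_vector, TEMPORAL_WEIGHTS, default="ND")
    return round1(base * t["E"] * t["RL"] * t["RC"])


def environmental_score(base_vector, temporal_vector, env_vector):
    """Environmental score: impact re-weighted by CR/IR/AR, then CDP and TD applied."""
    m = parse_vector(base_vector, BASE_WEIGHTS)
    e = parse_vector(env_vector, ENV_WEIGHTS, default="ND")
    adj_impact = min(10.0, 10.41 * (1 - (1 - m["C"] * e["CR"])
                                      * (1 - m["I"] * e["IR"])
                                      * (1 - m["A"] * e["AR"])))
    adj_temporal = temporal_score(_base_from_parts(adj_impact, _exploitability(m)), temporal_vector)
    return round1((adj_temporal + (10 - adj_temporal) * e["CDP"]) * e["TD"])


def check_bulletin(entries=BULLETIN):
    """Recompute each base score and compare it with the published one."""
    return {cve: (base_score(vec), stated, base_score(vec) == stated)
            for cve, (vec, stated) in entries.items()}


if __name__ == "__main__":
    for cve, (computed, stated, ok) in check_bulletin().items():
        print(f"{cve}: computed {computed}, published {stated}, {'OK' if ok else 'MISMATCH'}")
    # Assumed metrics for illustration: an official fix exists (RL:OF, RC:C), and a
    # deployment with high C/I requirements, low collateral damage, all hosts affected.
    vec = BULLETIN["CVE-2013-5802"][0]
    print("temporal with RL:OF/RC:C:", temporal_score(base_score(vec), "E:ND/RL:OF/RC:C"))
    print("environmental (assumed):", environmental_score(vec, "E:ND/RL:OF/RC:C", "CDP:L/TD:H/CR:H/IR:H/AR:M"))
```

Recomputing the vectors reproduces the published 7.5, 5.0 and 4.3, which is a useful sanity check when a vector has been mangled in transit (a mismatch means the vector, not the score, is the thing to distrust). The temporal and environmental functions carry the bulletin's "customer environment specific" point through to numbers: once an official fix is published the temporal score drops, and a site's own CR/IR/AR, CDP and TD settings can move the final score up or down from the base.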

Affected Products

The IBM SDK for Java shipped with Tivoli Business Service Manager releases 4.2.x through 6.1.x.

Remediation/Fixes

The remediation for the IBM SDK is available as APARs for IBM WebSphere Application Server (WAS), as listed below. Users can download the WAS efixes that remediate these issues from the following location: http://www-01.ibm.com/support/docview.wss?uid=swg21655990

The specific APAR number for each Tivoli Business Service Manager release is listed below.

Release    Java level    WAS level    APAR
4.2.0      5             6.1          PM98600
4.2.1      5             6.1          PM98600
6.1        6             7            PM98578
6.1.1      6             7            PM98578

Workarounds/Mitigations

None.

Important note:

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References:

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 December 2013: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Tivoli Business Service Manager
Software version: 4.2, 4.2.1, 6.1, 6.1.1
Operating system(s): AIX, Linux, Linux zSeries, Solaris, Windows
Reference #: 1659951
Modified date: 2013-12-13
