Security Bulletin: IBM Tivoli Security Policy Manager can be affected by multiple vulnerabilities in the IBM Java SDK (CVE-2013-4002, CVE-2013-5825, CVE-2013-5802, CVE-2013-5372)

Flash (Alert)


Abstract

IBM Tivoli Security Policy Manager (TSPM) runs as a WebSphere application. Multiple security vulnerabilities have been discovered in IBM SDK for Java that is shipped with IBM WebSphere Application Server (WAS). Tivoli Security Policy Manager customers should upgrade the SDK used by TSPM to patch the Java vulnerabilities identified in this security bulletin.

Content

VULNERABILITY DETAILS
CVEID:
CVE-2013-4002

Description:
The Apache Xerces-J XML parser (XML4J) used by IBM SDK for Java is vulnerable to a denial of service attack, triggered by malformed XML data. The attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit would not impact the confidentiality of information or the integrity of data, however accessibility of the system can be compromised.

CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)



CVEID:
CVE-2013-5825

Description:
An unspecified vulnerability in the IBM Java SDK related to the JAXP component could allow a remote attacker to cause a denial of service. The attack does not require local network access, authentication, or specialized knowledge / techniques. An exploit would not impact the confidentiality of information or the integrity of data, however accessibility of the system could be compromised.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:
CVE-2013-5802

Description:
An unspecified vulnerability in the IBM Java SDK related to the JAXP component allows remote attackers to affect all vectors related to JAXP. The attack does not require local network access, authentication, or specialized knowledge / techniques. An exploit could partially impact the confidentiality of information, the integrity of data, and accessibility of the system.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:
CVE-2013-5372

Description:
The XML4J parser in IBM Java SDK allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document. The attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit would not impact the confidentiality of information or the integrity of data, however accessibility of the system could be compromised.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)



AFFECTED PRODUCTS:
Tivoli Security Policy Manager 7.1.0.0 and higher fixpacks.

REMEDIATION:
The IBM Java SDK is obtained through the WebSphere Application Server, which is entitled and distributed with TSPM. Patch instructions for all WebSphere versions are available in the WebSphere security bulletin at this link: http://www-01.ibm.com/support/docview.wss?uid=swg21655990

Vendor Fix(es):
For TSPM, download and apply the interim fix APARs below for your release of WebSphere:

Version    WebSphere version    Interim fix
TSPM 7.1   WAS 6.1              Contact WAS support
TSPM 7.1   WAS 7.0              PM98578
TSPM 7.1   WAS 8.0              PM98576



Workaround(s) & MITIGATION(s):
No workaround



REFERENCES:

http://xforce.iss.net/xforce/xfdb/85260
http://xforce.iss.net/xforce/xfdb/87988
http://xforce.iss.net/xforce/xfdb/87982
http://xforce.iss.net/xforce/xfdb/86662
CVE-2013-4002
CVE-2013-5825
CVE-2013-5802
CVE-2013-5372
X-Force Vulnerability Database
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY:

· 31 December 2013: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Tivoli Security Policy Manager
Software version: 7.1
Operating system(s): AIX, Linux xSeries, Linux zSeries, Solaris, Windows
Reference #: 1660500
Modified date: 2013-12-31
