Security Bulletin: IBM Lotus Expeditor fixes for multiple vulnerabilities in IBM JRE


Summary

IBM Lotus Expeditor is shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released October 2013 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes. The IBM SDK for Java has also been updated to fix security vulnerabilities specific to the IBM SDK for Java.

Vulnerability Details

CVEID: CVE-2013-5843
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5830
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system, caused by improper handling of LDAP deserialization.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5829
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system, caused by a vulnerability in the FileImageInputStream class.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5842
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system, caused by a vulnerability in the ObjectOutputStream class.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5782
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87960 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5817
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system, caused by a vulnerability in the com.sun.jndi.ldap.LdapCtx class.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5809
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5814
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to CORBA component.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5850
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to Libraries component.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5802
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via vectors related to JAXP.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5804
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and integrity via vectors related to the Javadoc component.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5783
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system, caused by a vulnerability in the NumberFormatter and RealTimeSequencer classes.
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-3829
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries component.
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87986 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5820
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via unknown vectors related to the JAX-WS component.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5825
DESCRIPTION: A vulnerability allows remote attackers to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5840
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5801
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5778
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5784
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via vectors related to the SCRIPTING component.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5849
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88003 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5790
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5780
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5797
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via vectors related to the Javadoc component.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5772
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via vectors related to the jhat component.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-4041
DESCRIPTION: A vulnerability allows remote attackers access to restricted classes.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5375
DESCRIPTION: A vulnerability allows remote attackers access to restricted classes.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86901 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5372
DESCRIPTION: The XML4J parser shipped with WebSphere Message Broker and IBM Integration Bus is vulnerable to a denial of service attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5457
DESCRIPTION: A vulnerability allows remote attackers to execute arbitrary code on the system.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88256 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
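
As an added cross-check for triage (example code, not part of IBM's bulletin), the following Python re-derives the CVSS v2 base scores above from their vector strings using the published FIRST CVSS v2 base equation, and rejects vectors whose separators were mangled in transcription rather than scoring them silently. The vectors and scores in the BULLETIN table are copied from this bulletin.

```python
# Added example (not IBM's code): re-derive the CVSS v2 base scores in this
# bulletin from their vector strings, using the FIRST CVSS v2 base equation.
import re

WEIGHTS = {  # CVSS v2 metric weights from the FIRST specification
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$")

def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:N/C:C/I:C/A:C)' into {metric: code}; return None
    for malformed vectors (e.g. ':' and '/' swapped during copy-and-paste)
    so a bad vector is never silently scored."""
    m = VECTOR_RE.match(vector.strip())
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups())) if m else None

def base_score(vector):
    """CVSS v2 base score, 0.0-10.0, rounded half-up to one decimal."""
    parsed = parse_vector(vector)
    if parsed is None:
        raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
    v = {k: WEIGHTS[k][code] for k, code in parsed.items()}
    impact = 10.41 * (1 - (1 - v["C"]) * (1 - v["I"]) * (1 - v["A"]))
    exploitability = 20 * v["AV"] * v["AC"] * v["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10  # half-up; avoids banker's rounding

# Vectors and base scores as stated in this bulletin, for cross-checking.
BULLETIN = {
    "CVE-2013-5843": ("(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    "CVE-2013-5850": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2013-5802": ("(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
    "CVE-2013-5804": ("(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    "CVE-2013-5825": ("(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    "CVE-2013-5784": ("(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    "CVE-2013-5797": ("(AV:N/AC:M/Au:S/C:N/I:P/A:N)", 3.5),
    "CVE-2013-5772": ("(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
}

def mismatches():
    """CVE IDs whose stated score differs from the score derived from the vector."""
    return [cve for cve, (vec, stated) in BULLETIN.items()
            if base_score(vec) != stated]
```

An empty list from mismatches() confirms the stated base scores are consistent with their vectors; the environmental score footnote below still applies, since only the base metrics are computed here.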

The following advisories are included in the SDK but IBM Lotus Expeditor is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Refer to the Reference section for more information on the advisories not applicable to IBM Lotus Expeditor:

CVE-2013-5789
CVE-2013-5787
CVE-2013-5788
CVE-2013-5824
CVE-2013-5806
CVE-2013-5805
CVE-2013-5832
CVE-2013-5812
CVE-2013-5823
CVE-2013-5831
CVE-2013-5819
CVE-2013-5818
CVE-2013-5848
CVE-2013-5776
CVE-2013-5774
CVE-2013-5803
CVE-2013-5838
CVE-2013-5851
CVE-2013-5800
CVE-2013-5458
CVE-2013-5456

Affected Products and Versions

IBM Lotus Expeditor 6.2.x

Remediation/Fixes

Fixes for these issues are included in the following releases.

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.3
Fix Central ID / File name & download link: XPD-6.2.3.0-Client-IFix2

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.2
Fix Central ID / File name & download link: XPD-6.2.2.0-Client-IFix2

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.1
Fix Central ID / File name & download link: XPD-6.2.1.0-Client-IFix2

Workarounds and Mitigations

None

References

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Document information

More support for: Lotus Expeditor, Client for Desktop
Software version: 6.2.1, 6.2.2, 6.2.3
Operating system(s): Linux, Windows
Reference #: 1662535
Modified date: 2014-03-12
