Security Bulletin: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802 CVE-2013-4002 CVE-2013-5825 CVE-2013-5372 CVE-2013-0599 CVE-2013-0464 CVE-2013-0467 CVE-2013-2962 CVE-2013-2415)

Summary

WebSphere Transformation Extender products are affected by multiple security vulnerabilities that exist in Oracle JRE and IBM Eclipse Help System. Additionally, WTX Launcher is vulnerable to a denial of service attack using a buffer overflow.

Vulnerability Details


WebSphere Transformation Extender includes an IBM Java Runtime Environment (JRE) that is based on the Oracle JRE, and is therefore affected by the following vulnerabilities in that JRE. Oracle has released Critical Patch Updates (CPU) that contain fixes for these vulnerabilities. The IBM JRE has been updated to incorporate those fixes, as well as fixes for security vulnerabilities specific to the IBM JRE. See Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition for details.

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-5825
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2415
Description: Temporary files may be read by users other than the user that launched the JVM.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83592 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products:
* WebSphere Transformation Extender Design Studio
* WebSphere Transformation Extender with Command Server
* WebSphere Transformation Extender for Integration Servers
* WebSphere Transformation Extender for Application Programming
* WebSphere Transformation Extender with Launcher
* WebSphere Transformation Extender with Launcher Hypervisor Edition
* WebSphere Transformation Extender with Launcher Hypervisor Edition for AIX

Affected Platforms:
* AIX
* HP-UX
* Linux (including Linux for System z)
* Solaris
* Windows

Affected Versions and Remediation/Fixes:

Version             Remediation
8.3.0.0 - 8.3.0.5   Download and install 8.3.0.6 from http://www.ibm.com/software/howtobuy/passportadvantage
8.4.0.0 - 8.4.0.4   Download and install the interim fix from http://www.ibm.com/support/fixcentral
8.4.1.0 - 8.4.1.1   Download and install the interim fix from http://www.ibm.com/support/fixcentral

Workarounds/Mitigations:
None.




The following vulnerabilities exist in the IBM Eclipse Help System that is utilized by WebSphere Transformation Extender users on Windows when viewing the product documentation that is shipped with the product:

CVEID: CVE-2013-0599
Description: An unspecified vulnerability in IBM Eclipse Help System related to parameter path crafting could allow a remote attacker to access sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83613 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0464
Description: An unspecified vulnerability in IBM Eclipse Help System related to search could allow a remote attacker to affect confidentiality and integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0467
Description: An unspecified vulnerability in IBM Eclipse Help System related to URL crafting could allow a remote attacker to access unauthorized information.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products:
* WebSphere Transformation Extender Design Studio
* WebSphere Transformation Extender with Command Server
* WebSphere Transformation Extender for Integration Servers
* WebSphere Transformation Extender for Application Programming
* WebSphere Transformation Extender with Launcher

Affected Platforms: Windows only

Affected Versions and Remediation/Fixes:
Version             Remediation
8.3.0.0 - 8.3.0.5   Download and install 8.3.0.6 from http://www.ibm.com/software/howtobuy/passportadvantage
8.4.0.0 - 8.4.0.4   Download and install the interim fix from http://www.ibm.com/support/fixcentral
8.4.1.0 - 8.4.1.1   Download and install the interim fix from http://www.ibm.com/support/fixcentral

Workarounds/Mitigations:
To avoid using the IBM Eclipse Help System to view documentation shipped with the product, view the WebSphere Transformation Extender documentation online at http://www.ibm.com/software/integration/wdatastagetx/library/index.html




WebSphere Transformation Extender Launcher is vulnerable to a denial of service attack whereby a local unauthorized user could crash the Launcher process, or prevent Launcher Admin Console operational commands from reaching the Launcher, by causing a buffer overflow. While this exploit could impact the availability of the Launcher, the integrity of the data and the confidentiality of information are not compromised.

CVEID: CVE-2013-2962
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83722 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Affected Products:
* WebSphere Transformation Extender with Launcher
* WebSphere Transformation Extender with Launcher Hypervisor Edition

Affected Platforms:
* AIX
* HP-UX
* Linux (including Linux for System z)
* Solaris
* Windows

Affected Versions and Remediation/Fixes:
Version             Remediation
8.4.0.0 - 8.4.0.3   Download and install 8.4.0.4 from http://www.ibm.com/software/howtobuy/passportadvantage

Workarounds/Mitigations:
None.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product Synonym

WTX

Document Information

Modified date:
16 June 2018

UID

swg21662870