Security Bulletin: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802 CVE-2013-4002 CVE-2013-5825 CVE-2013-5372 CVE-2013-0599 CVE-2013-0464 CVE-2013-0467 CVE-2013-2962 CVE-2013-2415)

Security Bulletin


Summary

WebSphere Transformation Extender products are affected by multiple security vulnerabilities that exist in Oracle JRE and IBM Eclipse Help System. Additionally, WTX Launcher is vulnerable to a denial of service attack using a buffer overflow.

Vulnerability Details


WebSphere Transformation Extender includes an IBM Java Runtime Environment (JRE) that is based on the Oracle JRE, and is therefore affected by the following vulnerabilities in that JRE. Oracle has released Critical Patch Updates (CPU) that contain security vulnerability fixes. The IBM JRE has been updated to incorporate these fixes, as well as fixes for security vulnerabilities specific to the IBM JRE. See Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition for details.

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2415
Description: Temporary files may be read by users other than the user that launched the JVM.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83592 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products:
* WebSphere Transformation Extender Design Studio
* WebSphere Transformation Extender with Command Server
* WebSphere Transformation Extender for Integration Servers
* WebSphere Transformation Extender for Application Programming
* WebSphere Transformation Extender with Launcher
* WebSphere Transformation Extender with Launcher Hypervisor Edition
* WebSphere Transformation Extender with Launcher Hypervisor Edition for AIX

Affected Platforms:
* AIX
* HP-UX
* Linux (including Linux for System z)
* Solaris
* Windows

Affected Versions and Remediation/Fixes:

Version Remediation
8.3.0.0 - 8.3.0.5 Download and install 8.3.0.6 from http://www.ibm.com/software/howtobuy/passportadvantage
8.4.0.0 - 8.4.0.4 Download and install the interim fix from http://www.ibm.com/support/fixcentral
8.4.1.0 - 8.4.1.1 Download and install the interim fix from http://www.ibm.com/support/fixcentral

Workarounds/Mitigations:
None.




The following vulnerabilities exist in the IBM Eclipse Help System that is utilized by WebSphere Transformation Extender users on Windows when viewing the product documentation that is shipped with the product:

CVEID: CVE-2013-0599
Description: An unspecified vulnerability in IBM Eclipse Help System related to parameter path crafting could allow a remote attacker to access sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83613 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0464
Description: An unspecified vulnerability in IBM Eclipse Help System related to search could allow a remote attacker to affect confidentiality and integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0467
Description: An unspecified vulnerability in IBM Eclipse Help System related to URL crafting could allow a remote attacker to access unauthorized information.
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products:
* WebSphere Transformation Extender Design Studio
* WebSphere Transformation Extender with Command Server
* WebSphere Transformation Extender for Integration Servers
* WebSphere Transformation Extender for Application Programming
* WebSphere Transformation Extender with Launcher

Affected Platforms: Windows only

Affected Versions and Remediation/Fixes:
Version Remediation
8.3.0.0 - 8.3.0.5 Download and install 8.3.0.6 from http://www.ibm.com/software/howtobuy/passportadvantage
8.4.0.0 - 8.4.0.4 Download and install the interim fix from http://www.ibm.com/support/fixcentral
8.4.1.0 - 8.4.1.1 Download and install the interim fix from http://www.ibm.com/support/fixcentral

Workarounds/Mitigations:
To avoid using the IBM Eclipse Help System to view documentation shipped with the product, view the WebSphere Transformation Extender documentation online at http://www.ibm.com/software/integration/wdatastagetx/library/index.html




WebSphere Transformation Extender Launcher is vulnerable to a denial of service attack whereby a local, unauthorized user could cause a buffer overflow that crashes the Launcher process or prevents Launcher Admin Console operational commands from reaching the Launcher. This attack affects only the availability of the Launcher; the integrity of the data and the confidentiality of information are not compromised.

CVEID: CVE-2013-2962
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83722 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Affected Products:
* WebSphere Transformation Extender with Launcher
* WebSphere Transformation Extender with Launcher Hypervisor Edition

Affected Platforms:
* AIX
* HP-UX
* Linux (including Linux for System z)
* Solaris
* Windows

Affected Versions and Remediation/Fixes:
Version Remediation
8.4.0.0 - 8.4.0.3 Download and install 8.4.0.4 from http://www.ibm.com/software/howtobuy/passportadvantage

Workarounds/Mitigations:
None.

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

WTX


Document information


More support for:

WebSphere Transformation Extender

Software version:

8.3.0.0, 8.3.0.1, 8.3.0.2, 8.3.0.3, 8.3.0.4, 8.3.0.5, 8.4.0.0, 8.4.0.1, 8.4.0.2, 8.4.0.3, 8.4.0.4, 8.4.1.0, 8.4.1.1

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Linux zSeries, Solaris, Windows, z/OS

Reference #:

1662870

Modified date:

2014-02-10
