IBM Support

Security Bulletin for IBM Integration Bus and IBM WebSphere Message Broker: Multiple security vulnerabilities in IBM JREs 6 & 7

Security Bulletin


Summary

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Message Broker for IBM JRE 6.0 SR15 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR6 (and earlier)

Vulnerability Details

All vulnerabilities are applicable to both IBM JRE 6.0 and IBM JRE 7.0

CVEID: CVE-2013-5878


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the Security component does not properly handle null XML namespace (xmlns) attributes during XML document canonicalization, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90335 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5887


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90345 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5888


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with GNOME, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5889


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90328 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5898


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-0375 and CVE-2014-0403.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-5899


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5907


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine, which allows attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted font file.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5910


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that CanonicalizerBase.java in the XML canonicalizer allows untrusted code to access mutable byte arrays.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90352 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0368


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90351 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-0373


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0375


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0376


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories."

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90350 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0387


Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVSS:
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90332 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0403


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90338 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0410


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90322 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0411


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0415


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0416


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0417


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90331 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0422


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90326 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0423


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding.

CVSS:
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVEID: CVE-2014-0424


Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418.

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90333 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0428


Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90325 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM WebSphere Message Broker V7.0 and V8.0 & IBM Integration Bus V9.0 are affected on all platforms except IBM z/OS.

Remediation/Fixes

For IBM WebSphere Message Broker V7.0 and V8.0 an interim fix for APAR IC99332 is available from IBM Fix Central:

http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IC99332

APAR IC99332 is targeted for availability in IBM WebSphere Message Broker V7.0.0.7 and V8.0.0.5

For IBM Integration Bus V9.0 an interim fix for APAR IC99333 available from IBM Fix Central:

http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IC99333

Please note this fix is not yet available on IBM Integration Bus V9.0 for HP, contact your IBM Support Centre for more details.
APAR IC99333 is targeted for availability in IBM Integration Bus V9.0.0.2

Workarounds and Mitigations

None Known

Get Notified about Future Security Bulletins

References

Off
CVE-2013-5878
http://xforce.iss.net/xforce/xfdb/90335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878

CVE-2013-5887
http://xforce.iss.net/xforce/xfdb/90345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5887

CVE-2013-5889
http://xforce.iss.net/xforce/xfdb/90328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5889

CVE-2013-5899
http://xforce.iss.net/xforce/xfdb/90346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5899

CVE-2013-5907
http://xforce.iss.net/xforce/xfdb/90324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907

CVE-2013-5910
http://xforce.iss.net/xforce/xfdb/90352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910

CVE-2014-0373
http://xforce.iss.net/xforce/xfdb/90334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373

CVE-2014-0375
http://xforce.iss.net/xforce/xfdb/90339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0375

CVE-2014-0376
http://xforce.iss.net/xforce/xfdb/90350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376

CVE-2014-0387
http://xforce.iss.net/xforce/xfdb/90332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0387

CVE-2014-0403
http://xforce.iss.net/xforce/xfdb/90338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0403

CVE-2014-0410
http://xforce.iss.net/xforce/xfdb/90322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0410

CVE-2014-0415
http://xforce.iss.net/xforce/xfdb/90323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0415

CVE-2014-0416
http://xforce.iss.net/xforce/xfdb/90349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416

CVE-2014-0417
http://xforce.iss.net/xforce/xfdb/90331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0417

CVE-2014-0422
http://xforce.iss.net/xforce/xfdb/90326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422

CVE-2014-0423
http://xforce.iss.net/xforce/xfdb/90340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423

CVE-2014-0424
http://xforce.iss.net/xforce/xfdb/90333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0424

CVE-2014-0428
http://xforce.iss.net/xforce/xfdb/90325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428

Change History

<30 - Apr - 2014>: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSKM8N","label":"WebSphere Message Broker"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0;8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Product":{"code":"SSNQK6","label":"IBM Integration Bus"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
23 March 2020

UID

swg21671348