Security Bulletin: Security Bulletin: IBM Tivoli Monitoring affected by vulnerabilities in IBM® SDK, Java™ Technology Edition

Vulnerability Details

CVEID: CVE-2013-1500
Some native internal implementation code in the Java Abstract Window Toolkit (AWT) component creates a shared memory segment with world read/write permission. This allows potentially sensitive data to be accessed and modified by a local user. This issue is only exploitable by a local user with direct access to the environment on which the JRE is running.

This CVE affects the Manage Tivoli Enterprise Monitoring Services (MTEMS) GUI when used to configure IBM Tivoli Monitoring components and agents. The command line utility can be used to instead of the GUI to configure the components and agents. The CVE also affects the portal desktop client.

CVSS Base Score: 3.6
CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/85062 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)


CVEID: CVE-2014-0411
Timing differences based on validity of TLS messages can be exploited to decrypt the session.
The vulnerability does not require local network access or authentication, but a high degree of specialized knowledge and techniques are required. The exploit is not trivial, requiring a man-in-the-middle position and a long time (around 20 hours).

The base IBM Tivoli Monitoring and base agents (those shipped as part of IBM Tivoli Monitoring Fix Packs) are not affected by this vulnerability. Only Java-based agents utilizing JSSE which rely on the JRE in the IBM Tivoli Monitoring installation directory (for example, CANDLEHOME) can be affected. Agents affected will publish separate security bulletins and reference this bulletin for the remediation.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/P:I/P:A/N)