Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server October 2013 CPU

Flashes (Alerts)


Abstract

Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server

Content

The IBM WebSphere Application Server is shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released October 2013 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes. The IBM SDK for Java has also been updated to fix security vulnerabilities specific to the IBM SDK for Java.


Vulnerability Details

CVEID: CVE-2013-5780
Description: Potential information disclosure vulnerability in JSSE.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5372
Description: Potential denial of service vulnerability in XML. This is specific to the IBM SDK for Java.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5803
Description: Potential denial of service vulnerability in JSSE.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)

The following CVEs are fixed in the updated SDK, but WebSphere Application Server itself is not vulnerable to them. Evaluate your own application code to determine whether it is affected. Refer to the References section for more information on the advisories that do not apply to WebSphere Application Server:

CVE-2013-5456
CVE-2013-5457
CVE-2013-5458
CVE-2013-4041
CVE-2013-5375
CVE-2013-5843
CVE-2013-5789
CVE-2013-5830
CVE-2013-5829
CVE-2013-5787
CVE-2013-5788
CVE-2013-5824
CVE-2013-5842
CVE-2013-5782
CVE-2013-5817
CVE-2013-5809
CVE-2013-5814
CVE-2013-5832
CVE-2013-5850
CVE-2013-5838
CVE-2013-5802
CVE-2013-5812
CVE-2013-5804
CVE-2013-5783
CVE-2013-3829
CVE-2013-5823
CVE-2013-5831
CVE-2013-5820
CVE-2013-5819
CVE-2013-5818
CVE-2013-5848
CVE-2013-5776
CVE-2013-5774
CVE-2013-5825
CVE-2013-5840
CVE-2013-5801
CVE-2013-5778
CVE-2013-5851
CVE-2013-5800
CVE-2013-5784
CVE-2013-5849
CVE-2013-5790
CVE-2013-5797
CVE-2013-5772


Versions affected:

  • SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.1, Version 8.0.0.0 through 8.0.0.7, Version 7.0.0.0 through 7.0.0.30, and Version 6.1.0.0 through 6.1.0.47
  • The SDK versions shipped with WebSphere Application Server Fix Packs 8.5.5.2, 8.0.0.8 and 7.0.0.31 or later are not affected (HP platforms require the later fix pack levels listed under Solutions).


  • Warning:
    For mixed cells that contain WebSphere Application Server Version 6.0.2 nodes where Java 2 Security is enabled, ensure APAR PM92206 or its circumvention is applied to the Deployment Manager to prevent node synchronization failures. PM92206 has been delivered as an Interim Fix and in WebSphere Application Server Fix Packs 8.5.5.1, 8.0.0.7 and 7.0.0.31.

    Solutions:
    Upgrade your SDK to the interim fix level for your release, as listed below.

    For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:

    Download and apply the interim fix APAR for your release:


  • For V8.5.0.0 through 8.5.5.1:
  • Apply Interim Fix PM98572: upgrades you to SDK 7 SR6

  • --OR--
  • Apply Interim Fix PM98574: upgrades you to SDK 6 (J9 2.6) SR7

  • --OR--
  • Apply the IBM SDK for Java shipped with WebSphere Application Server Fix Pack 8.5.5.2 or later.


  • For V8.0.0.0 through 8.0.0.7:
  • Apply Interim Fix PM98576: upgrades you to SDK 6 (J9 2.6) SR7

  • --OR--
  • Apply the IBM SDK for Java shipped with WebSphere Application Server Fix Pack 8 (8.0.0.8) or later. HP platforms should apply the IBM SDK for Java shipped with WebSphere Application Server Fix Pack 9 (8.0.0.9) or later.


  • For V7.0.0.0 through 7.0.0.30:
  • Apply Interim Fix PM98578: upgrades you to SDK 6 SR15

  • --OR--
  • Apply the IBM SDK for Java shipped with WebSphere Application Server Fix Pack 31 (7.0.0.31) or later. HP platforms should apply the IBM SDK for Java shipped with WebSphere Application Server Fix Pack 33 (7.0.0.33) or later.


  • For V6.1.0.0 through 6.1.0.47:
  • Contact IBM Support and apply Interim Fix PM98600: upgrades you to SDK 5 SR16 FP4


  • For IBM WebSphere Application Server for i5/OS operating systems:

    The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Refer to Java on IBM i for updates on when these fixes will be available.

    Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
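Each interim fix above is identified by the SDK service refresh (SR) it delivers, so the practical check after patching is whether the bundled SDK reports that SR or a later one. The following Python, added here as an example and not part of the IBM bulletin, reads the text printed by `<WAS_HOME>/java/bin/java -version 2>&1` and classifies the SDK against the minimum levels listed above. The four sample captures are constructed, not taken from real hosts; the `(SRn FPm)` suffix on the runtime-environment line and the treatment of every non-2.6 J9 build as the older SDK 6 or SDK 5 stream are assumptions about the IBM SDK's output format, not statements from the bulletin.

```python
import re

# Minimum fixed (SR, FP) per SDK stream, taken from the interim fixes listed
# in this bulletin.  The bulletin only distinguishes "SDK 6 (J9 2.6)" from
# "SDK 6"; mapping every non-2.6 J9 build to the older stream is an
# assumption made here, not a statement from the bulletin.
MIN_FIXED = {
    ("1.7.0", True):  (6, 0),   # PM98572: SDK 7 SR6
    ("1.6.0", True):  (7, 0),   # PM98574 / PM98576: SDK 6 (J9 2.6) SR7
    ("1.6.0", False): (15, 0),  # PM98578: SDK 6 SR15
    ("1.5.0", False): (16, 4),  # PM98600: SDK 5 SR16 FP4
}

# Patterns for the three lines `java -version` prints on an IBM SDK.
# The "(SRn FPm)" suffix on the runtime-environment line is assumed.
VERSION_RE = re.compile(r'java version "(\d+\.\d+\.\d+)')
SR_RE = re.compile(r'\(SR(\d+)(?:\s*FP(\d+))?\)')
J9_RE = re.compile(r'J9 VM \(build (\d+\.\d+)')


def parse_java_version(text):
    """Extract (java_version, j9_build, sr, fp) from `java -version` output.

    Returns None when any expected field is missing, so a non-IBM JDK or a
    truncated capture is reported as unparsed rather than misjudged.
    """
    v, s, j = VERSION_RE.search(text), SR_RE.search(text), J9_RE.search(text)
    if not (v and s and j):
        return None
    return v.group(1), j.group(1), int(s.group(1)), int(s.group(2) or 0)


def assess(text):
    """Return 'fixed', 'affected', 'unknown stream' or 'unparsed'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"
    version, j9, sr, fp = parsed
    needed = MIN_FIXED.get((version, j9 == "2.6"))
    if needed is None:
        return "unknown stream"
    # Tuple comparison orders by SR first, then FP, so SR16 FP3 < SR16 FP4.
    return "fixed" if (sr, fp) >= needed else "affected"


# Constructed sample captures in the IBM SDK output format; they were not
# taken from real hosts.  Run `<WAS_HOME>/java/bin/java -version 2>&1` to
# obtain the real text for a server.
SAMPLE_SDK7_SR5 = """\
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr5-20130619_01(SR5))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 20130617_152572 (JIT enabled, AOT enabled)
"""

SAMPLE_SDK6_J926_SR7 = """\
java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460_26sr7-20131105_01(SR7))
IBM J9 VM (build 2.6, JRE 1.6.0 Linux amd64-64 20131105_175132 (JIT enabled, AOT enabled)
"""

SAMPLE_SDK5_SR16_FP3 = """\
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pxa64devifx-20130722 (SR16 FP3))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux amd64-64 j9vmxa6423-20130722 (JIT enabled)
"""

SAMPLE_ORACLE = """\
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
"""

if __name__ == "__main__":
    for name, text in (("SDK 7 SR5", SAMPLE_SDK7_SR5),
                       ("SDK 6 (J9 2.6) SR7", SAMPLE_SDK6_J926_SR7),
                       ("SDK 5 SR16 FP3", SAMPLE_SDK5_SR16_FP3),
                       ("Oracle JDK", SAMPLE_ORACLE)):
        print(f"{name}: {assess(text)}")
```

Run it against the real capture from each node's `<WAS_HOME>/java` (not a system-wide `java` on the PATH, which may be a different JDK entirely); an "unparsed" result means the binary is not an IBM SDK or the capture is incomplete, and an "affected" SDK 5 at SR16 FP3 shows why the fix-pack suffix must be compared, not just the SR number.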


    Change history
  • 21 November 2013 Original publish date
  • 25 November 2013 Add descriptions for CVEs
  • 2 December 2013 Update Fix Pack level
  • 5 December 2013 Add HP platform levels
  • 8 January 2014 Corrected 2Q2013 dates to 2Q2014
  • 18 February 2014 updated Fix pack dates


  • REFERENCES:
  • IBM Security Alerts
  • Oracle Java SE Critical Patch Update Advisory - October 2013
  • IBM SDK Java Technology Edition Security Bulletin October 2013
  • Java on IBM i
  • Complete CVSS Guide
  • On-line Calculator V2
  • WebSphere Application Server Recommended Fixes Page
  • *The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Flash.


    Note:
    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


    Document Information

    Modified date: 25 September 2022
    UID: swg21655990