
Security Bulletin: IBM Lotus Expeditor fixes for multiple vulnerabilities in IBM JRE

Security Bulletin


Summary

IBM Lotus Expeditor is shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle's January 2014 Critical Patch Update (CPU) contains security vulnerability fixes for the JDK, and the IBM SDK for Java has been updated to incorporate those fixes. The updated SDK is delivered with the interim fixes listed under Remediation/Fixes below.

Vulnerability Details

CVEID: CVE-2014-0428
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to CORBA component.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90325 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0422
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the JNDI component.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90326 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5907
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D component.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0417
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D component.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90331 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0423
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and availability via unknown vectors related to Beans component.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVEID: CVE-2013-5910
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via unknown vectors related to Security component.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90352 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0416
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via unknown vectors related to JAAS component.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0368
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality via unknown vectors related to Networking component.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90351 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-5888
DESCRIPTION: A vulnerability allows attackers with local access (the CVSS vector below is AV:L) to affect confidentiality, integrity and availability via unknown vectors related to the Deployment component.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0411
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and integrity via unknown vectors related to JSSE component.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

The following CVEs are fixed in the updated SDK, but IBM Lotus Expeditor itself is not vulnerable to them. If you deploy your own Java code on Lotus Expeditor, evaluate that code to determine whether it is exposed. Refer to the Reference section for more information on the advisories not applicable to IBM Lotus Expeditor:

CVE-2014-0415
CVE-2014-0410
CVE-2013-5893
CVE-2013-5889
CVE-2013-0408
CVE-2014-0387
CVE-2014-0424
CVE-2013-5878
CVE-2014-0373
CVE-2013-5904
CVE-2014-0375
CVE-2014-0403
CVE-2014-0418
CVE-2013-5902
CVE-2014-0376
CVE-2013-5884
CVE-2013-5896
CVE-2013-5899
CVE-2013-5887
CVE-2013-5898

Affected Products and Versions

IBM Lotus Expeditor 6.2.x

Remediation/Fixes

Fixes for these issues are delivered in the following interim fixes, which update the bundled IBM SDK for Java. Download them from IBM Fix Central using the Fix Central ID shown.

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.3
   Fix Central ID: XPD-6.2.3.0-Client-IFix3

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.2
   Fix Central ID: XPD-6.2.2.0-Client-IFix3

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.1
   Fix Central ID: XPD-6.2.1.0-Client-IFix3

Workarounds and Mitigations

None

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Lotus Expeditor Client for Desktop

Software version: 6.2.1, 6.2.2, 6.2.3

Operating system(s): Linux, Windows

Reference #: 1670805

Modified date: 05 May 2014