Multiple vulnerabilities in the IBM i Java SDK

Security Bulletin


Summary

Abstract: Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities.

Vulnerability Details

TITLE: Security Bulletin: Multiple vulnerabilities in the IBM i Java SDK
Abstract: Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities.

Content

VULNERABILITY DETAILS:
CVE IDs: CVE-2013-5456 CVE-2013-5457 CVE-2013-5458 CVE-2013-4041 CVE-2013-5375 CVE-2013-5372 CVE-2013-5843 CVE-2013-5789 CVE-2013-5830 CVE-2013-5829 CVE-2013-5787 CVE-2013-5788 CVE-2013-5824 CVE-2013-5842 CVE-2013-5782 CVE-2013-5817 CVE-2013-5809 CVE-2013-5814 CVE-2013-5832 CVE-2013-5850 CVE-2013-5838 CVE-2013-5802 CVE-2013-5812 CVE-2013-5804 CVE-2013-5783 CVE-2013-3829 CVE-2013-5823 CVE-2013-5831 CVE-2013-5820 CVE-2013-5819 CVE-2013-5818 CVE-2013-5848 CVE-2013-5776 CVE-2013-5774 CVE-2013-5825 CVE-2013-5840 CVE-2013-5801 CVE-2013-5778 CVE-2013-5851 CVE-2013-5800 CVE-2013-5784 CVE-2013-5849 CVE-2013-5790CVE-2013-5780 CVE-2013-5797 CVE-2013-5803 CVE-2013-5772

DESCRIPTION: There are a number of vulnerabilities in the IBM SDK, Java Technology Edition that affect various components. CVE-2013-5456, CVE-2013-5457 and CVE-2013-5458 allow code running under a security manager to escalate its privileges by modifying or removing the security manager. CVE-2013-4041 and CVE-2013-5375 allow code running under a security manager to access restricted classes. These vulnerabilities could occur when untrusted code is executed under a security manager, or when the IBM SDK, Java Technology Edition has been associated with a web browser for running applets and Web Start applications.

CVE-2013-5372 is a denial of service vulnerability which could result in a complete availability impact on the affected system.

This bulletin also covers all applicable CVEs published by Oracle as part of their October 2013 Java SE Critical Patch Update.
For more information please refer to Oracle's October 2013 Java SE CPU Advisory.

CVEID: CVE-2013-5456
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88255 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5457
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88256 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5458
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88257 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-4041
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5375
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86901 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5843
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5789
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87968 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5830
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5829
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5787
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87967 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5788
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87966 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5824
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87965 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5842
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5782
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87960 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5817
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5809
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5814
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5832
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5850
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5838
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87974 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2013-5812
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87985 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/P)

CVEID: CVE-2013-5804
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)

CVEID: CVE-2013-5783
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)

CVEID: CVE-2013-3829
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87986 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)

CVEID: CVE-2013-5823
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)

CVEID: CVE-2013-5831
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5820
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5819
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5818
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87993 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5848
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5776
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5774
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)

CVEID: CVE-2013-5840
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5801
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5778
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5851
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5800
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88002 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5784
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5849
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88003 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5790
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5780
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5797
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/S:C/N:I/P:A/N)

CVEID: CVE-2013-5803
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/N:I/N:A/P)

CVEID: CVE-2013-5772
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/N:I/P:A/N)


AFFECTED PRODUCTS AND VERSIONS:
Supported IBM i releases, IBM i 6.1 and IBM i 7.1, are affected. Unsupported releases that may be affected include: V3R7, V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3 and V5R4.

For users of unsupported releases of IBM i, IBM recommends upgrading to a fixed and supported release of the IBM i Operating System.


REMEDIATION:
The issue can be fixed by applying a PTF to the IBM i Operating System.

Please see the Java document at this URL for the latest IBM i Java information:
http://www.ibm.com/developerworks/ibmi/techupdates/java

The IBM i Group PTF numbers are:

Release 6.1 – SF99562 level 26
Release 7.1 – SF99572 level 15

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workaround(s):
<None>

Mitigation(s):
<None>

REFERENCES:
Complete CVSS Guide
Online Calculator V2
Oracle October 2013 Java SE Critical Patch Update Advisory
IBM SDK, Java Technology Edition Security Alerts

ACKNOWLEDGEMENT:
The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-5456, CVE-2013-5457 and CVE-2013-5458.

CHANGE HISTORY:
None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

References:

Complete CVSS Guide
On-line Calculator V2

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM i
Java

Software version:

5.4.0, 5.4.5, 6.1.0, 6.1.1, 7.1.0

Operating system(s):

IBM i

Reference #:

N1019873

Modified date:

2013-12-20

Translate my page

Machine Translation

Content navigation