Security Flash: Multiple vulnerabilities in IBM's Java 5 and Java 6 JREs used by Web Experience Factory development components

Flash (Alert)


Abstract

Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update
may impact customers using Web Experience Factory development components. The
patched vulnerabilities relevant to Web Experience Factory are CVE-2013-5802,
CVE-2013-5825, and CVE-2013-5372 (non-Oracle; specific to the IBM JRE/SDK).

Content

VULNERABILITY DETAILS:
Web Experience Factory (WEF) uses an IBM JRE to run the components that comprise a
WEF development environment. These components include WEF's bundled copy of
Eclipse and WEF's bundled copy of the WebSphere Community Edition (WASCE)
application server. If customers have installed these optional components, then those
components will contain a version of IBM's JRE that has the vulnerabilities described
below. Customers may wish to update the IBM JREs installed by WEF to ensure their
development environments are not vulnerable to the documented exploits.
Note that WEF does not use its bundled JREs in production. In production deployments,
WEF uses the JDK/JRE provided by the WebSphere or Portal installation.
CVE ID: CVE-2013-5802
Description: An unspecified vulnerability in JAXP could allow DoS attacks on the JRE.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE ID: CVE-2013-5825
Description: An unspecified vulnerability in JAXP could allow DoS attacks on the JRE.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-5372
Description: An unspecified vulnerability in XML4J could allow DoS attacks on the JRE.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
All supported versions of Web Experience Factory, WebSphere Dashboard Framework,
and Lotus Widget Factory.
REMEDIATION:
Customers that choose to update their development environments must contact IBM
support to obtain an APAR appropriate for their licensed product and version. However,
these APARs are only appropriate for customers that use WEF's bundled copy of Eclipse
or WASCE. Customers that have provided their own copy of Eclipse or a development
application server must obtain patches from the provider of those components.
WORKAROUND(S):
None
MITIGATION(S):
None

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2013-5802 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802)
CVE-2013-5825 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825)
CVE-2013-5372 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5372)
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Security Bulletin: Multiple vulnerabilities in the IBM Java SDK
CHANGE HISTORY
17 January 2014: Original Copy Published
*The CVSS Environmental Score is specific to the customer's environment and will ultimately
affect the overall CVSS Score. Customers can evaluate the impact of this vulnerability
in their environments by accessing the links in the References section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to
convey vulnerability severity and help to determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY
KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE
FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.

Document information

More support for: IBM Web Experience Factory
Software version: 6.1.5, 7.0, 7.0.1, 8.0
Operating system(s): Windows
Software edition: Deployment, Designer
Reference #: 1662705
Modified date: 2015-01-06
