Security Bulletin: Rational Reporting for Development Intelligence - Oracle CPU October 2013 (CVE-2013-5802, CVE-2013-5825)

Security Bulletin


Summary

Multiple security vulnerabilities exist in the IBM JRE that is shipped with the Rational Reporting for Development Intelligence (RRDI). The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS).

Vulnerability Details


The IBM JRE installed with RRDI is based on the Oracle JRE, and the IBM Java SDK installed with WAS is based on the Oracle JDK. Oracle has released the Critical Patch Update (CPU) October 2013, which contains security vulnerability fixes, and the IBM JRE and Java SDK have been updated to incorporate those fixes.

See http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html for the list of security vulnerabilities fixed by the Oracle CPU October 2013.

Note: WAS itself is not vulnerable to all the advisories. However, RRDI is vulnerable to the following two advisories:

CVE ID: CVE-2013-5802

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. A malicious user is able to exploit vulnerabilities in the JAXP component to affect the confidentiality, integrity and availability of the RRDI report server.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-5825

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. A malicious user is able to exploit vulnerabilities in the JAXP component to affect the availability of the RRDI report server.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

RRDI 1.0.2, 1.0.2.1, 2.0, 2.0.0.1, 2.0.1, 2.0.3, 2.0.4, 2.0.5 and 2.0.6

Remediation/Fixes

Apply the recommended fixes to all affected versions of RRDI as soon as practical.

RRDI 1.0.2 and 1.0.2.1

  1. Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure.
    Read technote 1664606: Install Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure to resolve security vulnerabilities in RRDI 1.0.2.x and Rational Insight 1.0.1.x - Oracle CPU October 2013 for instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for detailed instructions.


RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4

  1. Download and install the Cognos Business Intelligence 10.1.1 Interim Fix 5. Read technote 1664614: Install Cognos Business Intelligence 10.1.1 Interim Fix 5 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.


RRDI 2.0.5

  1. Download and install the Cognos Business Intelligence 10.2.1 Interim Fix 4. Read technote 1664630: Install Cognos Business Intelligence 10.2.1 Interim Fix 4 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.


RRDI 2.0.6

  1. Download and install the Cognos Business Intelligence 10.2.1 Interim Fix 4. Read technote 1664630: Install Cognos Business Intelligence 10.2.1 Interim Fix 4 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.
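A check that the WAS Java SDK is already at one of the service refresh (SR) levels named in the steps above, parsed from the text that `java -version` prints. This is an added example, not IBM's own tooling; the layout of the IBM version string, its `(SRnn)` / `(SRnn FPm)` suffix and the `_26` marker for Java 6.0.1 build ids are assumptions, and the sample outputs are constructed.

```python
import re

# Minimum IBM Java service refresh (SR) per Java line, as named in this
# bulletin's remediation steps for the WAS Java SDK.
MIN_SR = {"6": 15, "6.0.1": 7, "7": 6}

# Constructed sample `java -version` outputs in the IBM JRE layout
# (assumed format for illustration, not captured from real systems).
SAMPLES = {
    "java6_sr13": (
        'java version "1.6.0"\n'
        "Java(TM) SE Runtime Environment (build pxa6460sr13-20130114_01(SR13))"
    ),
    "java601_sr7": (
        'java version "1.6.0"\n'
        "Java(TM) SE Runtime Environment (build pxa6460_26sr7-20140409_01(SR7))"
    ),
    "java7_sr5fp1": (
        'java version "1.7.0"\n'
        "Java(TM) SE Runtime Environment (build pxa6470sr5fp1-20130628_01(SR5 FP1))"
    ),
}

def parse_ibm_java(output):
    """Return (java_line, sr, fp) from IBM `java -version` text.

    java_line is '6', '6.0.1' or '7'. Assumes the '(SRnn)' or '(SRnn FPm)'
    suffix on the Runtime Environment build line and the '_26' marker
    that Java 6.0.1 (J9 2.6) build ids carry.
    """
    ver = re.search(r'java version "1\.(\d)\.0', output)
    build = re.search(r"\(build (\S+?)\(SR(\d+)(?: FP(\d+))?\)\)", output)
    if not ver or not build:
        raise ValueError("not a recognised IBM java -version output")
    major, build_id = ver.group(1), build.group(1)
    sr, fp = int(build.group(2)), int(build.group(3) or 0)
    if major == "6":
        line = "6.0.1" if "_26" in build_id else "6"
    elif major == "7":
        line = "7"
    else:
        raise ValueError("unexpected Java major version 1.%s" % major)
    return line, sr, fp

def is_fixed_level(output):
    """True when the SDK is at or above the SR level this bulletin names."""
    line, sr, _fp = parse_ibm_java(output)
    return sr >= MIN_SR[line]
```

Run `<WAS_HOME>/java/bin/java -version` (path assumed) on the server and pass the text it prints to `is_fixed_level`; a fix pack on an older SR (for example SR5 FP1 on Java 7) is still reported as below the required level.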

Workarounds and Mitigations

None

References

Acknowledgement

None

Change History

* 25 March 2014: Added steps to install the updated Cognos security patches.
* 20 March 2014: Restored instructions to download Cognos security patches.
* 6 March 2014: Temporarily removed Cognos security patch due to defect.
* 28 February 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Rational Reporting for Development Intelligence, Report Server
Software version: 1.0.2, 2.0, 2.0.1, 2.0.3, 2.0.4, 2.0.5, 2.0.6
Operating system(s): AIX, Linux, Windows
Reference #: 1664389
Modified date: 2014-03-25