Security Bulletin: Rational Insight - Oracle CPU October 2013 (CVE-2013-5802, CVE-2013-5825)

Security Bulletin


Summary

Multiple security vulnerabilities exist in the IBM JRE that is shipped with Rational Insight. The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS).

Vulnerability Details


The IBM JRE installed with Rational Insight is based on the Oracle JRE, and the IBM Java SDK installed with WAS is based on the Oracle JDK. Oracle has released the Critical Patch Update (CPU) for October 2013, which contains security vulnerability fixes, and the IBM JRE and Java SDK have been updated to incorporate those fixes.

See http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html for the list of security vulnerabilities fixed by the Oracle CPU October 2013.

Note: WAS itself is not vulnerable to all the advisories. However, Rational Insight is vulnerable to the following two advisories:

CVE ID: CVE-2013-5802

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. A malicious user is able to exploit vulnerabilities in the JAXP component to affect the confidentiality, integrity and availability of the Rational Insight report server.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-5825

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. A malicious user is able to exploit vulnerabilities in the JAXP component to affect the availability of the Rational Insight report server.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Rational Insight 1.0.1, 1.0.1 iFix1, 1.0.1.1, 1.1, 1.1.1, 1.1.1.1, 1.1.1.2 and 1.1.1.3

Remediation/Fixes

The recommended solution is to apply the fixes listed below to all affected versions of Rational Insight as soon as practical.

Rational Insight 1.0.1, 1.0.1 iFix1 and 1.0.1.1

  1. Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure.
    Read technote 1664606: Install Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure to resolve security vulnerabilities in RRDI 1.0.2.x and Rational Insight 1.0.1.x - Oracle CPU October 2013 for instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for detailed instructions.


Rational Insight 1.1

  1. Download and install the Cognos Business Intelligence 10.1.1 Interim Fix 5. Read technote 1664618: Install Cognos Business Intelligence 10.1.1 Interim Fix 5 to resolve security vulnerabilities in Rational Insight 1.1 - Oracle CPU October 2013 for detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for detailed instructions.


Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2

  1. Download and install the Cognos Business Intelligence 10.1.1 Interim Fix 5. Read technote 1664614: Install Cognos Business Intelligence 10.1.1 Interim Fix 5 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.


Rational Insight 1.1.1.3

  1. Download and install the Cognos Business Intelligence 10.2.1 Interim Fix 4. Read technote 1664630: Install Cognos Business Intelligence 10.2.1 Interim Fix 4 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.
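Every remediation path above includes upgrading the WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. The following added example (not IBM's code) checks `java -version` output against those minimum service-refresh levels. It assumes, as labelled in the code, that the IBM build tag carries the service refresh as `srNN` and that IBM Java 6.0.1 builds are distinguishable from Java 6 by the `_26` marker before `sr`; the sample outputs are constructed.

```python
import re
import subprocess

# Minimum service refresh per IBM Java family, taken from this bulletin.
MINIMUM_SR = {"6": 15, "6.0.1": 7, "7": 6}

# Constructed sample outputs in the shape of IBM `java -version` text (assumption).
SAMPLE_OLD = 'java version "1.6.0"\nJava(TM) SE Runtime Environment (build pxa6460sr14-20130726_01(SR14))\n'
SAMPLE_OK = 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build pxa6470sr6-20131015_01(SR6))\n'
SAMPLE_601 = 'java version "1.6.0"\nJava(TM) SE Runtime Environment (build pxa6460_26sr7-20131231_01(SR7))\n'


def identify_ibm_java(version_output):
    """Return (family, sr) from `java -version` text, or None if it is not an IBM build we recognise.

    Assumption (not stated in the bulletin): the build tag contains 'srNN', and Java 6.0.1
    (the J9 2.6 build of 1.6.0) is tagged with '_26' immediately before 'sr'.
    """
    ver = re.search(r'java version "1\.(\d)\.0', version_output)
    sr = re.search(r'sr(\d+)', version_output)
    if not ver or not sr:
        return None
    family = ver.group(1)
    if family == "6" and re.search(r'_26sr', version_output):
        family = "6.0.1"
    if family not in MINIMUM_SR:
        return None
    return family, int(sr.group(1))


def meets_bulletin(version_output):
    """True only when the detected family is at or above the SR level this bulletin requires."""
    ident = identify_ibm_java(version_output)
    if ident is None:
        return False          # unknown vendor or family: treat as not verified, not as safe
    family, sr = ident
    return sr >= MINIMUM_SR[family]


def check_installed(java="java"):
    """Run the given java binary; `java -version` writes its banner to stderr."""
    out = subprocess.run([java, "-version"], capture_output=True, text=True).stderr
    return meets_bulletin(out)


if __name__ == "__main__":
    for name, text in [("old 6", SAMPLE_OLD), ("7 SR6", SAMPLE_OK), ("6.0.1 SR7", SAMPLE_601)]:
        print(name, identify_ibm_java(text), "ok" if meets_bulletin(text) else "UPGRADE")
```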

Workarounds and Mitigations

None

References

Related information

Acknowledgement

None

Change History

* 25 March 2014: Added steps to install the updated Cognos security patches.
* 20 March 2014: Restored instructions to download Cognos security patches.
* 6 March 2014: Temporarily removed Cognos security patch due to defect.
* 28 February 2014: Original copy published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for: Rational Insight, General Information

Software version: 1.0.1, 1.0.1.1, 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3

Operating system(s): Linux, Windows

Reference #: 1664391

Modified date: 2014-03-25
