
IBM WebSphere Cast Iron Security Bulletin: Multiple security vulnerabilities in IBM JRE 6

Description

## Abstract

Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Cast Iron in IBM JRE 6.0 SR13FP1 (and earlier).

## Content

**VULNERABILITY DETAILS**

There are multiple security vulnerabilities in the IBM Java Runtime Environment used in WebSphere Cast Iron.

**CVE ID:** CVE-2013-2422
**Description:** An unspecified vulnerability in Oracle Java SE related to Libraries has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83570>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-1491
**Description:** Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83559>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2435
**Description:** An unspecified vulnerability in Oracle Java SE related to Deployment has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83563>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2420
**Description:** An unspecified vulnerability in Oracle Java SE related to 2D has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83560>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2432
**Description:** An unspecified vulnerability in Oracle Java SE related to 2D has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83559>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2012-1569
**Description:** Oracle Java is vulnerable to a stack-based buffer overflow in the fontmanager native component, caused by improper handling of Ligature Substitution subtables embedded within a mort table. A remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83557>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2384
**Description:** A vulnerability in Oracle Java related to the fontmanager native component could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability using an overly large LookupCount sum in a TTF file to execute code with the privileges of a victim user by persuading the victim to open a malicious Web page or file.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83556>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2383
**Description:** A vulnerability in Oracle Java related to the fontmanager component could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability using a Ligature Substitution subtable embedded within a mort table to execute code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83555>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-1557
**Description:** An unspecified vulnerability in Oracle Java SE related to RMI has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83572>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-1537
**Description:** An unspecified vulnerability in Oracle Java SE related to RMI has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83571>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2012-1558
**Description:** An unspecified vulnerability in Oracle Java SE related to Beans has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83561>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2440
**Description:** An unspecified vulnerability in Oracle Java SE related to Deployment has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83562>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-1518
**Description:** An unspecified vulnerability in Oracle Java SE related to JAXP has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 10
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83566>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2429
**Description:** An unspecified vulnerability in Oracle Java SE related to ImageIO has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 7.6
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83578>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2430
**Description:** An unspecified vulnerability in Oracle Java SE related to ImageIO has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 7.6
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83577>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-1563
**Description:** An unspecified vulnerability in Oracle Java SE related to Install has complete confidentiality impact, complete integrity impact, and complete availability impact.
**CVSS Base Score:** 7.6
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83579>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2394
**Description:** A vulnerability in Oracle Java related to the handling of Type1 fonts in t2k.dll could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83576>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-0401
**Description:** An unspecified vulnerability in Oracle Java related to AWT could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim user by persuading the victim to open a malicious Web page or file.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82823>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2424
**Description:** An unspecified vulnerability in Oracle Java SE related to JMX could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
**CVSS Base Score:** 5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83582>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:P/I:N/A:N)

**CVE ID:** CVE-2013-2419
**Description:** Oracle Java SE ActiveX control (deployJava1.dll) could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially-crafted Web page that passes an overly long string argument to the insecure launchApp() method, a remote attacker could exploit this vulnerability to possibly execute arbitrary code on the system or cause a denial of service.
**CVSS Base Score:** 9.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83581>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:C/I:C/A:C)

**CVE ID:** CVE-2013-2417
**Description:** An unspecified vulnerability in Oracle Java SE related to Networking could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
**CVSS Base Score:** 5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83586>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVE ID:** CVE-2013-2418
**Description:** An unspecified vulnerability in Oracle Java SE related to Deployment has partial confidentiality impact, partial integrity impact, and partial availability impact.
**CVSS Base Score:** 4.6
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83587>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:L/AC:L/Au:N/C:P/I:P/A:P)

**CVE ID:** CVE-2013-1540
**Description:** An unspecified vulnerability in Oracle Java SE related to Deployment has no confidentiality impact, partial integrity impact, and no availability impact.
**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83590>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:N/I:P/A:

**CVE ID:** CVE-2013-2433
**Description:** An unspecified vulnerability in Oracle Java SE related to Deployment has no confidentiality impact, partial integrity impact, and no availability impact.
**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83589>
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:N/I:P/A:N)

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

**AFFECTED PLATFORMS:**

IBM WebSphere Cast Iron v6.0, v6.1, v6.3 and v6.4 Studio, Virtual Appliance and Physical Appliance.
IBM WebSphere Cast Iron v6.1 and v6.3 Live SaaS offering.

**WORKAROUND:** None available; apply the fix detailed below.

**REMEDIATION:** Apply the fix detailed below.

**FIX**

For WebSphere Cast Iron version v6.0: Upgrade to the v6.1.0.15 interim fix or upgrade to v6.3.0.1/v6.4.0.1 by applying the relevant interim fix.
For WebSphere Cast Iron version v6.1: Upgrade to the v6.1.0.15 interim fix or upgrade to v6.3.0.1/v6.4.0.1 by applying the relevant interim fix.
For IBM WebSphere Cast Iron v6.3: Apply the v6.3.0.1 or v6.4.0.1 interim fix.
For IBM WebSphere Cast Iron v6.4: Apply the v6.4.0.1 interim fix.
The WebSphere Cast Iron V6.1 interim fix can be obtained via this [link](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.1.0.15&platform=All&function=fixId&fixids=6.1.0.15-WS-WCI-20130523-1619_H4-CUMIFIX-001.scrypt2,6.1.0.15-WS-WCI-20130523-1619_H4-CUMIFIX-001.vcrypt2,6.1.0.15-WS-WCI-20130523-1609_H2-CUMIFIX-001.studio&includeSupersedes=0>).

The WebSphere Cast Iron V6.3 interim fix can be obtained via this [link](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.3.0.1&platform=All&function=fixId&fixids=6.3.0.1-WS-WCI-20130613-1203_H5-CUMIFIX-007.vcrypt2,6.3.0.1-WS-WCI-20130613-1203_H5-CUMIFIX-007.scrypt2,6.3.0.1-WS-WCI-20130613-1203_H3-CUMIFIX-007.studio&includeSupersedes=0>).

The WebSphere Cast Iron V6.4 interim fix can be obtained via this [link](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.4.0.1&platform=All&function=fixId&fixids=6.4.0.1-WS-WCI-20130909-1205_H4-CUMUIFIX-001.studio,6.4.0.1-WS-WCI-20130909-1204_H6-CUMUIFIX-001.vcrypt2,6.4.0.1-WS-WCI-20130909-1204_H6-CUMUIFIX-001.scrypt2&includeSupersedes=0>).

SaaS offering (WebSphere Cast Iron Live v6.1 and v6.3): Customers still on the v6.1 SaaS offering can request from the WebSphere Cast Iron cloud operations team that their tenant is migrated to the Cast Iron v6.3 Live offering. The WebSphere Cast Iron V6.3 SaaS offering is scheduled to be updated during July 2013's maintenance window to address the IBM Java 6 Security Vulnerability.
APAR LI77479 is targeted for availability in IBM WebSphere Cast Iron v6.1.0.16, v6.3.0.2 and v6.4.0.2 fix packs.

**MITIGATION:** None known

**REFERENCES:**

Complete CVSS Guide (<http://www.first.org/cvss/v2/guide>)
CVE-2013-2422 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422>)
CVE-2013-1491 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1491>)
CVE-2013-2435 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2435>)
CVE-2013-2420 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420>)
CVE-2013-2432 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432>)
CVE-2013-1569 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569>)
CVE-2013-2384 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384>)
CVE-2013-2383 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383>)
CVE-2013-1557 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557>)
CVE-2013-1537 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537>)
CVE-2013-1558 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558>)
CVE-2013-2440 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2440>)
CVE-2013-1518 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518>)
CVE-2013-2429 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429>)
CVE-2013-2430 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430>)
CVE-2013-1563 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1563>)
CVE-2013-2394 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2394>)
CVE-2013-0401 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401>)
CVE-2013-2424 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424>)
CVE-2013-2419 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419>)
CVE-2013-2417 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417>)
CVE-2013-2418 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2418>)
CVE-2013-1540 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1540>)
CVE-2013-2433 (<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2433>)

**CHANGE HISTORY:**

2013/06/28: Original Copy Published

_Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._

