Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU February 2012, June 2012

Summary

Multiple security vulnerabilities exist in the IBM Java SDK that is shipped with IBM Tivoli Storage Productivity Center.

Vulnerability Details

IBM Tivoli Storage Productivity Center 4.x is shipped with an IBM Java SDK that is based on the Oracle JDK. Oracle released February 2012 and April 2012 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java SDK has been updated to incorporate those fixes.

Vulnerability Details
Oracle February 2012 CPU
CVE-2012-0502
CVSS Base Score: 6.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73193&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0503
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73191&gt;
CVSS Environmental Score*: Undefined
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-0506
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73196&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2011-3563
CVSS Base Score: 6.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73194&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVE-2012-0499
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73187&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2012-0505
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/73192&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Oracle June 2012 CPU
CVE-2012-1717
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/76251&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVE-2012-1713
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/76239&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2012-1718
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/76249&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2012-1719
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/76247&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.145
Tivoli Storage Productivity Center 4.1.x

**Note:**Tivoli Storage Productivity Center 5.x is not affected.

**REMEDIATION: **All of these steps are required to resolve the security vulnerabilities.

1. Apply the Tivoli Storage Productivity Center fix pack as soon as practical. (See Latest Downloads.)
   Affected TPC Version|APAR|Fixed TPC Version|Target Availability
   —|—|—|—
   4.2.x
   4.1.x| IC93514| 4.2.2.170 (FP4)| June 2013
2. Apply embedded WebSphere Application Server fix pack 6.1.0.45 to Tivoli Storage Productivity Center for Replication 4.2.2.4.
3. If you have downloaded and installed an IBM JRE from an older version of Tivoli Storage Productivity Center, you should download it again after applying the fix pack and reinstall the IBM JRE.

Note: If you are updating a System Storage Productivity Center (SSPC) appliance, use the IBM JRE downloaded from your upgraded Tivoli Storage Productivity Center installation, as referenced in step 3, to also update the IBM JRE on that system.

Workaround(s):
None.

Mitigation(s):
None

CHANGE HISTORY
None

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.