CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS Percentile: 96.0%
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server
IBM WebSphere Application Server ships with an IBM SDK for Java that is based on the Oracle JDK. Oracle released its October 2013 Critical Patch Update (CPU), which contains security vulnerability fixes, and the IBM SDK for Java has been updated to incorporate those fixes. The IBM SDK for Java has also been updated to fix security vulnerabilities specific to the IBM SDK for Java.
Vulnerability Details
CVEID: CVE-2013-5780
Description: Potential information disclosure vulnerability in JSSE.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-5372
Description: Potential denial of service vulnerability in XML. This is specific to the IBM SDK for Java.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVEID: CVE-2013-5803
Description: Potential denial of service vulnerability in JSSE.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)
The following CVEs are fixed in the updated SDK, but WebSphere Application Server itself is not vulnerable to them. You will need to evaluate your own application code to determine whether it is exposed. Please refer to the References section for more information on the advisories not applicable to WebSphere Application Server:
CVE-2013-5456
CVE-2013-5457
CVE-2013-5458
CVE-2013-4041
CVE-2013-5375
CVE-2013-5843
CVE-2013-5789
CVE-2013-5830
CVE-2013-5829
CVE-2013-5787
CVE-2013-5788
CVE-2013-5824
CVE-2013-5842
CVE-2013-5782
CVE-2013-5817
CVE-2013-5809
CVE-2013-5814
CVE-2013-5832
CVE-2013-5850
CVE-2013-5838
CVE-2013-5802
CVE-2013-5812
CVE-2013-5804
CVE-2013-5783
CVE-2013-3829
CVE-2013-5823
CVE-2013-5831
CVE-2013-5820
CVE-2013-5819
CVE-2013-5818
CVE-2013-5848
CVE-2013-5776
CVE-2013-5774
CVE-2013-5825
CVE-2013-5840
CVE-2013-5801
CVE-2013-5778
CVE-2013-5851
CVE-2013-5800
CVE-2013-5784
CVE-2013-5849
CVE-2013-5790
CVE-2013-5797
CVE-2013-5772
Versions affected:
Warning:
For mixed cells that contain WebSphere Application Server version 6.0.2 nodes where Java 2 Security is enabled, ensure APAR PM92206 or its circumvention is applied to the Deployment Manager to prevent node synchronization failures. PM92206 has been delivered as an Interim Fix and in WebSphere Application Server Fix Packs 8.5.5.1, 8.0.0.7 and 7.0.0.31.
Solutions:
Upgrade your SDK to an interim fix level as determined below:
For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:
Download and apply the interim fix APARs below, for your appropriate release:
For V8.5.0.0 through 8.5.5.1:
--OR--
For V8.0.0.0 through 8.0.0.7:
--OR--
For V7.0.0.0 through 7.0.0.29:
--OR--
For V6.1.0.0 through 6.1.0.47:
For IBM WebSphere Application Server for i5/OS operating systems:
The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to Java on IBM i for updates on when these fixes will be available.
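The bulletin asks you to bring every node's SDK up to the interim fix level for your release, but in a cell each node carries its own copy of the SDK under app_server_root/java, so the check has to be run per node. The following script is an added example and is not part of the IBM bulletin or any IBM tool: it parses the service refresh (SR) and fix pack (FP) tokens that IBM SDK build ids carry (for example pxa6460sr15fp1-20140110_01) out of `java -version` output and compares them with a required level. The required SR/FP values, the WAS_HOME path and the sample version lines are assumptions supplied for illustration; the real target level comes from the APAR for your release and is not stated on this page.

```shell
#!/bin/sh
# Added example (not IBM code): check that a WebSphere node's IBM SDK for Java is at or
# above a required service refresh (SR) / fix pack (FP) level. The required level is an
# input you take from the interim fix APAR for your release; nothing below hard-codes it.

# Print "<sr> <fp>" for the first IBM SDK build id found in $1, e.g. "15 1" for
# pxa6460sr15fp1-20140110_01. fp is reported as 0 when the id has no fp part.
# Prints nothing and returns 1 when no srN token is present at all.
sdk_level() {
    sr=$(printf '%s\n' "$1" | sed -n 's/.*sr\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$sr" ] || return 1
    fp=$(printf '%s\n' "$1" | sed -n 's/.*sr[0-9][0-9]*fp\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "$sr" "${fp:-0}"
}

# Return 0 when the level found in $1 is >= required SR ($2) and FP ($3), otherwise 1.
# An unparsable string counts as failing, so an unexpected build never passes silently.
sdk_meets_level() {
    level=$(sdk_level "$1") || return 1
    need_sr=$2
    need_fp=$3
    set -- $level
    have_sr=$1
    have_fp=$2
    if [ "$have_sr" -gt "$need_sr" ]; then
        return 0
    fi
    if [ "$have_sr" -eq "$need_sr" ] && [ "$have_fp" -ge "$need_fp" ]; then
        return 0
    fi
    return 1
}

# Live check on this host. WebSphere keeps its SDK under app_server_root/java;
# WAS_HOME is an assumed default install path, override it for your environment.
# Usage: check_installed_sdk <required_sr> <required_fp>
check_installed_sdk() {
    WAS_HOME=${WAS_HOME:-/opt/IBM/WebSphere/AppServer}
    out=$("$WAS_HOME/java/bin/java" -version 2>&1) || {
        echo "cannot run $WAS_HOME/java/bin/java" >&2
        return 2
    }
    if sdk_meets_level "$out" "$1" "$2"; then
        echo "SDK under $WAS_HOME is at or above SR$1 FP$2"
    else
        echo "SDK under $WAS_HOME is BELOW SR$1 FP$2 (found: $(sdk_level "$out" || echo 'no build id'))" >&2
        return 1
    fi
}

# Demo on constructed sample lines (not real IBM output): only the srNfpM token matters.
# SR15 FP1 is a placeholder threshold, not a level taken from the bulletin.
for sample in \
    'Java(TM) SE Runtime Environment (build pxa6460sr15fp1-20140110_01(SR15 FP1))' \
    'Java(TM) SE Runtime Environment (build pxa6460sr14fp2-20130704_01(SR14 FP2))'
do
    if sdk_meets_level "$sample" 15 1; then
        echo "OK      : $sample"
    else
        echo "OUTDATED: $sample"
    fi
done
```

Run `check_installed_sdk <sr> <fp>` on each node of the cell (the Deployment Manager included) rather than only on the one you patched; an SDK that is missing or fails to execute is reported as a distinct error rather than treated as current.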
Important note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Change history
REFERENCES:
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Applies to:
Product: WebSphere Application Server (SSEQTP), Component: Java SDK
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Versions: 8.5, 8.0, 7.0, 6.1
Editions: Base, Developer, Express, Network Deployment
Product: WebSphere Application Server Hypervisor Edition (SSCKBL)