CVSS2 Base Score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
IBM Rational Host On-Demand provides a Java JRE as part of its server package for clients to download and install on client machines. The vulnerabilities are only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser). Server applications such as Host On-Demand server are not vulnerable.
CVE ID: CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008, CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, CVE-2013-2436, CVE-2013-2467, CVE-2013-2466, CVE-2013-2468, CVE-2013-2462, CVE-2013-3743, CVE-2013-2400, CVE-2013-3744, CVE-2013-1571, CVE-2013-2437, CVE-2013-2443, CVE-2013-1500, CVE-2013-2442, CVE-2013-4002
Description: There are a number of vulnerabilities in the IBM Java SDK that affect various components; some of the issues need to be combined in sequence to achieve an exploit. This occurs when the affected JRE is installed as the system JRE.
This advisory is only applicable to client-side Java deployments where untrusted code may be executed (such as Java applets running in a web browser).
The vulnerabilities work by exploiting weaknesses in the internal implementation of various IBM SDK components. Some of the weaknesses need to be combined in sequence to achieve an exploit. All of the issues are only applicable to scenarios in which untrusted code is executed under a security manager. The exploits allow untrusted code to elevate its privileges by modifying or removing the security manager.
The most common vulnerable use case is a JRE running an untrusted Java applet or Java Web Start application. This occurs when the affected JRE is installed as the system JRE.
CVEID: CVE-2013-2436 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83575> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2455 **CVSS Base Score:** 5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84146> CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-3006 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84147> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3007 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84148> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3008 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84149> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3009 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84150> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3010 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84151> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3011 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84152> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3012 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84153> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2467 **CVSS Base Score:** 6.9 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85043> CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2466 **CVSS Base Score:** 10 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85035> CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2468 **CVSS Base Score:** 10 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85034> CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2462 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85037> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-3743 **CVSS Base Score:** 9.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85036> CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-2400 **CVSS Base Score:** 5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85050> CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-3744 **CVSS Base Score:** 5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85051> CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-1571 **CVSS Base Score:** 4.3 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84715> CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-2437 **CVSS Base Score:** 5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85049> CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-2443 **CVSS Base Score:** 5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85054> CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-1500 **CVSS Base Score:** 3.6 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85062> CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)
CVEID: CVE-2013-2442 **CVSS Base Score:** 7.5 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85041> CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2013-4002 **CVSS Base Score:** 7.1 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85260> CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
IBM JRE shipped with Host On-Demand 11.0.0 through 11.0.8.
Upgrade IBM JRE to 1.7 SR5 or later on the client machines or switch to the Oracle JRE.
Review technote 1317268, "How to replace the IBM JRE on the Host On-Demand Server", for more details.
Do not visit untrusted websites while the browser has a vulnerable JRE enabled.