CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
99.7%
Issues disclosed in the Oracle June 2013 Java SE Critical Patch Update, plus 8 additional vulnerabilities.
VULNERABILITY DETAILS:
CVE IDs:
CVE-2013-3006 CVE-2013-3007 CVE-2013-3008 CVE-2013-3009 CVE-2013-3010 CVE-2013-3011 CVE-2013-3012 CVE-2013-4002 CVE-2013-2468 CVE-2013-2469 CVE-2013-2465 CVE-2013-2464 CVE-2013-2463 CVE-2013-2473 CVE-2013-2472 CVE-2013-2471 CVE-2013-2470 CVE-2013-2459 CVE-2013-2466 CVE-2013-2462 CVE-2013-2460 CVE-2013-3743 CVE-2013-2448 CVE-2013-2442 CVE-2013-2407 CVE-2013-2454 CVE-2013-2458 CVE-2013-3744 CVE-2013-2400 CVE-2013-2456 CVE-2013-2453 CVE-2013-2457 CVE-2013-2455 CVE-2013-2412 CVE-2013-2443 CVE-2013-2447 CVE-2013-2437 CVE-2013-2444 CVE-2013-2452 CVE-2013-2446 CVE-2013-2450 CVE-2013-1571 CVE-2013-2449 CVE-2013-2451 CVE-2013-1500
DESCRIPTION:
There are a number of vulnerabilities in the IBM Java SDK that affect various components: CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, and CVE-2013-3012. These vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues need to be combined in sequence to achieve an exploit. The vulnerabilities could occur when untrusted code is executed under a security manager, or when the IBM Java SDK has been associated with a web browser for running applets and Web Start applications.
This bulletin also includes CVE-2013-4002. This is a denial of service vulnerability, which could result in a complete availability impact on the affected system.
This bulletin also covers all applicable CVEs published by Oracle as part of their June 2013 Java SE Critical Patch Update. For more information please refer to Oracle’s June 2013 Java SE CPU Advisory.
CVEID : CVE-2013-3006
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84147_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3007
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84148_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3008
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84149_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3009
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84150_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3010
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84151_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3011
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84152_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3012
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84153_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85260_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVEID : CVE-2013-2468
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85034_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2469
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85032_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2465
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85031_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2464
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85030_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2463
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85029_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2473
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85028_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2472
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85027_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2471
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85026_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2470
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85025_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2459
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85033_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2466
CVSS Base Score: 10.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85035_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2462
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85037_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2460
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85038_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-3743
CVSS Base Score: 9.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85036_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2448
CVSS Base Score: 7.6
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85040_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID : CVE-2013-2442
CVSS Base Score: 7.5
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85041_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID : CVE-2013-2407
CVSS Base Score: 6.4
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85044_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVEID : CVE-2013-2454
CVSS Base Score: 5.8
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85045_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID : CVE-2013-2458
CVSS Base Score: 5.8
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85046_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID : CVE-2013-3744
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85051_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID : CVE-2013-2400
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85050_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID : CVE-2013-2456
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85058_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2453
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85053_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID : CVE-2013-2457
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85052_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID : CVE-2013-2455
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84146_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2412
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85059_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2443
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85054_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2447
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85056_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2437
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85049_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2444
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85047_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID : CVE-2013-2452
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85055_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2446
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85048_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2450
CVSS Base Score: 5.0
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85057_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID : CVE-2013-1571
CVSS Base Score: 4.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/84715_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID : CVE-2013-2449
CVSS Base Score: 4.3
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85060_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID : CVE-2013-2451
CVSS Base Score: 3.7
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85061_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)
CVEID : CVE-2013-1500
CVSS Base Score: 3.6
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/85062_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Java SDK 1.4.2 SR13-FP17 and earlier
IBM Java SDK 5.0 SR16-FP2 and earlier
IBM Java SDK 6 SR13-FP2 and earlier
IBM Java SDK 6.0.1 SR5-FP2 and earlier
IBM Java SDK 7 SR4-FP2 and earlier
For detailed information on which CVEs affect which releases, please refer to the IBM Java Security Alerts page.
REMEDIATION:
IBM Java SDK 1.4.2 SR13-FP18 and later
IBM Java SDK 5.0 SR16-FP3 and later
IBM Java SDK 6 SR14 and later
IBM Java SDK 6.0.1 SR6 and later
IBM Java SDK 7 SR5 and later
IBM Java SDK and JRE releases can be downloaded from
_http://www.ibm.com/developerworks/java/jdk/index.html_
APAR numbers are as follows:
IV44790 (CVE-2013-3006) IX90117(CVE-2013-3007) IV44791(CVE-2013-3008) IX90118(CVE-2013-3009) IX90119(CVE-2013-3010) IV44793(CVE-2013-3011) IV44796(CVE-2013-3012) IV45895(CVE-2013-4002) IV44618(CVE-2013-2468) IV44619(CVE-2013-2469) IV44621(CVE-2013-2465) IV44623(CVE-2013-2464) IV44625(CVE-2013-2463) IV44627(CVE-2013-2473) IV44629(CVE-2013-2472) IV44631(CVE-2013-2471) IV44633(CVE-2013-2470) IV44635(CVE-2013-2459) IV44637(CVE-2013-2466) IV44638(CVE-2013-2462) IV44639(CVE-2013-2460) IV44642(CVE-2013-2448) IV44644(CVE-2013-2442) IV44674(CVE-2013-2407) IV44645(CVE-2013-2454) IV44647(CVE-2013-2458) IV44648(CVE-2013-3744) IV44649(CVE-2013-2400) IV44650(CVE-2013-2456) IV44652(CVE-2013-2453) IV44653(CVE-2013-2457) IV44656(CVE-2013-2455) IV44657(CVE-2013-2412) IV44659(CVE-2013-2443) IV44660(CVE-2013-2447) IV44661(CVE-2013-2437) IV44662(CVE-2013-2444) IV44664(CVE-2013-2452) IX90117(CVE-2013-2446) IV44667(CVE-2013-2450) IV44669(CVE-2013-1571) IV44670(CVE-2013-2449) IV44671(CVE-2013-2451) IV44672 (CVE-2013-1500)
WORKAROUND(S):
None.
MITIGATION(S):
None.
REFERENCES:
ACKNOWLEDGEMENT:
The vulnerabilities described by the following CVEs were reported to IBM by Adam Gowdiak of Security Explorations: CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, and CVE-2013-3012.
CHANGE HISTORY:
None
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note:According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{“Product”:{“code”:“SSNVBF”,“label”:“Runtimes for Java Technology”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“Java SDK”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF012”,“label”:“IBM i”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”},{“code”:“PF035”,“label”:“z/OS”}],“Version”:“7.0;6.0;5.0;1.4.2”,“Edition”:“Java SE”,“Line of Business”:{“code”:“LOB36”,“label”:“IBM Automation”}}]
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | runtimes_for_java_technology | 7.0 | cpe:2.3:a:ibm:runtimes_for_java_technology:7.0:*:*:*:*:*:*:* |
ibm | runtimes_for_java_technology | 6.0 | cpe:2.3:a:ibm:runtimes_for_java_technology:6.0:*:*:*:*:*:*:* |
ibm | runtimes_for_java_technology | 5.0 | cpe:2.3:a:ibm:runtimes_for_java_technology:5.0:*:*:*:*:*:*:* |
ibm | runtimes_for_java_technology | 1.4.2 | cpe:2.3:a:ibm:runtimes_for_java_technology:1.4.2:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
99.7%