Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM® SDK, Java™ Technology Edition

2018-06-17 14:41:11
www.ibm.com

CVSS2 score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

IBM Tivoli Monitoring clients affected by vulnerabilities in IBM® SDK, Java™ Technology Edition, disclosed in the Oracle January 2014 Critical Patch Update.

Vulnerability Details

CVE IDs: CVE-2014-0428 CVE-2014-0422 CVE-2013-5907 CVE-2014-0415 CVE-2014-0410 CVE-2013-5889 CVE-2014-0417 CVE-2014-0387 CVE-2014-0424 CVE-2013-5878 CVE-2014-0373 CVE-2014-0375 CVE-2014-0403 CVE-2014-0423 CVE-2014-0376 CVE-2013-5910 CVE-2013-5884 CVE-2013-5896 CVE-2013-5899 CVE-2014-0416 CVE-2013-5887 CVE-2014-0368 CVE-2013-5888 CVE-2013-5898 CVE-2014-0411

**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their January 2014 Critical Patch Update. For more information please refer to Oracle’s January 2014 CPU Advisory and the X-Force database entries referenced below.

CVEID: CVE-2014-0428
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90325> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0422
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90326> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5907
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90324> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0415
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90323> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0410
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90322> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)

CVEID: CVE-2013-5889
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90328> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0417
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90331> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0387
CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90332> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/C:I/C:A/C)

CVEID: CVE-2014-0424
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90333> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2013-5878
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90335> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2014-0373
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90334> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2014-0375
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90339> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/P:A/N)

CVEID: CVE-2014-0403
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90338> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/P:A/N)

CVEID: CVE-2014-0423
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90340> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/S:C/P:I/N:A/P)

CVEID: CVE-2014-0376
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90350> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5910
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90352> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5884
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90348> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5896
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90347> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)

CVEID: CVE-2013-5899
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90346> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2014-0416
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90349> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)

CVEID: CVE-2013-5887
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90345> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)

CVEID: CVE-2014-0368
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90351> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)

CVEID: CVE-2013-5888
CVSS Base Score: 4.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90354> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/L:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2013-5898
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90356> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/P:I/P:A/N)

CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/H:Au/N:C/P:I/P:A/N)

Affected Products and Versions

IBM Application Manager for Smart Business 1.2.1
IBM Tivoli Foundations Application Manager 1.2
IBM Tivoli Foundations Application Manager 1.1.1

Remediation/Fixes

These vulnerabilities exist where the affected Java Runtime Environment (JRE) is installed on systems running the Tivoli Enterprise Portal Browser client or Java WebStart client. The affected JRE is installed on a system when logging into the IBM Tivoli Enterprise Portal using the Browser client or WebStart client and a JRE at the required level does not exist. The portal provides an option to download the provided JRE to the system.

The fix below provides updated JRE packages for the portal, which can be downloaded by new client systems. Once the fix has been installed on the portal server, the instructions in the README can be used to download the updated JRE from the portal to the portal clients.

| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| 6.X.X-TIV-ITM_JRE_TEP-20140404 | 6.2.0 through 6.3.0 FP2 | IV52806 | http://www.ibm.com/support/docview.wss?uid=swg2403276 |

Installation Instructions

Updating the portal server

1. Back up your TFAM 1.1.1 / IAMSB.

2. Close any open Lotus Foundations Web Console, TEP, TCR and Welcome Page windows.

3. Create a temporary directory and make it the current directory.

    mkdir /home/tfam-appliance_patch/Files/TIV-ITM_JRE_TEP_5.16.05.00
    cd /home/tfam-appliance_patch/Files/TIV-ITM_JRE_TEP_5.16.05.00

4. Download 6.X.X-TIV-ITM_JRE_TEP_5.16.05.00.tar from Fix Central and extract it to the temporary directory.

    tar -xf 6.X.X-TIV-ITM_JRE_TEP_5.16.05.00.tar

5. Enter the NVS via the “nvs” command and select “IBM Application Manager for Smart Business” or “IBM Tivoli Foundations Application Manager 1.2”.

6. Shut down TFAM / IAMSB.

    /images/setupScripts/TFAM_shutdown.sh

7. Switch to the patch directory and apply the patch.

    cd /opt/patch/TIV-ITM_JRE_TEP_5.16.05.00
    ./jreupdate.sh -h /opt/IBM/ITM

8. Start TFAM / IAMSB.

    /images/setupScripts/TFAM_startup.sh

Updating the portal clients

After the portal server is updated, each portal client has to be updated.

Windows Platform

1. Click “Start->Run…”, open “appwiz.cpl”, and click “OK”
2. Find the entry for IBM Runtime Environment for Java, select it, and click “Uninstall” or “Remove” (depending on Windows version).
3. Log back into the portal client using your web browser. You will be prompted to download and install the new JRE from the portal server.
4. Restart the portal client.

Linux Platform

1. Find the full name of the currently installed package:

    rpm -qa | grep "^ibm-java"

2. Uninstall using the full package name from step 1:

    rpm -ev OLD_PACKAGE_NAME

3. Log back into the portal client using your web browser. You will be prompted to download and install the new JRE from the portal server.

4. Install the package using the full name from step 3:

    rpm -ivh NEW_PACKAGE_NAME

5. Restart the portal client.

Additional installation information

You can verify the new JRE level on the TFAM / IAMSB using the cinfo -t jr command:
tfamindia01:~ # /opt/IBM/ITM/bin/cinfo -t jr

*********** Mon May 12 16:32:03 IST 2014******************
User: root Groups: root
Host name : tfamindia01 Installer Lvl:06.22.09.00
CandleHome: /opt/IBM/ITM
Version Format: VV.RM.FF.II (V: Version; R: Release; M: Modification; F: Fix; I: Interim Fix)


…Product inventory

PC PRODUCT DESC PLAT VER BUILD INSTALL DATE
jr Tivoli Enterprise-supplied JRE li6263 05.12.01.00 d2115a

PC APPLICATION SUPPORT DESC PLAT APP VER BUILD INSTALL DATE
jr Tivoli Enterprise-supplied JRE tpj 05.16.05.00 201403041716
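
The check above can be scripted so that a portal server left at an older JRE level is flagged automatically. The following is an added example, not part of the IBM bulletin: the function names are hypothetical, the required level 05.16.05.00 is taken from the fix package name, and it assumes the updated level appears on the tpj row as in the sample output.

```shell
#!/bin/sh
# jre_level PLAT: read `cinfo -t jr` output on stdin and print the version
# of the "jr" row whose platform column equals PLAT (e.g. tpj, li6263).
jre_level() {
    awk -v plat="$1" '
        $1 == "jr" {
            # The description spans several words, so find VER by its
            # VV.RM.FF.II shape; PLAT is the field just before it.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ &&
                    $(i-1) == plat) { print $i; exit }
        }'
}

# version_ge A B: succeed when dotted version A >= B, field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_jre PLAT REQUIRED: 0 = at or above REQUIRED, 1 = below, 2 = no row.
check_jre() {
    level=$(jre_level "$1")
    [ -n "$level" ] || { echo "no jr row for platform $1" >&2; return 2; }
    if version_ge "$level" "$2"; then
        echo "OK $1 $level"
    else
        echo "OUTDATED $1 $level (need $2)"
        return 1
    fi
}

# Constructed sample: the two inventory rows from the output shown above.
SAMPLE='jr Tivoli Enterprise-supplied JRE li6263 05.12.01.00 d2115a
jr Tivoli Enterprise-supplied JRE tpj 05.16.05.00 201403041716'

printf '%s\n' "$SAMPLE" | check_jre tpj 05.16.05.00
```

On a live system, replace the sample with `/opt/IBM/ITM/bin/cinfo -t jr | check_jre tpj 05.16.05.00` and alert on a non-zero exit status.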

Known problems and workarounds

If you update the portal server with a new fix pack, the JRE files are replaced by the content of the fix pack. You may need to re-apply this package to restore the JRE files.

If you install IBM JRE version 5 for the portal client, the Tivoli Enterprise Portal Java Web Start client version 6.20.xx.xx and 6.21.xx.xx may fail to launch. Use the Tivoli Enterprise Portal browser client with these versions.

When the Java Web Start client is started, it may hang with an empty window. This problem can be bypassed by enabling Java’s “Show Console” option in the Java Control Panel.

Windows: <http://java.com/en/download/help/javaconsole.xml>
Linux: <http://java.com/en/download/help/enable_console_linux.xml>
