Security Bulletin: IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor is potentially affected by vulnerabilities in IBM Java SDK/JRE

2022-09-25 21:06:56
www.ibm.com
CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Abstract

Multiple security vulnerabilities exist in the IBM Java SDK/JREs that are shipped with the IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor product.

Content

VULNERABILITY DETAILS:

DESCRIPTION:
The IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor product ships with IBM Java SDK/JREs. The IBM Java SDK/JREs are based on the Oracle version of the SDK/JRE. In February 2013, Oracle released critical patch updates (CPU) that contain security vulnerability fixes. These issues are present in the IBM JDK/JREs that are shipped with the System Monitor product.

CVEID: CVE-2013-0440
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81799 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:
The following versions of the System Monitor product are potentially affected:

IBM FileNet System Monitor v4.5.0
IBM Enterprise Content Management System Monitor v5.1.0

REMEDIATION:

For IBM FileNet System Monitor v4.5.0:

Upgrade to the platform-specific version of the IBM SDK/JRE that is available in IBM FileNet System Monitor v4.5.0 Fix Pack 3.

For IBM Enterprise Content Management System Monitor v5.1.0:

Upgrade to the platform-specific version of the IBM SDK/JRE that is available in IBM Enterprise Content Management System Monitor v5.1.0 Fix Pack 1.

If you need further assistance, please contact IBM Support.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-0440
· CVE-2013-0169
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
· X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
· Security Bulletin: WAS - Oracle CPU Feb 2013
· Updated Release of Oracle Java SE CPU Advisory Feb 2013

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY
12 July, 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
