Jun 16, 2018 - 7:34 p.m.

Security Bulletin: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802 CVE-2013-4002 CVE-2013-5825 CVE-2013-5372 CVE-2013-0599 CVE-2013-0464 CVE-2013-0467 CVE-2013-2962 CVE-2013-2415)

2018-06-16 19:34:52
www.ibm.com

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

WebSphere Transformation Extender products are affected by multiple security vulnerabilities that exist in Oracle JRE and IBM Eclipse Help System. Additionally, WTX Launcher is vulnerable to a denial of service attack using a buffer overflow.

Vulnerability Details

WebSphere Transformation Extender is affected by the following unspecified vulnerabilities, which could allow an attacker to exploit some JRE vulnerabilities. WebSphere Transformation Extender includes an IBM Java Runtime Environment (JRE) that is based on the Oracle JRE. Oracle has released critical patch updates (CPU) which contain security vulnerability fixes. The IBM JRE has been updated to incorporate these fixes, as well as fixes for security vulnerabilities specific to the IBM JRE. See Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition for details.

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-5372
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-2415
Description: Temporary files may be read by users other than the user that launched the JVM.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83592
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products:

  • WebSphere Transformation Extender Design Studio
  • WebSphere Transformation Extender with Command Server
  • WebSphere Transformation Extender for Integration Servers
  • WebSphere Transformation Extender for Application Programming
  • WebSphere Transformation Extender with Launcher
  • WebSphere Transformation Extender with Launcher Hypervisor Edition
  • WebSphere Transformation Extender with Launcher Hypervisor Edition for AIX

Affected Platforms:

  • AIX
  • HP-UX
  • Linux (including Linux for System z)
  • Solaris
  • Windows

Affected Versions and Remediation/Fixes:

| Version | Remediation |
|---|---|
| 8.3.0.0 - 8.3.0.5 | Download and install 8.3.0.6 from <http://www.ibm.com/software/howtobuy/passportadvantage> |
| 8.4.0.0 - 8.4.0.4 | Download and install the interim fix from <http://www.ibm.com/support/fixcentral> |
| 8.4.1.0 - 8.4.1.1 | Download and install the interim fix from <http://www.ibm.com/support/fixcentral> |

Workarounds/Mitigations:
None.


The following vulnerabilities exist in the IBM Eclipse Help System that is utilized by WebSphere Transformation Extender users on Windows when viewing the product documentation that is shipped with the product:

CVEID: CVE-2013-0599
Description: An unspecified vulnerability in IBM Eclipse Help System related to parameter path crafting could allow a remote attacker to access sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83613 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0464
Description: An unspecified vulnerability in IBM Eclipse Help System related to search could allow a remote attacker to affect confidentiality and integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0467
Description: An unspecified vulnerability in IBM Eclipse Help System related to URL crafting could allow a remote attacker to access unauthorized information.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products:

  • WebSphere Transformation Extender Design Studio
  • WebSphere Transformation Extender with Command Server
  • WebSphere Transformation Extender for Integration Servers
  • WebSphere Transformation Extender for Application Programming
  • WebSphere Transformation Extender with Launcher

Affected Platforms: Windows only

Affected Versions and Remediation/Fixes:

| Version | Remediation |
|---|---|
| 8.3.0.0 - 8.3.0.5 | Download and install 8.3.0.6 from <http://www.ibm.com/software/howtobuy/passportadvantage> |
| 8.4.0.0 - 8.4.0.4 | Download and install the interim fix from <http://www.ibm.com/support/fixcentral> |
| 8.4.1.0 - 8.4.1.1 | Download and install the interim fix from <http://www.ibm.com/support/fixcentral> |

Workarounds/Mitigations:
To avoid using the IBM Eclipse Help System to view documentation shipped with the product, view the WebSphere Transformation Extender documentation online at <http://www.ibm.com/software/integration/wdatastagetx/library/index.html>


WebSphere Transformation Extender Launcher is vulnerable to a denial of service attack whereby a local unauthorized user could crash the Launcher process, or prevent Launcher Admin Console operational commands from reaching the Launcher, by causing a buffer overflow. While this exploit could impact availability of the Launcher, the integrity of the data and the confidentiality of information are not compromised.

CVEID: CVE-2013-2962
CVSS Base Score: 4.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83722> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Affected Products:

  • WebSphere Transformation Extender with Launcher
  • WebSphere Transformation Extender with Launcher Hypervisor Edition

Affected Platforms:

  • AIX
  • HP-UX
  • Linux (including Linux for System z)
  • Solaris
  • Windows

Affected Versions and Remediation/Fixes:

| Version | Remediation |
|---|---|
| 8.4.0.0 - 8.4.0.3 | Download and install 8.4.0.4 from <http://www.ibm.com/software/howtobuy/passportadvantage> |

Workarounds/Mitigations:
None.
