Multiple security vulnerabilities exist in the IBM Java SDK shipped with IBM WebSphere Application Server that affect IBM InfoSphere Master Data Management versions 10.0.0, 10.1.0, and 11.0.0.
VULNERABILITY DETAILS:
CVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81801>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the “Lucky Thirteen” issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM InfoSphere Master Data Management Reference Data Management Hub versions 10.0.0.0, 10.1.0.0, 11.0.0.0
REMEDIATION:
· For IBM InfoSphere Master Data Management Reference Data Management Hub version v10.0.0 using IBM WebSphere Application Server V7.0.0.0 through 7.0.0.27:
o Apply Interim Fix PM80757: This will upgrade your system to SDK 6 SR13 +IV36426+IV37419+IV37656+IV38029
· For IBM InfoSphere Master Data Management Reference Data Management Hub version v10.1.0 using IBM WebSphere Application Server V8.0.0.0 through 8.0.0.5:
o Apply Interim Fix PM80758: This will upgrade your system to SDK 6 (J9 2.6) SR5 +IV36426+IV37419+IV37656+IV38029
· For IBM InfoSphere Master Data Management Reference Data Management Hub version v11.0.0.0 using IBM WebSphere Application Server V8.5.0.2:
o Apply Interim Fix PM86919: This will upgrade your system to SDK 6 (J9 2.6) SR5 +IV36426+IV37419+IV37656+IV38029
VENDOR FIX(ES):
Fix* | VRMF | TDS Remote Code Vulnerability APAR | Download URL |
---|---|---|---|
7.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80757 | 7.0.0.0 | PM80757 | <http://www-01.ibm.com/support/docview.wss?uid=swg24034443> |
8.0.0.0-WS-WASJavaSDK-<Platform>-IFPM80758 | 8.0.0.0 | PM80758 | <http://www-01.ibm.com/support/docview.wss?uid=swg24034447> |
8.5.0.0-WS-WASJavaSDK-<Platform>-IFPM86919 | 8.5.0.0 | PM86919 | <http://www-01.ibm.com/support/docview.wss?uid=swg24034798> |
WORKAROUND(S):
· None known, apply fixes
MITIGATION(S):
· None known
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2013-0440, <https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>
· CVE-2013-0443, <https://exchange.xforce.ibmcloud.com/vulnerabilities/81801>
· CVE-2013-0169, <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>