History: Jun 15, 2018 - 6:59 a.m.

Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server Community 3.0.0.4 October 2013 CPU (CVE-2013-5802,CVE-2013-5825)

2018-06-15 06:59:08
www.ibm.com
EPSS: 0.1 (Percentile: 94.9%)

Summary

Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server Community 3.0.0.4.

Vulnerability Details

**CVE ID:** CVE-2013-5802
**DESCRIPTION:** Potential denial of service vulnerability in JRE via malformed XML data.
**CVSS Base Score:** 7.5
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV/N:AC/L:Au/N:C/P:I/P:A/P)

**CVE ID:** CVE-2013-5825
**DESCRIPTION:** Malicious XML data can cause DoS conditions in a variety of different ways. This fix adds properties to the JAXP implementation to help prevent such attacks.
**CVSS Base Score:** 5
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV/N:AC/L:Au/N:C/N:I/N:A/P)

Affected Products and Versions

WebSphere Application Server Community Edition 3.0.0.4

Workarounds and Mitigations

Upgrade your IBM SDK for Java to an interim fix level as determined below:
IBM SDK 6.0:
Please upgrade your SDK to IBM SDK 6 SR15 or later.
IBM SDK 7.0:
Please upgrade your SDK to IBM SDK 7 SR6 or later.

Upgrade your Oracle SDK as determined below:
Oracle SDK 1.6:
Please upgrade your SDK to Oracle SDK 1.6.0_65.
Oracle SDK 1.7:
Please upgrade your SDK to Oracle SDK 1.7.0_45.
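
The CVE-2013-5825 description refers to JAXP properties that bound what untrusted XML can make the parser do. The following is an added example, not code from IBM's bulletin, showing how an application on an upgraded SDK can configure a `DocumentBuilderFactory` defensively and confirm that the limit is enforced. Assumptions: the property name `jdk.xml.entityExpansionLimit` is the Oracle/OpenJDK JAXP name (the bulletin does not name the properties, and the IBM SDK may use different ones), and the class name, limit value and sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class JaxpLimitsDemo {
    // Constructed sample: a harmless document that references one small
    // internal entity eight times, enough to cross the low limit set in main().
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY a \"x\">]>"
        + "<r>&a;&a;&a;&a;&a;&a;&a;&a;</r>";

    // Build a parser with secure processing enabled. When allowDoctype is
    // false, any DOCTYPE declaration is refused outright, which is the
    // stricter choice for input that never needs a DTD.
    static DocumentBuilder hardenedBuilder(boolean allowDoctype) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl",
                     !allowDoctype);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parse the sample and report whether the parser accepted or refused it.
    static String tryParse(DocumentBuilder b) throws IOException {
        try {
            b.parse(new ByteArrayInputStream(
                SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "accepted";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed Oracle/OpenJDK property name; set it before creating the
        // factory. The value 5 is deliberately tiny so the sample exceeds it.
        System.setProperty("jdk.xml.entityExpansionLimit", "5");
        System.out.println("DOCTYPE allowed, expansion limit 5: "
            + tryParse(hardenedBuilder(true)));
        System.out.println("DOCTYPE disallowed:                 "
            + tryParse(hardenedBuilder(false)));
    }
}
```

In production the limit would normally stay at the runtime's default rather than 5; the low value here only makes the enforcement visible with a small, benign input.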