IBM Support

Security Bulletin: TADDM 7.2.1.4: Vulnerabilities in embedded JRE.

Flashes (Alerts)


Abstract

Multiple security vulnerabilities exist in the Java Runtime Environments (JREs) IBM JRE 5.0 Service Release 16 or earlier, and non-IBM Java 5.0 or earlier, that can affect the security of IBM Tivoli Application Dependency Discovery Manager.

Content

VULNERABILITY DETAILS:


CVEID: CVE-2013-1478
Description:
An attacker can create a malicious java.awt.image.Raster object which allows memory values to be manipulated. On client deployments, this potentially allows an attacker to remove the security manager under certain circumstances. On server deployments the risks are less clear, but inducing memory corruption and a crash (i.e. a DoS) would seem to be the least an attacker could achieve.

The fix adds appropriate checks to the code involved, to verify the integrity of the Raster object.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0445
Description:
Certain system generated events bypass the AWT event queue mechanism so that the user's AccessControlContext is not used. This allows malicious code to chain together methods from trusted code and create an exploit.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81756
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1480
Description:
An attacker can create a malicious java.awt.image.Raster object which allows memory values to be manipulated. On client deployments, this potentially allows an attacker to remove the security manager under certain circumstances. On server deployments the risks are less clear, but inducing memory corruption and a crash (i.e. a DoS) would seem to be the least an attacker could achieve.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81757
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1475
Description:
ObjectStreamClass uses a Hashtable to cache information about the layout of fields declared in an incompatible class. For serialization, classes can explicitly declare which fields take part in this process by declaring serialPersistentFields appropriately.

If two different classes use the same reference for the value of their serialPersistentFields, the layout of the fields stored in the cache will be the same for both classes, regardless of type compatibility. An attacker can misuse this scenario in a type confusion attack.

The fix improves the implementation of the cache to prevent collisions between types.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81759
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1476
Description:
Modification/removal of CORBA serialization classes which were used to assist in achieving a full exploit in conjunction with CR 8000540. The changes will prevent future attacks from using a similar strategy.

The main fix is to restrict access to constructors in sensitive classes.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81760
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0442
Description:
Certain system generated events bypass the AWT event queue mechanism so that the user's AccessControlContext is not used. This allows malicious code to chain together methods from trusted code and create an exploit.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81755
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0450
Description:
The javax.management.modelmbean.RequiredModelMBean class can be made to call arbitrary methods, including those in restricted classes, from a privileged callback (method chaining) scenario.

The fix prevents this by ensuring that the relevant code takes the current AccessControlContext into account correctly.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81764
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0425
Description:
The java.util.Logger class is mutable via addHandler(). LogManager.getLogger() and Logger.getLogger() will return the same instance to all AppContexts. This allows a malicious applet to access potentially sensitive logging data from another applet running on the same JVM.

The fix ensures that AppContext boundaries are respected properly by the logging code.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81766
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0426
Description:
Logging Level objects have non-final methods which can be exploited by an attacker to trick a victim applet into running malicious code from another applet via the Logger.

The methods concerned cannot be made final as they are part of the public Java SE API, which cannot be modified in a service release. Instead, the fix adds code to maintain a global list of all known Level objects to prevent malicious Level objects being created.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81767
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0428
Description:
Under certain circumstances, code in the java.lang.reflect package fails to check for package access permission.

This allows the creation of reflective Proxies for non-public interfaces that appear to be public, which in turn enables untrusted code to instantiate classes that should be restricted.

The fix ensures that package access is checked correctly.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81768
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1481
Description:
An attacker can reference arbitrary memory addresses due to a flaw in the way that an array index is handled in part of the internal implementation of the javax.sound component.

The fix adds a check to properly handle invalid index values.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81770
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0432
Description:
The java.awt.TestComponent class allows access to the clipboard before subsequently revoking the access if a security check fails.

This brief window potentially enables untrusted code running under a security manager to gain unauthorised access to the contents of the clipboard.

The fix ensures that the permission check is conducted correctly.

CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81788
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-0434
Description:
The same-origin-policy for applets can be bypassed due to a flaw in the JAXP component. If an attacker is on control of the server hosting the applet, they are potentially able to redirect a privileged resource request to an arbitrary URL.

The fix ensures that the same-origin-policy is enforced correctly.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81792
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-0409
Description:
The JMX internal implementation method com.sun.jmx.snmp.SnmpPeer.toString() calls InetAddress.getHostName() to perform a reverse DNS lookup.

This potentially allows an attacker to determine hostnames for machines on the user's network.

The fix removes the call to getHostName(), replacing it with getHostAddress().

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81793
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-0427
Description:
Under certain circumstances, the java.util.concurrent.ThreadPoolExecutor class may incorrectly interrupt non-pooled threads.

This potentially allows an attacker to conduct a DoS on client JVM processes running multiple applets in the browser.

The fix ensures that this cannot happen.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81795
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-0433
Description:
InetAddress instances can be modified during deserialisation, allowing time-of-check-to-time-of-use (TOCTOU) issues through stages of initialisation.

An attacker could potentially exploit this to bypass security checks for sockets.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81797
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-0424
Description:
Part of the RMI component does not validate input data properly. As a result, an attacker can inject Javascript into error messages produced by the internal CGI Handler. This behaviour can potentially be used to facilitate an XSS attack.

The fix prevents the input data from being passed on as-is without validation.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81798
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2013-0440
Description:
The current implementation of the JSSE provider shipped with the JDK allows duplicate handshake messages, which consume considerable resources on the server side.

An attacker can therefore mount an effective DoS by repeatedly sending handshake messages (particularly the ClientHello message).

The fix prevent multiple handshake messages from being processed.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-0443
Description:
Diffie-Hellman key exchange is known to be vulnerable to weak key attacks. A peer's public key needs to be validated according to section 2.1.5 of RFC 2631.

The JDK does not conduct the validation, which means that TLS transactions based on Diffie-Hellman cipher suites are vulnerable to Man-in-the-middle (MITM) attacks.

The fix implements the validation in accordance with the RFC.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)


CVEID: CVE-2013-1486
Description:
An attackers can create an MBeanServer and get a reference to the MBeanInstantiator, which can in turn be used to access restricted classes due to missing permission checks.

The fix makes a number of changes to ensure that this execution path, and others, are protected by several layers of security.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82178
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-1493
Description:
This is the issue that is being actively exploited in the wild.

Untrusted (sandboxed) code can exploit a buffer overflow in the Java 2D Color Management Module (CMM) to gain direct read/write access to arbitrary memory addresses. This capability can be used to overwrite and null the area of memory that contains the reference to the System security manager, thus escalating the untrusted code's privileges. As is usually the case, the in-the-wild exploit uses these privileges to download and install a trojan.

The vulnerability is exploited in a multi-step process which can only be achieved by malicious code running on the target machine.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82514
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0809
Description:
Untrusted (sandboxed) code can exploit a buffer overflow in the AWT image component to gain direct read/write access to arbitrary memory addresses. The testcase / proof of concept we received from Oracle causes a crash, but it seems likely that the security manager could be removed using a strategy similar to that used by the exploit for CVE-2013-1493, or that execution flow could be redirected to an area of memory containing malicious code.

The vulnerability is exploited by extending part of the Java SE API with a special class whose constructor overwrites fields in the parent class with values which will cause a buffer overflow during subsequent processing. This can only be achieved by malicious code running on the target machine.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82515
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)




CVEID: CVE-2013-1491
Description:
An attacker can use a maliciously crafted font to exploit a flaw in the JDK's font parsing code to overwrite memory addresses and cause a crash. On client deployments, the same flaw may allow an attacker to escalate privileges and execute arbitrary code.

The fix adds code to ensure that address offsets are validated correctly

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82820
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2420
Description:
Part of the internal AWT imaging implementation has an integer overflow in its parameter validation code. This potentially allows untrusted code to escalate its privileges.

The fix corrects the relevant code.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83560
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2432
Description:
An attacker can use a maliciously crafted font to exploit a flaw in the JDK's font parsing code to overwrite memory addresses and cause a crash. On client deployments, the same flaw may allow an attacker to escalate privileges and execute arbitrary code, but that has not been proved.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83559
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1569
Description:
An attacker can use a maliciously crafted font to exploit a flaw in the JDK's font parsing code to overwrite memory addresses and cause a crash. On client deployments, the same flaw may allow an attacker to escalate privileges and execute arbitrary code.

The fix makes extensive modifications to the font parser to correct the flaw.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83557
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2384
Description:
An attacker can use a maliciously crafted font to exploit a flaw in the JDK's font parsing code to overwrite memory addresses and cause a crash. On client deployments, the same flaw may allow an attacker to escalate privileges and execute arbitrary code.

The fix makes extensive modifications to the font parser to correct the flaw.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83556
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2383
Description:
An attacker can use a maliciously crafted font to exploit a flaw in the JDK's font parsing code to overwrite memory addresses and cause a crash. On client deployments, the same flaw may allow an attacker to escalate privileges and execute arbitrary code.

The fix makes extensive modifications to the font parser to correct the flaw.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83555
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1557
Description:
The java.rmi.server.LogStream.setDefaultStream() method is used to set the default logging stream for RMI logging. This method can be called by anyone, and the change affects all code running on the JVM. Therefore, a malicious applet may be able to access potentially sensitive logging information from other applets running on the same JVM instance.

The fix adds a permission check to ensure the caller is authorised to set the RMI logging stream.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83572
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1537
Description:
The system property java.rmi.server.useCodebaseOnly is a boolean that governs an aspect of RMI's class loading behavior. Its value is false by default. When false, this property allows one side of an RMI connection to specify a network location from which the other side of the RMI connection should download and execute Java classes.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83571
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-1518
Description:
Mutable statics in the JAXP component can allow untrusted code to escalate its privileges.

The fix makes changes to the JAXP code, and restricts access to sensitive packages for untrusted code running under the default security policy.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83566
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2429
Description:
A use-after-free situation can be created by malicious code, which potentially allows the code to escalate privileges and execute arbitrary code.

CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83578
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2430
Description:
A use-after-free situation can be created by malicious code, which potentially allows the code to escalate privileges and execute arbitrary code.

CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83577
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2394
Description:
An attacker can use a maliciously crafted font to cause a buffer overflow in the JDK's font parsing code and potentially execute arbitrary code.

The fix makes the buffer overflow impossible.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83576
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-0401
Description:
A flaw in the internal AWT implementation allows untrusted code to get references to restricted classes.

The fix ensures that restricted classes are not accessible in this way.

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82823
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2424
Description:
Various issues in the JMX component allow untrusted code to access restricted code and potentially escalate its privileges.

The fix adds permission checks and other measures to prevent the unauthorized access.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83582
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2013-2419
Description:
An attacker can use a maliciously crafted font to trick part of the JDK's font parsing code into accessing an illegal memory address. The result is a JVM crash.

The fix adds the relevant checks to prevent this

CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83581
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-2417
Description:
The checks for illegal states during InetAddress deserialization happen too late, which potentially allows malicious code to create an InetAddress instance with a mutable state. Untrusted applets could leverage this to connect to hosts other than the host they originate from, thus violating the same-origin-policy.

The fix ensures that the illegal state checks occur at the correct time during deserialization of InetAddress objects.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83586
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.4

REMEDIATION:

Fix*VRMFAPARHow to acquire fix
7.2.1-TIV-ITADM-FP00057.2.1.5NoneDownload from fix central
None7.2.0.0NoneUpgrade to 7.2.1.5

Workaround(s):
None

Mitigation(s):
The only solution is to upgrade the TADDM to version 7.2.1.5.
JRE embedded in TADDM should not be used outside the product and never installed as system JRE.

REFERENCES:
· IBM Java security alerts
· X-Force Vulnerability Database
https://exchange.xforce.ibmcloud.com/vulnerabilities/81754
https://exchange.xforce.ibmcloud.com/vulnerabilities/81756
https://exchange.xforce.ibmcloud.com/vulnerabilities/81757
https://exchange.xforce.ibmcloud.com/vulnerabilities/81759
https://exchange.xforce.ibmcloud.com/vulnerabilities/81760
https://exchange.xforce.ibmcloud.com/vulnerabilities/81755
https://exchange.xforce.ibmcloud.com/vulnerabilities/81764
https://exchange.xforce.ibmcloud.com/vulnerabilities/81766
https://exchange.xforce.ibmcloud.com/vulnerabilities/81767
https://exchange.xforce.ibmcloud.com/vulnerabilities/81768
https://exchange.xforce.ibmcloud.com/vulnerabilities/81770
https://exchange.xforce.ibmcloud.com/vulnerabilities/81788
https://exchange.xforce.ibmcloud.com/vulnerabilities/81792
https://exchange.xforce.ibmcloud.com/vulnerabilities/81793
https://exchange.xforce.ibmcloud.com/vulnerabilities/81795
https://exchange.xforce.ibmcloud.com/vulnerabilities/81797
https://exchange.xforce.ibmcloud.com/vulnerabilities/81798
https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
https://exchange.xforce.ibmcloud.com/vulnerabilities/82178
https://exchange.xforce.ibmcloud.com/vulnerabilities/82514
https://exchange.xforce.ibmcloud.com/vulnerabilities/82515
https://exchange.xforce.ibmcloud.com/vulnerabilities/82820
https://exchange.xforce.ibmcloud.com/vulnerabilities/83560
https://exchange.xforce.ibmcloud.com/vulnerabilities/83559
https://exchange.xforce.ibmcloud.com/vulnerabilities/83557
https://exchange.xforce.ibmcloud.com/vulnerabilities/83556
https://exchange.xforce.ibmcloud.com/vulnerabilities/83555
https://exchange.xforce.ibmcloud.com/vulnerabilities/83572
https://exchange.xforce.ibmcloud.com/vulnerabilities/83571
https://exchange.xforce.ibmcloud.com/vulnerabilities/83566
https://exchange.xforce.ibmcloud.com/vulnerabilities/83578
https://exchange.xforce.ibmcloud.com/vulnerabilities/83577
https://exchange.xforce.ibmcloud.com/vulnerabilities/83576
https://exchange.xforce.ibmcloud.com/vulnerabilities/82873
https://exchange.xforce.ibmcloud.com/vulnerabilities/83582
https://exchange.xforce.ibmcloud.com/vulnerabilities/83581
https://exchange.xforce.ibmcloud.com/vulnerabilities/83586

· Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
None

CHANGE HISTORY
9 September 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSPLFC","label":"Tivoli Application Dependency Discovery Manager"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.2.1","Edition":""}]

Document Information

Modified date:
17 June 2018

UID

swg21649318