
Security Bulletin: Rational Insight - Oracle CPU October 2013 (CVE-2013-5802, CVE-2013-5825)

Created by Cheng-Yee Lin on
Published URL:
https://www.ibm.com/support/pages/node/238845

Security Bulletin


Summary

Multiple security vulnerabilities exist in the IBM JRE that is shipped with Rational Insight. The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS).

Vulnerability Details



The IBM JRE installed with Rational Insight is based on the Oracle JRE, and the IBM Java SDK installed with WAS is based on the Oracle JDK. Oracle has released the Critical Patch Update (CPU) for October 2013, which contains security vulnerability fixes, and the IBM JRE and Java SDK have been updated to incorporate those fixes.

See http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html for the list of security vulnerabilities fixed by the Oracle CPU October 2013.

Note: WAS itself is not vulnerable to all of the advisories in that CPU. Rational Insight is affected by the following two advisories:

CVE ID: CVE-2013-5802

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. An attacker can exploit a vulnerability in the JAXP component to affect the confidentiality, integrity and availability of the Rational Insight report server.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-5825

Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component. An attacker can exploit a vulnerability in the JAXP component to affect the availability of the Rational Insight report server.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
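
The two base scores above follow from their vectors under the CVSS v2 base equations. The script below is an added example, not part of the IBM bulletin: it recomputes a CVSS v2 base score from any base vector string using the metric weights published in the CVSS v2 specification, so it can be used to check that a bulletin's vector and its quoted score agree. It handles every CVSS v2 base vector, not only the two on this page.

```shell
#!/bin/sh
# Added example, not part of the bulletin: recompute a CVSS v2 base score from a
# vector string such as "AV:N/AC:L/Au:N/C:P/I:P/A:P", using the CVSS v2 base
# equations and metric weights. Prints the score rounded to one decimal, or
# writes an error to stderr and returns non-zero if the vector is malformed.

cvss2_base_score() {
    # Accept the vector with or without the surrounding parentheses IBM prints.
    vec=$(printf '%s' "$1" | sed 's/^(//; s/)$//')
    printf '%s\n' "$vec" | awk -F/ '
    {
        # Metric weights from the CVSS v2 specification.
        w["AV:L"] = 0.395; w["AV:A"] = 0.646; w["AV:N"] = 1.0
        w["AC:H"] = 0.35;  w["AC:M"] = 0.61;  w["AC:L"] = 0.71
        w["Au:M"] = 0.45;  w["Au:S"] = 0.56;  w["Au:N"] = 0.704
        w["C:N"]  = 0;     w["C:P"]  = 0.275; w["C:C"]  = 0.660
        w["I:N"]  = 0;     w["I:P"]  = 0.275; w["I:C"]  = 0.660
        w["A:N"]  = 0;     w["A:P"]  = 0.275; w["A:C"]  = 0.660
        for (i = 1; i <= NF; i++) {
            if (!($i in w)) { print "invalid metric: " $i > "/dev/stderr"; exit 1 }
            split($i, kv, ":")
            v[kv[1]] = w[$i]
        }
        # All six base metrics must be present.
        n = split("AV AC Au C I A", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in v)) { print "missing metric: " req[i] > "/dev/stderr"; exit 1 }
        impact  = 10.41 * (1 - (1 - v["C"]) * (1 - v["I"]) * (1 - v["A"]))
        exploit = 20 * v["AV"] * v["AC"] * v["Au"]
        # f(Impact) is 0 when there is no impact, otherwise 1.176.
        if (impact == 0) score = 0
        else score = ((0.6 * impact) + (0.4 * exploit) - 1.5) * 1.176
        printf "%.1f\n", score
    }'
}

cvss2_base_score "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"   # 7.5 (CVE-2013-5802)
cvss2_base_score "(AV:N/AC:L/Au:N/C:N/I:N/A:P)"   # 5.0 (CVE-2013-5825)
```

The vector for CVE-2013-5802 (partial impact on all three of confidentiality, integrity and availability, reachable over the network with no authentication) yields 7.5; dropping confidentiality and integrity to none, as in CVE-2013-5825, yields 5.0.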

Affected Products and Versions

Rational Insight 1.0.1, 1.0.1 iFix1, 1.0.1.1, 1.1, 1.1.1, 1.1.1.1, 1.1.1.2 and 1.1.1.3

Remediation/Fixes

The recommended solution is to apply the fixes listed below to all affected versions of Rational Insight as soon as practical.

Rational Insight 1.0.1, 1.0.1 iFix1 and 1.0.1.1

  1. Download and install the Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure.
    Read technote 1664606: Install Cognos 8 Business Intelligence 8.4.1 Interim Fix 4 for Security Exposure to resolve security vulnerabilities in RRDI 1.0.2.x and Rational Insight 1.0.1.x - Oracle CPU October 2013 for instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for detailed instructions.


Rational Insight 1.1

  1. Download and install the Cognos Business Intelligence 10.1.1 Interim Fix 5. Read technote 1664618: Install Cognos Business Intelligence 10.1.1 Interim Fix 5 to resolve security vulnerabilities in Rational Insight 1.1 - Oracle CPU October 2013 for detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for detailed instructions.


Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2

  1. Download and install the Cognos Business Intelligence 10.1.1 Interim Fix 5. Read technote 1664614: Install Cognos Business Intelligence 10.1.1 Interim Fix 5 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.


Rational Insight 1.1.1.3

  1. Download and install the Cognos Business Intelligence 10.2.1 Interim Fix 4. Read technote 1664630: Install Cognos Business Intelligence 10.2.1 Interim Fix 4 to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.

  2. Upgrade your WAS Java SDK to IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6. Read technote 1664395: Upgrade the WebSphere Application Server Java SDK to resolve security vulnerabilities in Rational Reporting for Development Intelligence and Rational Insight - Oracle CPU October 2013 for the detailed instructions.

  3. Download and install the RRDI 2.0.x JRE Patch. Read technote 1664393: Install the RRDI 2.0.x JRE Patch to resolve security vulnerabilities in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x - Oracle CPU October 2013 for the detailed instructions.
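
Each of the procedures above ends with the WAS Java SDK at IBM Java 6 SR15, IBM Java 6.0.1 SR7 or IBM Java 7 SR6 or later. The script below is an added example, not from the bulletin or the technotes it cites: it reads the text that `java -version` prints for the SDK WebSphere runs and reports whether that SDK is at or above the fixed service release. It assumes (the bulletin does not say this) that IBM build ids carry the Java stream as the two digits before `sr` (for example `pxa6460sr15` for Java 6, `pxa6461sr7` for Java 6.0.1, `pxa6470sr6` for Java 7, with the leading letters and `32`/`64` varying by platform); the sample outputs are constructed, not captured from a real host, and the WAS install path in the usage comment is only an example.

```shell
#!/bin/sh
# Added example, not from the bulletin: classify the WAS Java SDK from the text
# that `java -version` prints, against the fixed service-release levels this
# bulletin names (IBM Java 6 SR15, IBM Java 6.0.1 SR7, IBM Java 7 SR6).
# Assumption (not stated in the bulletin): IBM build ids carry the stream as the
# two digits before "sr", e.g. pxa6460sr15 = Java 6, pxa6461sr7 = Java 6.0.1,
# pxa6470sr6 = Java 7; the leading letters and "32"/"64" vary by platform.

# Minimum fixed service release for each IBM Java stream, per the bulletin.
min_sr_for_stream() {
    case "$1" in
        6)     echo 15 ;;
        6.0.1) echo 7 ;;
        7)     echo 6 ;;
        *)     return 1 ;;
    esac
}

# Read `java -version` text on stdin; print "<stream> <sr>" (e.g. "6.0.1 7"),
# or nothing if no IBM build id of the expected shape is present.
parse_ibm_java_version() {
    sed -n 's/.*[a-z][a-z]*[36][0-9]\([67][01]\)sr\([0-9][0-9]*\).*/\1 \2/p' |
    head -n 1 |
    while read -r code sr; do
        case "$code" in
            60) echo "6 $sr" ;;
            61) echo "6.0.1 $sr" ;;
            70) echo "7 $sr" ;;
        esac
    done
}

# Print PATCHED, VULNERABLE (known IBM stream below its fixed SR) or UNKNOWN
# (no recognised IBM build id, e.g. an Oracle HotSpot JRE).
java_sdk_status() {
    parsed=$(printf '%s\n' "$1" | parse_ibm_java_version)
    [ -n "$parsed" ] || { echo UNKNOWN; return 0; }
    stream=${parsed% *}
    sr=${parsed#* }
    min=$(min_sr_for_stream "$stream") || { echo UNKNOWN; return 0; }
    if [ "$sr" -ge "$min" ]; then
        echo "PATCHED $stream SR$sr"
    else
        echo "VULNERABLE $stream SR$sr (need SR$min)"
    fi
}

# Constructed sample outputs in the shape IBM and Oracle JREs print them
# (not captured from a real host).
OLD_JAVA6='java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr14-20130531_01(SR14))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr14-20130531_01 (JIT enabled, AOT enabled)'
FIXED_JAVA7='java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr6-20131015_01(SR6))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 20131013_170620 (JIT enabled, AOT enabled)'
ORACLE_JAVA7='java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)'

java_sdk_status "$OLD_JAVA6"      # VULNERABLE 6 SR14 (need SR15)
java_sdk_status "$FIXED_JAVA7"    # PATCHED 7 SR6
java_sdk_status "$ORACLE_JAVA7"   # UNKNOWN

# On a WAS host, feed it the SDK the server actually runs (example path):
# java_sdk_status "$(/opt/IBM/WebSphere/AppServer/java/bin/java -version 2>&1)"
```

Run it against the `java` under the WebSphere installation rather than whatever is first on `PATH`: the Rational Insight report server runs on the WAS SDK, and a patched system JRE says nothing about it. A result of UNKNOWN means the output did not look like an IBM SDK build id and should be checked by hand.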

Workarounds and Mitigations

None

References


Acknowledgement

None

Change History

* 25 March 2014: Added steps to install the updated Cognos security patches.
* 20 March 2014: Restored instructions to download the Cognos security patches.
* 6 March 2014: Temporarily removed the Cognos security patch due to a defect.
* 28 February 2014: Original copy published.

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSRL5J","label":"Rational Insight"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"1.0.1;1.0.1.1;1.1;1.1.1;1.1.1.1;1.1.1.2;1.1.1.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21664391