IBM Support

Security Bulletin: SmartCloud Orchestrator - Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition (CVE-2013-5802, CVE-2013-5772, CVE-2014-0411)

Created by Shyamala Rajagopalan on
Published URL:
https://www.ibm.com/support/pages/node/509409

Security Bulletin


Summary

IBM SmartCloud Orchestrator is shipped with an IBM SDK that is based on Oracle JDK. Oracle released October 2013 and January 2014 critical patch updates (CPU), which contain security vulnerability fixes. IBM SDK, Java™ Technology Edition, has been updated to include those fixes. The IBM SDK has also been updated to fix security vulnerabilities that are specific to the IBM SDK.

Vulnerability Details

CVEID: CVE-2013-5802
DESCRIPTION: An unspecified vulnerability in the Oracle Java SE, which is related to the JAXP component, has a partial confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-5772
DESCRIPTION: An unspecified vulnerability in the Oracle Java SE, which is related to the jhat component, has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)


CVEID: CVE-2014-0411
DESCRIPTION: An unspecified vulnerability in the Oracle Java SE, which is related to the JSSE component, has a partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

  • IBM SmartCloud Orchestrator V2.3 Fix Pack 1
  • IBM SmartCloud Orchestrator V2.3
  • IBM SmartCloud Orchestrator V2.2 Fix Pack 1
  • IBM SmartCloud Orchestrator V2.2

Remediation/Fixes

The recommended solution is to apply IBM SmartCloud Orchestrator Version 2.3.0 Fix Pack 1 Interim Fix 2 as soon as practical.

Workarounds and Mitigations

None

References

Change History

May 9 first version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21672576