Security Bulletin: IBM Tivoli Directory Integrator can be affected by a vulnerability in IBM Java Runtime Environment (CVE-2012-5081)

Abstract

The JDK’s TLS implementation may not check the TLS vector length as set out in the Internet Engineering Task Force Request For Comments (RFC) 5246. The fix enhances the checking for the vector length.

Content

VULNERABILITY DETAILS:

DESCRIPTION:
The JDK’s TLS implementation may not check the TLS vector length as set out in the latest RFC 5246. This issue is exploitable on server deployments that use JSSE.

A Java program running on Tivoli Directory Integrator uses Java Secure Socket Extensions (JSSE) to establish the Secure Socket Layer (SSL) connection. The vulnerability could occur when the SSL connection is enabled and only solution is to upgrade the JRE.

The attack does not require local network access nor does it require authentication. but some degree of specialized knowledge and techniques are required. An exploit would not impact the confidentiality of information or the integrity of data, however availability of the system could be compromised.

CVEID: CVE-2012-5081
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
TDI v6.1.1 , TDI v7.0, TDI v7.1 and TDIv7.1.1

REMEDIATION:
The following IBM JREs have the fixes for this vulnerability.
6.0.0 SR12
5.0.0 SR15
TDI v6.1.1 and v7.0: Move to JRE 5.0.0 SR 15.
TDI, v7.1 and v7.1.1: Move to JRE 6.0.0 SR 12.

ContactTDI Level 2 support** to upgrade to the above required JREs.**

Workaround(s):
None

Mitigation(s):
None

REFERENCES:
 Complete CVSS Guide
 On-line Calculator V2
 CVE-2012-5081
 https://exchange.xforce.ibmcloud.com/vulnerabilities/79435

RELATED INFORMATION:
_IBM Secure Engineering Web Portal _

ACKNOWLEDGEMENT
None

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SSCQGF”,“label”:“Tivoli Directory Integrator”},“Business Unit”:{“code”:“BU008”,“label”:“Security”},“Component”:“–”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“6.1.1;7.0;7.1;7.1.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB24”,“label”:“Security Software”}}]