Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM26515D82CBE564FD841E30BEDD98666504A91C598E5AD7A19359583F7EA27CC7
HistorySep 25, 2022 - 9:06 p.m.

Security Bulletin: TADDM: Vulnerabilities in embedded JRE

2022-09-2521:06:56
www.ibm.com
15
taddm
jre
vulnerabilities
ibm
java runtime environment
security manager

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.829 High

EPSS

Percentile

98.5%

JSON

Abstract

Multiple security vulnerabilities exist in the Java Runtime Environments (JREs) IBM JRE 5.0 Service Release 15 or earlier, and non-IBM Java 5.0 or earlier, that can affect the security of IBM Tivoli Application Dependency Discovery Manager.

Content

VULNERABILITY DETAILS:
CVEID: CVE-2013-1475 Description:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA.
NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to “IIOP type reuse management” in ObjectStreamClass.java.

CVSS Base Score: 10.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81760&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4820 Description:
Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager; and other products from other vendors such as Red Hat, when running under a security manager, allows remote attackers to gain privileges by modifying or removing the security manager via vectors related to “insecure use of the java.lang.reflect.Method invoke() method.”

CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78765&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4822 Description :
Multiple unspecified vulnerabilities in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager; and other products from other vendors such as Red Hat, allow remote attackers to execute arbitrary code via vectors related to “insecure use [of] multiple methods in the java.lang.class class.”

CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78766&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-3216 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries.

CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79436&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-3143 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JMX.

CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79419&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5073 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79432&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5075 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79431&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5083 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, 1.4.2_38 and earlier, and JavaFX 2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79412&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-1531

Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier; and JavaFX 2.2 and earlier; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVSS Base Score: 10.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79413&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5081 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79435&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-5069 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Concurrency.

CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79428&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5071 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality and integrity, related to JMX.

CVSS Base Score: 6.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79427&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2012-5084 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing.

CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79423&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-5079 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79433&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5089 Description :
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JMX.

CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79422&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.3

REMEDIATION:

_Fix_* VRMF APAR How to acquire fix
7.2.1-TIV-ITADM-FP0004 7.2.1.4 None Download from Fix Central
None 7.2.0.0 None Upgrade to 7.2.1.4

Workaround(s):
None

Mitigation(s):
JRE embedded in TADDM should not be used outside the product and never installed as system JRE.

REFERENCES:

RELATED INFORMATION:
_IBM Secure Engineering Web Portal _

ACKNOWLEDGEMENT
None

CHANGE HISTORY
27 March 2013: Original Copy Published

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SSPLFC”,“label”:“Tivoli Application Dependency Discovery Manager”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“–”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“7.2.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]

Affected configurations

Vulners
Node
ibmtivoli_application_dependency_discovery_managerMatch7.2.1

Related

redhat 9
nessus 43
openvas 36
suse 9
veracode 22
ibm 9
threatpost 1
oraclelinux 3
amazon 2
centos 3
ubuntu 1
nvd 12
cvelist 12
ubuntucve 9
prion 12
cve 12
securityvulns 1
checkpoint_advisories 3
redhat
redhat
(RHSA-2012:1465) Critical: java-1.5.0-ibm security update
2012-11-15 00:00:00
(RHSA-2012:1485) Critical: java-1.4.2-ibm security update
2012-11-22 00:00:00
(RHSA-2012:1466) Critical: java-1.6.0-ibm security update
2012-11-15 00:00:00
nessus
nessus
SUSE SLED10 / SLES10 Security Update : IBM Java 1.5.0 (SUSE-SU-2012:1489-1)
2015-05-20 00:00:00
RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2012:1465) (ROBOT)
2012-11-16 00:00:00
RHEL 5 : java-1.4.2-ibm (RHSA-2012:1485) (ROBOT)
2013-01-24 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2012:1489-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2012:1490-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2012:1595-1)
2021-06-09 00:00:00
suse
suse
Security update for IBM Java 1.5.0 (important)
2012-11-16 21:08:57
Security update for IBM Java 1.6.0 (important)
2012-11-28 21:08:41
Security update for IBM Java 1.4.2 (important)
2012-11-16 21:09:15
veracode
veracode
Memory Corruption
2019-05-02 04:41:04
Privilege Escalation
2019-05-02 04:41:05
Privilege Escalation
2019-05-02 04:41:07
ibm
ibm
Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE excuted under a security manager.
2022-09-25 23:13:40
Security Bulletin: IBM Rational Build Forge Java (CVE-2012-3216, CVE-2012-5077, CVE-2012-5073, CVE-2012-5074, CVE-2012-5083, CVE-2012-5072, CVE-2012-1531, CVE-2012-5081, CVE-2012-5069, CVE-2012-5079, CVE-2012-5088)
2018-06-17 04:45:18
Security Bulletin: Vulnerabilities in Rational Functional Tester versions 8.x due to security vulnerabilities in IBM JRE 7.0 Service Release 2 or earlier, and non-IBM Java 7.0
2019-05-07 13:40:01
threatpost
threatpost
Apple Patches Java Flaws
2012-10-18 13:44:08
oraclelinux
oraclelinux
java-1.6.0-openjdk security update
2012-10-17 00:00:00
java-1.6.0-openjdk security update
2012-10-17 00:00:00
java-1.7.0-openjdk security update
2012-10-17 00:00:00
amazon
amazon
Important: java-1.6.0-openjdk
2012-10-23 10:38:00
Important: java-1.7.0-openjdk
2012-10-23 10:38:00
centos
centos
java security update
2012-10-17 21:21:03
java security update
2012-10-17 21:15:32
java security update
2012-10-17 21:16:08
ubuntu
ubuntu
OpenJDK vulnerabilities
2012-10-26 00:00:00
nvd
nvd
CVE-2012-5073
2012-10-16 21:55:01
CVE-2012-3143
2012-10-16 21:55:01
CVE-2012-5079
2012-10-16 21:55:02
cvelist
cvelist
CVE-2012-5079
2012-10-16 21:29:00
CVE-2012-5089
2012-10-16 21:29:00
CVE-2012-5073
2012-10-16 21:29:00
ubuntucve
ubuntucve
CVE-2012-5073
2012-10-16 00:00:00
CVE-2012-3143
2012-10-16 00:00:00
CVE-2012-5089
2012-10-16 00:00:00
prion
prion
Design/Logic Flaw
2012-10-16 21:55:00
Design/Logic Flaw
2012-10-16 21:55:00
Design/Logic Flaw
2012-10-16 21:55:00
cve
cve
CVE-2012-5073
2012-10-16 21:55:01
CVE-2012-3202
2012-10-17 00:55:02
CVE-2012-5079
2012-10-16 21:55:02
securityvulns
securityvulns
Oracle Java / OpenJDK multiple security vulnerabilities
2012-10-30 00:00:00
checkpoint_advisories
checkpoint_advisories
IBM Java ProxyUtil Sandbox Breach - Ver2 (CVE-2012-4820)
2015-05-18 00:00:00
IBM Java ProxyUtil Sandbox Breach (CVE-2012-4820)
2013-02-20 00:00:00
IBM Java Multiple Packages Sandbox Breach (CVE-2012-4822)
2013-03-13 00:00:00

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.829 High

EPSS

Percentile

98.5%

JSON
Related for 26515D82CBE564FD841E30BEDD98666504A91C598E5AD7A19359583F7EA27CC7
redhat9nessus43openvas36suse9veracode22ibm9threatpost1oraclelinux3amazon2centos3ubuntu1nvd12cvelist12ubuntucve9prion12cve12securityvulns1checkpoint_advisories3