
Security Bulletin: IBM Smart Analytics System 5600 clients affected by vulnerabilities in IBM JRE (CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823)

Source: www.ibm.com (indexed 2022-09-25 23:13:40)

EPSS: 0.829 (High), percentile 98.4%

Abstract

These vulnerabilities are only applicable to Java deployments where untrusted code may be executed (e.g. Java applets running in a web browser).

Content

VULNERABILITY DETAILS

CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823

DESCRIPTION:

The IBM Smart Analytics System 5600 contains a management node that is installed with the Mozilla Firefox browser software that might be configured to use an IBM JAVA SDK for Java Web Start applications. The browser software is configured in this manner to allow the use of the Remote Control features of the IBM Integrated Management Module (IMM) web interface. The browser software is accessible only by authorized users of the IBM Smart Analytics System 5600 system and is used primarily to access web pages that are internal to the system. However, it is possible to use the browser software to access external websites.

There are a number of vulnerabilities in the IBM JAVA SDK versions that affect various components (ORB, XML, and JMX). The vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues need to be combined in sequence to achieve an exploit. This occurs when the affected JRE is installed as the system JRE.

The exploit can occur when a JRE is used to execute untrusted Java applets or Java Web Start applications in a browser.

CVE ID: CVE-2012-4820
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78764 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2012-4821
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2012-4822
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2012-4823
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:

IBM Smart Analytics System 5600 V1
IBM Smart Analytics System 5600 V2

REMEDIATION:
The recommended solution is to install a new IBM Java SDK and to update the Firefox browser configuration to use the new SDK.

1. Log in to the management node and start the Firefox browser software. If the browser software is disabled on the management node, then your system is not exposed to the security vulnerability.

2. Determine which version of the IBM Java SDK is registered in the Firefox browser software to run Java Web Start applications, which should be enabled for the root user. The following steps are for Firefox version 3.5.2, and should be similar for later versions of the Firefox browser software.

a. Click Edit > Preferences.

b. Click the **Application** tab.

c. Identify the JNLP file entry in the **Content Type** column. If there is no **JNLP file** entry, then the Java Web Start application in the Firefox browser is not configured to use the IBM Java SDK, and your system is not exposed to the security vulnerability.

Note: If you do configure the Firefox browser to use the IBM Java SDK for Java Web Start applications at a later point in time, you must complete all steps in this procedure to address the security vulnerability.

d. Click the Action tab. The value in the description field should be **javaws**.

e. Click Application Details.

f. To find the SDK path, identify in the dialog window the line that contains the string **The application is located at**:. The path displayed in the dialog window determines the Java JRE version that is used to run Java Web Start applications such as the one used by the Remote Control feature of the IMM web interface.

3. Download the appropriate updated IBM Java SDK version and transfer it to the management node. The IBM Java SDK downloads are found at the following URL: http://www.ibm.com/developerworks/java/jdk.

| Release SDK Version | Updated SDK Version |
|---|---|
| Java 7 | Java 7 SR3 |
| WRT v3 | WRT v3 SR3 |
| Java 6 | Java 6 SR12 |
| Java 5 | Java 5 SR15 |
| Java 142 | Java 142 SR13 FP14 |

4. Install or update to the new version of the IBM Java SDK.

5. Update the Firefox configuration to use the sdkdir/bin/javaws from the newly installed SDK, where sdkdir represents the installation directory of the IBM Java SDK.
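After step 2f you know which sdkdir Firefox hands JNLP files to; the following helper, added here and not part of the IBM bulletin, reads that SDK's `java -version` banner and compares its service release (SR) against the fixed levels in the table above. It assumes IBM's banner shape (release line in `java version "1.x.y"`, the SR and, for 1.4.2, the fix pack as `srNN`/`fpNN` in the build string); the sample banners are constructed, not captured, and the WRT v3 line is not handled.

```shell
#!/bin/sh
# Added helper, not part of the IBM bulletin: decide whether an IBM SDK's
# "java -version" banner is at or above the service release the bulletin lists.
# Assumes IBM's banner shape: release in 'java version "1.x.y"' and the SR
# (and, for 1.4.2, the fix pack) as 'srNN'/'fpNN' inside the build string.

# Minimum fixed SR per release line, taken from the bulletin's table.
min_sr_for_release() {
    case "$1" in
        1.7) echo 3 ;;
        1.6) echo 12 ;;
        1.5) echo 15 ;;
        1.4) echo 13 ;;   # 1.4.2 also needs FP14, checked in sdk_is_fixed
        *)   echo "" ;;   # WRT v3 and unknown release lines are not handled
    esac
}

banner_release() { printf '%s\n' "$1" | sed -n 's/.*java version "\([0-9]\.[0-9]\).*/\1/p' | head -n 1; }
banner_sr()      { printf '%s\n' "$1" | sed -n 's/.*sr\([0-9][0-9]*\).*/\1/p' | head -n 1; }
banner_fp()      { printf '%s\n' "$1" | sed -n 's/.*fp\([0-9][0-9]*\).*/\1/p' | head -n 1; }

# Returns 0 if the banner is at or above the fixed level, 1 if it is below,
# 2 if the banner cannot be parsed or the release line is not in the table.
sdk_is_fixed() {
    rel=$(banner_release "$1"); sr=$(banner_sr "$1"); need=$(min_sr_for_release "$rel")
    [ -n "$rel" ] && [ -n "$sr" ] && [ -n "$need" ] || return 2
    [ "$sr" -gt "$need" ] && return 0
    [ "$sr" -lt "$need" ] && return 1
    if [ "$rel" = "1.4" ]; then
        fp=$(banner_fp "$1"); [ "${fp:-0}" -ge 14 ]   # same SR: 1.4.2 needs FP14 too
    else
        return 0
    fi
}

# Check the SDK that Firefox's JNLP handler points at (sdkdir from step 2f).
check_sdkdir() { sdk_is_fixed "$("$1/bin/java" -version 2>&1)"; }

# Constructed sample banners (not real output captured from a system).
OLD_JAVA6='java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr11-20120806_01(SR11))'
NEW_JAVA6='java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr12-20121025_01(SR12))'
OLD_JAVA142='java version "1.4.2"
Java(TM) 2 Runtime Environment (build cxia32142sr13fp13-20120328)'
NEW_JAVA142='java version "1.4.2"
Java(TM) 2 Runtime Environment (build cxia32142sr13fp14-20121005)'

if [ -n "$1" ]; then
    if check_sdkdir "$1"; then echo "$1: at or above the fixed SR"; else echo "$1: NOT at the fixed SR"; fi
fi
```

Run it as `sh check_ibm_sdk.sh /path/to/sdkdir` on the management node; a "NOT at the fixed SR" result means steps 3 to 5 still apply.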

WORKAROUND(S):
None.

MITIGATION(S):
None.

REFERENCES:

RELATED INFORMATION:
http://seclists.org/bugtraq/2012/Sep/38

ACKNOWLEDGEMENT:
The vulnerability was reported to IBM by Adam Gowdiak of Security Explorations.

CHANGE HISTORY:
November 13, 2012: Document created.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._


CPE: IBM Smart Analytics System, version eq 9.7
