The SOAP Gateway component of IMS™ Enterprise Suite versions 1.1, 2.1, and 2.2 is affected by multiple vulnerabilities in IBM® Java™ and could allow remote, arbitrary command execution.
VULNERABILITY DETAILS:
**CVE ID:**CVE-2013-0440
DESCRIPTION:
An unspecified vulnerability could allow remote attackers to affect availability via vectors that are related to JSSE.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81799
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**CVE ID:**CVE-2013-0443
DESCRIPTION:
An unspecified vulnerability could allow remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81801
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
**CVE ID:**CVE-2013-0169
DESCRIPTION:
The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, also known as the “Lucky Thirteen” issue.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**CVE ID:**CVE-2013-3003
DESCRIPTION:
The SOAP Gateway component of IMS Enterprise Suite could allow a remote attacker to execute arbitrary commands. SOAP Gateway users are authenticated with OS credentials and a successful exploit requires the user to be authenticated. Any commands executed will be limited by the privileges of the authenticated user.
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84129>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
AFFECTED PRODUCTS:
The SOAP Gateway component of IMS Enterprise Suite versions 1.1, 2.1, and 2.2.
REMEDIATION:
FIX(ES):
_Fix_* | VRMF | Download URL |
---|---|---|
IMS Enterprise Suite SOAP Gateway 1.1 | 1.1.0.6 | |
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite | ||
IMS Enterprise Suite SOAP Gateway 2.1 | 2.1.0.5 | |
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite | ||
IMS Enterprise Suite SOAP Gateway 2.2 | 2.2.0.2 | |
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite |
**Important note:**IBM strongly recommends that all System z® customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
WORKAROUNDS: None.
MITIGATIONS: None.
REFERENCES:
CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003
Complete CVSS Guide (<http://www.first.org/cvss/v2/guide>)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
X-Force® Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81799)
CVE-2013-0440 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440)
X-Force Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81801)
CVE-2013-0443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443)
X-Force Vulnerability Database (https://exchange.xforce.ibmcloud.com/vulnerabilities/81902)
CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169)
X-Force Vulnerability Database (_<https://exchange.xforce.ibmcloud.com/vulnerabilities/84129>_)
CVE-2013-3003 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3003)
RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog** **
CHANGE HISTORY:
June 4, 2013: Initial version.
_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _
_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{“Product”:{“code”:“SSGMWY”,“label”:“IBM IMS Enterprise Suite for z/OS”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:“SOAP Gateway”,“Platform”:[{“code”:“PF035”,“label”:“z/OS”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“1.1;2.1;2.2”,“Edition”:“”,“Line of Business”:{“code”:“LOB35”,“label”:“Mainframe SW”}}]