Security Bulletin: Multiple vulnerabilities exist in the SOAP Gateway component of IMS Enterprise Suite (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003)

Main / Security Bulletin: Multiple vulnerabilities exist in the SOAP Gateway component of IMS Enterprise Suite (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003)

Discription

## Abstract

The SOAP Gateway component of IMS Enterprise Suite versions 1.1, 2.1, and 2.2 is affected by multiple vulnerabilities in IBM® Java and could allow remote, arbitrary command execution.

## Content

**VULNERABILITY DETAILS:**

**CVE ID:** **CVE-2013-0440**

**DESCRIPTION: **
An unspecified vulnerability could allow remote attackers to affect availability via vectors that are related to JSSE.

**CVSS:**
CVSS Base Score: 5
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81799_]()
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVE ID:** **CVE-2013-0443**

**DESCRIPTION: **
An unspecified vulnerability could allow remote attackers to affect confidentiality and integrity via vectors related to JSSE.

**CVSS:**
CVSS Base Score: 4
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81801_]()
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

**CVE ID:** **CVE-2013-0169**

**DESCRIPTION: **
The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, also known as the “Lucky Thirteen” issue.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_]()
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**CVE ID:** **CVE-2013-3003**

**DESCRIPTION: **
The SOAP Gateway component of IMS Enterprise Suite could allow a remote attacker to execute arbitrary commands. SOAP Gateway users are authenticated with OS credentials and a successful exploit requires the user to be authenticated. Any commands executed will be limited by the privileges of the authenticated user.

**CVSS:**
CVSS Base Score: 6.8
CVSS Temporal Score: See
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)

**AFFECTED PRODUCTS:**
The SOAP Gateway component of IMS Enterprise Suite versions 1.1, 2.1, and 2.2.

**REMEDIATION**:

**FIX(ES)**:

**_Fix*_**| **_VRMF_**| **_Download URL_**
—|—|—
_IMS Enterprise Suite SOAP Gateway 1.1_| _1.1.0.6_
| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__]()
_IMS Enterprise Suite SOAP Gateway 2.1_| _2.1.0.5_
| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__]()
_IMS Enterprise Suite SOAP Gateway 2.2_| _2.2.0.2_
| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__]()

**Important note: **IBM strongly recommends that all System z® customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

**WORKAROUNDS**: None.

**MITIGATIONS**: None.

**REFERENCES: **

**CVE-2013-0440, CVE-2013-0443, CVE-2013-0169, CVE-2013-3003**

Complete CVSS Guide ()
On-line Calculator V2 ([__https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2__]())
X-Force® Vulnerability Database ([_https://exchange.xforce.ibmcloud.com/vulnerabilities/81799_]())
CVE-2013-0440 ([__https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440__]())
X-Force Vulnerability Database ([_https://exchange.xforce.ibmcloud.com/vulnerabilities/81801_]())
CVE-2013-0443 ([__https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443__]())
X-Force Vulnerability Database ([_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_]())
CVE-2013-0169 ([__https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169__]())
X-Force Vulnerability Database (__)
CVE-2013-3003 ([__https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3003__]())

**RELATED INFORMATION: **
· [_IBM Secure Engineering Web Portal_]()
· [_IBM Product Security Incident Response Blog_]()** **

**CHANGE HISTORY: **
June 4, 2013: Initial version.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._

[{“Product”:{“code”:”SSGMWY”,”label”:”IBM IMS Enterprise Suite for z/OS”},”Business Unit”:{“code”:”BU058″,”label”:”IBM Infrastructure w/TPS”},”Component”:”SOAP Gateway”,”Platform”:[{“code”:”PF035″,”label”:”z/OS”},{“code”:”PF033″,”label”:”Windows”}],”Version”:”1.1;2.1;2.2″,”Edition”:””,”Line of Business”:{“code”:”LOB35″,”label”:”Mainframe SW”}}]Read More

References

Back to Main

Subscribe for the latest news: