The XML4J parser in IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.7, and 8.0 before 8.0.0.4 and IBM Integration Bus 9.0 before 9.0.0.1 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document that triggers expansion for many entities.

IBM Java 5 SR16-FP4 has been released which fixes lots of bugs and security issues.

More information can be found on :

http://www.ibm.com/developerworks/java/jdk/alerts/

CVEs fixed: CVE-2013-4041, CVE-2013-5375, CVE-2013-5372, CVE-2013-5843, CVE-2013-5830, CVE-2013-5829, CVE-2013-5842, CVE-2013-5782, CVE-2013-5817, CVE-2013-5809, CVE-2013-5814, CVE-2013-5802, CVE-2013-5804, CVE-2013-5783, CVE-2013-3829, CVE-2013-4002, CVE-2013-5774, CVE-2013-5825, CVE-2013-5840, CVE-2013-5801, CVE-2013-5778, CVE-2013-5849, CVE-2013-5790, CVE-2013-5780, CVE-2013-5797, CVE-2013-5803

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite Server 5.4, 5.5 and 5.6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server 5.4, 5.5 and 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets.

Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

Users of Red Hat Network Satellite Server 5.4, 5.5 and 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR15 release. For this update to take effect, Red Hat Network Satellite Server must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.

IBM WebSphere Application Server 8.5 prior to Fix Pack 8.5.5.2 appears to be running on the remote host and is, therefore, potentially affected by the following vulnerabilities :

  - Numerous errors exist related to the included IBM SDK     for Java (based on the Oracle JDK) that could allow     denial of service attacks and information disclosure.
    (CVE-2013-5372, CVE-2013-5780, CVE-2013-5803)

  - User input validation errors exist related to the     Administrative console and the Oauth component that     could allow cross-site scripting attacks.
    (CVE-2013-6725 / PM98132, CVE-2013-6323 / PI04777,     CVE-2013-6738 / PI05661)

  - An error exists due to a failure to properly     handle by web services endpoint requests that     could allow denial of service attacks.
    (CVE-2013-6325 / PM99450, PI08267)

  - An error exists in the included IBM Global Security     Kit related to SSL handling that could allow denial     of service attacks. (CVE-2013-6329 / PI05309)

  - A flaw exists with the 'mod_dav' module that is caused     when tracking the length of CDATA that has leading     white space. A remote attacker with a specially crafted     DAV WRITE request can cause the service to stop     responding. (CVE-2013-6438 / PI09345)

  - An error exists in the included IBM Global Security     Kit related to malformed X.509 certificate chain     handling that could allow denial of service attacks.
    (CVE-2013-6747 / PI09443)

  - An error exists in the included Apache Tomcat version     related to handling 'Content-Type' HTTP headers and     multipart requests such as file uploads that could     allow denial of service attacks. (CVE-2014-0050 /     PI12648, PI12926)

  - An unspecified error exists that could allow file     disclosures to remote unauthenticated attackers.
    (CVE-2014-0823 / PI05324)

  - An unspecified error exists related to the     Administrative console that could allow a security     bypass. (CVE-2014-0857 / PI07808)

  - An error exists related to a web server plugin and     retrying failed POST requests that could allow denial     of service attacks. (CVE-2014-0859 / PI08892)

  - An error exists related to the Proxy and ODR components     that could allow information disclosure. (CVE-2014-0891     / PI09786)

  - An unspecified error exists related to the 'Liberty     Profile' that could allow information disclosure.
    (CVE-2014-0896 / PI10134)

The remote host has a version of IBM Notes (formerly Lotus Notes) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.

The remote host has a version of IBM Domino (formerly Lotus Domino) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.

According to its version, the IBM Domino (formerly IBM Lotus Domino) on the remote host is 9.x prior to 9.0.1 Fix Pack 1 (FP1). It is, therefore, affected by the following vulnerabilities :

  - A stack overflow issue exists due to the insecure     '-z execstack' flag being used during compilation, which     could aid remote attackers in executing arbitrary code.
    Note that this issue only affects installs on 32-bit     hosts running Linux. (CVE-2014-0892)

  - Note that the fixes in the Oracle Java CPUs for     October 2013 and January 2014 are included in the fixed     IBM Java release, which is included in the fixed IBM     Domino release. (CVE-2013-0408, CVE-2013-3829,     CVE-2013-4002, CVE-2013-4041, CVE-2013-5372,     CVE-2013-5375, CVE-2013-5456, CVE-2013-5457,     CVE-2013-5458, CVE-2013-5772, CVE-2013-5774,     CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,     CVE-2013-5782, CVE-2013-5783, CVE-2013-5784,     CVE-2013-5787, CVE-2013-5788, CVE-2013-5789,     CVE-2013-5790, CVE-2013-5797, CVE-2013-5800,     CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,     CVE-2013-5804, CVE-2013-5805, CVE-2013-5806,     CVE-2013-5809, CVE-2013-5812, CVE-2013-5814,     CVE-2013-5817, CVE-2013-5818, CVE-2013-5819,     CVE-2013-5820, CVE-2013-5823, CVE-2013-5824,     CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,     CVE-2013-5831, CVE-2013-5832, CVE-2013-5838,     CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,     CVE-2013-5848, CVE-2013-5849, CVE-2013-5850,     CVE-2013-5851, CVE-2013-5878, CVE-2013-5884,     CVE-2013-5887, CVE-2013-5888, CVE-2013-5889,     CVE-2013-5893, CVE-2013-5896, CVE-2013-5898,     CVE-2013-5899, CVE-2013-5902, CVE-2013-5904,     CVE-2013-5907, CVE-2013-5910, CVE-2014-0368,     CVE-2014-0373, CVE-2014-0375, CVE-2014-0376,     CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,     CVE-2014-0411, CVE-2014-0415, CVE-2014-0416,     CVE-2014-0417, CVE-2014-0418, CVE-2014-0422,     CVE-2014-0423, CVE-2014-0424, CVE-2014-0428,     CVE-2014-0892)

IBM WebSphere Application Server 8.0 before Fix Pack 8 appears to be running on the remote host.  It is, therefore, potentially affected by the following vulnerabilities :

  - A CSRF vulnerability exists in IBM WebSphere Application     Server due to improper validation of portlets in the     Administrative console. (CVE-2013-0460, PM72275)

  - A privilege escalation vulnerability exists on IBM     WebSphere Application Servers using WS-Security that are     configured for XML Digital Signature using trust store.
    (CVE-2013-4053, PM90949, PM91521)

  - An XSS vulnerability exists in IBM WebSphere Application     Server caused by a failure to sanitize user-supplied     input in the UDDI Administrative console.
    (CVE-2013-4052, PM91892)

  - A privilege escalation vulnerability exists in IBM     WebSphere Application Servers that have been migrated     from version 6.1 or later. (CVE-2013-5414, PM92313)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize application HTTP     response data. (CVE-2013-5417, PM93323, PM93944)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize user-supplied input     in the Administrative console. (CVE-2013-5418, PM96477)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize user-supplied input     in the Administrative console. (CVE-2013-6725, PM98132)

  - A denial of service vulnerability exists in IBM     WebSphere Application Server due to a failure to     properly handle requests by a web services endpoint.
    (CVE-2013-6325, PM99450)

  - An information disclosure vulnerability exists in the     IBM SDK for Java that ships with IBM WebSphere     Application Server related to JSSE. (CVE-2013-5780)

  - A denial of service vulnerability exists in the IBM SDK     for Java that ships with IBM WebSphere Application     Server related to XML. (CVE-2013-5372)

  - A denial of service vulnerability exists in the IBM SDK     for Java that ships with IBM WebSphere Application     Server related to JSSE. (CVE-2013-5803)

IBM WebSphere Application Server 7.0 before Fix Pack 31 appears to be running on the remote host.  It is, therefore, potentially affected by the following vulnerabilities :

  - A flaw in the mod_rewrite module of Apache HTTP Server     potentially allows a remote attacker to execute     arbitrary code via HTTP. (CVE-2013-1862, PM87808)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize user-supplied input     in the Administrative console. (CVE-2013-4005, PM88208)

  - A denial of service vulnerability exists when using the     optional mod_dav module. (CVE-2013-1896, PM89996)

  - A denial of service vulnerability exists due the use of     Apache Ant to compress files. (CVE-2012-2098, PM90088)

  - A privilege escalation vulnerability exists on IBM     WebSphere Application Servers using WS-Security that are     configured for XML Digital Signature using trust store.
    (CVE-2013-4053, PM90949, PM91521)

  - An XSS vulnerability exists in IBM WebSphere Application     Server caused by a failure to sanitize user-supplied     input in the UDDI Administrative console.
    (CVE-2013-4052, PM91892)

  - A privilege escalation vulnerability exists in IBM     WebSphere Application Servers that have been migrated     from version 6.1 or later. (CVE-2013-5414, PM92313)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize application HTTP     response data. (CVE-2013-5417, PM93323, PM93944)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize user-supplied input     in the Administrative console. (CVE-2013-5418, PM96477)

  - An XSS vulnerability exists in IBM WebSphere Application     Server due to a failure to sanitize user-supplied input     in the Administrative console. (CVE-2013-6725, PM98132)

  - An information disclosure vulnerability exists in IBM     WebSphere Application Servers configured to use static     file caching using the simpleFileServlet.
    (CVE-2013-6330, PM98624)

  - A denial of service vulnerability exists in IBM     WebSphere Application Server due to a failure to     properly handle requests by a web services endpoint.
    (CVE-2013-6325, PM99450)

  - An information disclosure vulnerability exists in the     IBM SDK for Java that ships with IBM WebSphere     Application Server related to JSSE. (CVE-2013-5780)

  - A denial of service vulnerability exists in the IBM SDK     for Java that ships with IBM WebSphere Application     Server related to XML. (CVE-2013-5372)

  - A denial of service vulnerability exists in the IBM SDK     for Java that ships with IBM WebSphere Application     Server related to JSSE. (CVE-2013-5803)

IBM Java 7 SR6 has been released and fixes lots of bugs and security issues.

More information can be found on:
http://www.ibm.com/developerworks/java/jdk/alerts/

IBM Java 6 SR15 has been released and fixes lots of bugs and security issues.

More information can be found on:
http://www.ibm.com/developerworks/java/jdk/alerts/

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5774, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5814, CVE-2013-5817, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5849)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP4 release. All running instances of IBM Java must be restarted for this update to take effect.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR15 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5456, CVE-2013-5457, CVE-2013-5458, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR6 release. All running instances of IBM Java must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
83601	SUSE SLES10 Security Update : IBM Java 5 (SUSE-SU-2013:1669-1)	Nessus	SuSE Local Security Checks	critical
78984	RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1793)	Nessus	Red Hat Local Security Checks	critical
74235	IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities	Nessus	Web Servers	high
73970	IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities	Nessus	Windows	critical
73969	IBM Domino 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
73968	IBM Domino 9.x < 9.0.1 Fix Pack 1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Misc.	critical
72062	IBM WebSphere Application Server 8.0 < Fix Pack 8 Multiple Vulnerabilities	Nessus	Web Servers	medium
72061	IBM WebSphere Application Server 7.0 < Fix Pack 31 Multiple Vulnerabilities	Nessus	Web Servers	medium
71020	SuSE 11.2 / 11.3 Security Update : IBM Java 7 (SAT Patch Numbers 8565 / 8566)	Nessus	SuSE Local Security Checks	critical
70960	SuSE 11.2 / 11.3 Security Update : IBM Java 6 (SAT Patch Numbers 8549 / 8550)	Nessus	SuSE Local Security Checks	critical
70793	RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:1509)	Nessus	Red Hat Local Security Checks	critical
70792	RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:1508)	Nessus	Red Hat Local Security Checks	critical
70791	RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:1507)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2013-5372

high

Tenable Plugins

critical

critical

high

critical

critical

critical

medium

medium

critical

critical

critical

critical

critical