CVSS3: 3.4 Low
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CVSS2: 10 High
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.975 High (Percentile: 100.0%)
IBM SECURITY ADVISORY
First Issued: Fri Nov 14 15:40:48 CST 2014
The most recent version of this document is available here:
VULNERABILITY SUMMARY
VULNERABILITY: Multiple vulnerabilities in current releases of the IBM® SDK,
Java Technology Edition; issues disclosed in the Oracle October
2014 Critical Patch Update, plus the POODLE SSLv3 vulnerability
and one additional vulnerability.
PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x
SOLUTION: Apply the fix as described below.
THREAT: Various threats, described below.
CVE Numbers: CVE-2014-6513 CVSS=10, CVE-2014-6503 CVSS=9.3, CVE-2014-6532 CVSS=9.3,
CVE-2014-4288 CVSS=7.6, CVE-2014-6493 CVSS=7.6, CVE-2014-6492 CVSS=7.6,
CVE-2014-6458 CVSS=6.9, CVE-2014-6466 CVSS=6.9, CVE-2014-6506 CVSS=6.8,
CVE-2014-6476 CVSS=5, CVE-2014-6515 CVSS=5, CVE-2014-6511 CVSS=5,
CVE-2014-6531 CVSS=4.3, CVE-2014-6512 CVSS=4.3, CVE-2014-6457 CVSS=4,
CVE-2014-6527 CVSS=2.6, CVE-2014-6502 CVSS=2.6, CVE-2014-6558 CVSS=2.6,
CVE-2014-3065 CVSS=6, CVE-2014-3566 CVSS=4.3
Reboot required? NO
Workarounds? NO
===============================================================================
DETAILED INFORMATION
I. DESCRIPTION
This bulletin covers all applicable IBM® Java SDK CVEs published by Oracle as part
of their October 2014 Critical Patch Update. For more information please refer to
Oracle's October 2014 CPU Advisory and the X-Force database entries referenced
below. In addition, issues also disclosed here are the POODLE SSLv3 vulnerability
and one additional vulnerability.
II. CVSS
CVEID: CVE-2014-6513
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97127 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6503
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97129 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6532
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97128 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-4288
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97135 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6493
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97134 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6492
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97133 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6458
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6466
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97136 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6506
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVEID: CVE-2014-6476
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6515
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6511
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6531
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6512
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6457
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-6527
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6502
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6558
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Specific to IBM Java CVE(s):
CVE-ID: CVE-2014-3065
CVSS Base Score: 6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
CVE-ID: CVE-2014-3566
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
III. PLATFORM VULNERABILITY ASSESSMENT
The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than 5.0.0.580
For Java6: Less than 6.0.0.460
For Java7: Less than 7.0.0.135
For Java7 Release 1: Less than 7.1.0.15
Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in AIX user's guide.
Example: lslpp -L | grep -i java
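The following script is an added example, not part of the IBM advisory: it applies the fileset thresholds above to lslpp -L output, comparing VRMF levels field by field as numbers (a plain string comparison would rank 7.1.0.9 above 7.1.0.15). It assumes the AIX fileset names Java5*, Java6*, Java7* and Java71* (with the 64-bit variants such as Java6_64.sdk) and uses a constructed lslpp sample.

```shell
# Added example (not from the IBM advisory): compare installed AIX Java fileset
# levels, as printed by lslpp -L, with the minimum fixed VRMF levels above.
# Assumed fileset names: Java5*, Java6*, Java7*, Java71* (64-bit: Java6_64.sdk etc).

# Minimum fixed level for a fileset name, empty if this advisory does not cover it.
# Java71* must be tested before Java7*, which would otherwise match it too.
fixed_level_for() {
  case "$1" in
    Java5*)  echo 5.0.0.580 ;;
    Java6*)  echo 6.0.0.460 ;;
    Java71*) echo 7.1.0.15 ;;
    Java7*)  echo 7.0.0.135 ;;
    *)       echo "" ;;
  esac
}

# vrmf_lt A B: succeed when VRMF A is numerically below B. A string compare
# would rank 7.1.0.9 above 7.1.0.15, so each dotted field is compared as a number.
vrmf_lt() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 1   # equal: already at the fixed level
}

# check_fileset NAME LEVEL: prints VULNERABLE, FIXED or N/A.
check_fileset() {
  fixed=$(fixed_level_for "$1")
  if [ -z "$fixed" ]; then echo N/A
  elif vrmf_lt "$2" "$fixed"; then echo VULNERABLE
  else echo FIXED
  fi
}

# scan_lslpp: read lslpp -L output on stdin and report every Java fileset.
scan_lslpp() {
  while read -r name level rest; do
    case "$name" in Java*) echo "$name $level $(check_fileset "$name" "$level")" ;; esac
  done
}

# Constructed sample of lslpp -L output; on a real host: lslpp -L | scan_lslpp
printf '%s\n' '  bos.rte.security  7.1.3.15   C  F  Base Security Function' \
  '  Java6.sdk  6.0.0.450  C  F  Java SDK 32-bit' '  Java6_64.sdk  6.0.0.460  C  F  Java SDK 64-bit' \
  '  Java71.sdk  7.1.0.9  C  F  Java SDK 32-bit' | scan_lslpp
```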
IV. FIXES
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x
REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 8 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7 Release 1 Fix Pack 2 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK
To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
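An added example of the verification step above, not part of the IBM advisory: it runs the documented openssl dgst command and shows that a copy of the advisory with one level altered fails the check. A throwaway RSA key pair generated locally stands in for the IBM AIX security public key, and the advisory text is constructed; it assumes the openssl command-line tool is installed.

```shell
# Added example (not from the IBM advisory): run the documented
#   openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
# check and show that an altered advisory fails it. A throwaway RSA key pair
# generated here stands in for the IBM AIX security public key; assumes the
# openssl command-line tool is installed.
set -eu

# verify_advisory PUBKEY SIG ADVISORY: exit 0 only if SIG is a valid signature
# of ADVISORY under PUBKEY (the advisory's own command, output silenced).
verify_advisory() {
  openssl dgst -sha1 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIV="$WORK/priv.pem"; PUB="$WORK/pub.pem"
ADV="$WORK/java_oct2014_advisory.asc"; SIG="$ADV.sig"
TAMPERED="$WORK/tampered.asc"

# Stand-in key pair; the real check uses the key from IBM's web page instead.
openssl genrsa -out "$PRIV" 2048 >/dev/null 2>&1
openssl rsa -in "$PRIV" -pubout -out "$PUB" >/dev/null 2>&1

# Constructed advisory text and its detached signature.
printf 'IBM SECURITY ADVISORY\nFor Java7: Less than 7.0.0.135\n' > "$ADV"
openssl dgst -sha1 -sign "$PRIV" -out "$SIG" "$ADV"

# One digit changed in the fixed level: the signature no longer verifies.
sed 's/7\.0\.0\.135/7.0.0.134/' "$ADV" > "$TAMPERED"

verify_advisory "$PUB" "$SIG" "$ADV"      && echo "original: Verified OK"
verify_advisory "$PUB" "$SIG" "$TAMPERED" || echo "tampered: Verification Failure"
```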
V. WORKAROUNDS
None
VI. CONTACT US
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
VII. REFERENCES:
Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2014-6513: https://vulners.com/cve/CVE-2014-6513
CVE-2014-6503: https://vulners.com/cve/CVE-2014-6503
CVE-2014-6532: https://vulners.com/cve/CVE-2014-6532
CVE-2014-4288: https://vulners.com/cve/CVE-2014-4288
CVE-2014-6493: https://vulners.com/cve/CVE-2014-6493
CVE-2014-6492: https://vulners.com/cve/CVE-2014-6492
CVE-2014-6458: https://vulners.com/cve/CVE-2014-6458
CVE-2014-6466: https://vulners.com/cve/CVE-2014-6466
CVE-2014-6506: https://vulners.com/cve/CVE-2014-6506
CVE-2014-6476: https://vulners.com/cve/CVE-2014-6476
CVE-2014-6515: https://vulners.com/cve/CVE-2014-6515
CVE-2014-6511: https://vulners.com/cve/CVE-2014-6511
CVE-2014-6531: https://vulners.com/cve/CVE-2014-6531
CVE-2014-6512: https://vulners.com/cve/CVE-2014-6512
CVE-2014-6457: https://vulners.com/cve/CVE-2014-6457
CVE-2014-6527: https://vulners.com/cve/CVE-2014-6527
CVE-2014-6502: https://vulners.com/cve/CVE-2014-6502
CVE-2014-6558: https://vulners.com/cve/CVE-2014-6558
CVE-2014-3065: https://vulners.com/cve/CVE-2014-3065
CVE-2014-3566: https://vulners.com/cve/CVE-2014-3566
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.