JAVA_OCT2014_ADVISORY.ASC
Published: Nov 14, 2014 - 3:40 p.m. (2014-11-14 15:40:48)
Source: CentOS Project, aix.software.ibm.com

Multiple vulnerabilities in current releases of the IBM SDK Java Technology Edition; issues in the Oracle October 2014 Critical Patch Update plus the POODLE SSLv3 vulnerability and

CVSS3: 3.4 Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE;
User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW;
Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE;
Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.975 High (Percentile 100.0%)

IBM SECURITY ADVISORY

First Issued: Fri Nov 14 15:40:48 CST 2014

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc

                       VULNERABILITY SUMMARY

VULNERABILITY: Multiple vulnerabilities in current releases of the IBM(R) SDK,
Java Technology Edition; issues disclosed in the Oracle October
2014 Critical Patch Update, plus the POODLE SSLv3 vulnerability
and one additional vulnerability.

PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x

SOLUTION: Apply the fix as described below.

THREAT: Various threats, described below.

CVE Numbers: CVE-2014-6513 CVSS=10, CVE-2014-6503 CVSS=9.3, CVE-2014-6532 CVSS=9.3,
CVE-2014-4288 CVSS=7.6, CVE-2014-6493 CVSS=7.6, CVE-2014-6492 CVSS=7.6,
CVE-2014-6458 CVSS=6.9, CVE-2014-6466 CVSS=6.9, CVE-2014-6506 CVSS=6.8,
CVE-2014-6476 CVSS=5, CVE-2014-6515 CVSS=5, CVE-2014-6511 CVSS=5,
CVE-2014-6531 CVSS=4.3, CVE-2014-6512 CVSS=4.3, CVE-2014-6457 CVSS=4,
CVE-2014-6527 CVSS=2.6, CVE-2014-6502 CVSS=2.6, CVE-2014-6558 CVSS=2.6,
CVE-2014-3065 CVSS=6, CVE-2014-3566 CVSS=4.3

Reboot required? NO
Workarounds? NO

===============================================================================
DETAILED INFORMATION

I. DESCRIPTION

This bulletin covers all applicable IBM(R) Java SDK CVEs published by Oracle as part
of their October 2014 Critical Patch Update. For more information please refer to
Oracle's October 2014 CPU Advisory and the X-Force database entries referenced
below. In addition, this bulletin also discloses the POODLE SSLv3 vulnerability
and one additional vulnerability.

II. CVSS

CVEID: CVE-2014-6513
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97127 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6503
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97129 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6532
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97128 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4288
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97135 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6493
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97134 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6492
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97133 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6458
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6466
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97136 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6506
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-6476
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6515
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6511
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6531
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2014-6512
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) 

CVEID: CVE-2014-6457
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) 

CVEID: CVE-2014-6527
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) 

CVEID: CVE-2014-6502
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) 

CVEID: CVE-2014-6558
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Specific to IBM Java CVE(s):

CVE-ID: CVE-2014-3065
CVSS Base Score: 6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)

CVE-ID: CVE-2014-3566
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

III. PLATFORM VULNERABILITY ASSESSMENT

The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than 5.0.0.580
For Java6: Less than 6.0.0.460
For Java7: Less than 7.0.0.135
For Java7 Release 1: Less than 7.1.0.15

Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in AIX user's guide.

Example: lslpp -L | grep -i java
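The following POSIX shell script is an added example, not IBM's code: it parses lslpp -L style output and flags any Java fileset whose level is below the fixed levels listed in section III, comparing the VRMF field by field rather than as a string. The sample lslpp lines and the Java fileset names in it are constructed assumptions for the example.

```shell
# Added example (not IBM's code): check installed AIX Java fileset levels against the
# vulnerable VRMF thresholds in section III. SAMPLE_LSLPP is a constructed stand-in
# for 'lslpp -L | grep -i java' output (Fileset, Level, State, Type, Description).
SAMPLE_LSLPP='  Java5.sdk      5.0.0.570  C  F  Java SDK 32-bit
  Java6_64.sdk   6.0.0.460  C  F  Java SDK 64-bit
  Java7.jre      7.0.0.130  C  F  Java Runtime Environment 32-bit
  Java71_64.sdk  7.1.0.15   C  F  Java SDK 64-bit'
# First fixed level per Java stream (section III); anything lower is vulnerable.
min_level() {
  case "$1" in
    Java5*)  echo 5.0.0.580 ;;
    Java6*)  echo 6.0.0.460 ;;
    Java71*) echo 7.1.0.15 ;;   # must precede Java7*, which would also match it
    Java7*)  echo 7.0.0.135 ;;
    *)       return 1 ;;        # not a Java fileset
  esac
}
# vrmf_lt A B: succeed when dotted level A is numerically lower than B
# (field by field, so 7.0.0.135 is above 7.0.0.99 where a string compare fails).
vrmf_lt() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 1   # equal levels are not lower
}
# java_vulnerable FILESET LEVEL: 0 = vulnerable, 1 = fixed level or later, 2 = not Java.
java_vulnerable() {
  need=$(min_level "$1") || return 2
  vrmf_lt "$2" "$need"
}
# Read lslpp-style lines on stdin; report each Java fileset, fail if any is vulnerable.
assess_lslpp() {
  bad=0
  while read -r fileset level rest; do
    case "$fileset" in Java*) ;; *) continue ;; esac
    if java_vulnerable "$fileset" "$level"; then
      echo "VULNERABLE  $fileset $level  (needs $(min_level "$fileset") or later)"; bad=1
    else
      echo "ok          $fileset $level"
    fi
  done
  return "$bad"
}

printf '%s\n' "$SAMPLE_LSLPP" | assess_lslpp || echo "Apply the fix packs in section IV."
```

On a real host, replace the sample with `lslpp -L | grep -i java | assess_lslpp`; a non-zero exit means at least one installed Java fileset is below the fixed level.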

IV. FIXES

AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x

REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 8 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Release 1 Fix Pack 2 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig

openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

V. WORKAROUNDS

None

VI. CONTACT US

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:

    A. Download the key from our web page:

        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

VII. REFERENCES:

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2014-6513: https://vulners.com/cve/CVE-2014-6513
CVE-2014-6503: https://vulners.com/cve/CVE-2014-6503
CVE-2014-6532: https://vulners.com/cve/CVE-2014-6532
CVE-2014-4288: https://vulners.com/cve/CVE-2014-4288
CVE-2014-6493: https://vulners.com/cve/CVE-2014-6493
CVE-2014-6492: https://vulners.com/cve/CVE-2014-6492
CVE-2014-6458: https://vulners.com/cve/CVE-2014-6458
CVE-2014-6466: https://vulners.com/cve/CVE-2014-6466
CVE-2014-6506: https://vulners.com/cve/CVE-2014-6506
CVE-2014-6476: https://vulners.com/cve/CVE-2014-6476
CVE-2014-6515: https://vulners.com/cve/CVE-2014-6515
CVE-2014-6511: https://vulners.com/cve/CVE-2014-6511
CVE-2014-6531: https://vulners.com/cve/CVE-2014-6531
CVE-2014-6512: https://vulners.com/cve/CVE-2014-6512
CVE-2014-6457: https://vulners.com/cve/CVE-2014-6457
CVE-2014-6527: https://vulners.com/cve/CVE-2014-6527
CVE-2014-6502: https://vulners.com/cve/CVE-2014-6502
CVE-2014-6558: https://vulners.com/cve/CVE-2014-6558
CVE-2014-3065: https://vulners.com/cve/CVE-2014-3065
CVE-2014-3566: https://vulners.com/cve/CVE-2014-3566

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.
