History: May 07, 2019 - 1:26 p.m.

Security Bulletin: Vulnerability in IBM Java SDKs and IBM Java Runtime Technology Edition affecting Rational Functional Tester (CVE-2014-3086)

2019-05-07 13:26:07
www.ibm.com

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Multiple vulnerabilities exist in IBM SDKs Java Technology Edition and IBM Runtime Environment Java Technology Edition that are used by Rational Functional Tester (RFT). These issues were disclosed as part of the IBM Java SDK updates in July 2014.

Vulnerability Details

CVEID: CVE-2014-3086

Description: A vulnerability in the IBM implementation of the Java Virtual Machine may, under very limited circumstances, allow untrusted code running under a security manager to escalate its privileges.

CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94097> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

Rational Functional Tester version 8.2.2 and later

Remediation/Fixes

Vendor Fixes:

| Product | Version | APAR | Remediation/First fix |
|---|---|---|---|
| RFT | 8.6.0 | None | Apply the iFix on RFT 8.6, which ships with IBM SDK, Java Technology Edition, Version 7 Service Refresh 7 Fix Pack 1 iFix. |
| RFT | 8.5.1 - 8.5.1.x | None | Upgrade to RFT 8.5.1.3 (the last fix pack version on 8.5.1), which ships with IBM SDK, Java Technology Edition, Version 7 Service Refresh 7 Fix Pack 1 iFix, and apply the iFix. |
| RFT | 8.5.0 - 8.5.0.x | None | Upgrade to RFT 8.5.0.1 (the last fix pack version on 8.5.0), which ships with IBM SDK, Java Technology Edition, Version 7 Service Refresh 7 Fix Pack 1 iFix, and apply the iFix. |
| RFT | 8.3 - 8.3.0.x | None | Upgrade to RFT 8.3.0.2 (the last fix pack version on 8.3.0), which ships with IBM SDK, Java Technology Edition, Version 7 Service Refresh 7 Fix Pack 1 iFix, and apply the iFix. |
| RFT | 8.2.2 - 8.2.2.x | None | Upgrade to RFT 8.2.2.1 (the last fix pack version on 8.2.2), which ships with IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 1 iFix, and apply the iFix. |

Workarounds and Mitigations

Until fixes are applied, ensure RFT is not accessible from the Internet.
