History: Jun 25, 2018 - 5:54 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Server Community Edition 3.0.0.4 related to Java Technology Edition Quarterly CPU - January 2015 (CVE-2015-0383, CVE-2014-3566, CVE-2014-6593 and CVE-2015-0410)

2018-06-25 05:54:54
www.ibm.com
CVSS3: 3.4 Low

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 5.4 Medium

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:N/I:P/A:C

Summary

Multiple security vulnerabilities exist in IBM SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server Community 3.0.0.4.

Vulnerability Details

**CVE-ID:** CVE-2015-0383

**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.

**CVSS Base Score:** 5.4
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100148> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:L/AC:M/Au:N/C:N/I:P/A:C)

**CVE-ID:** CVE-2014-3566

**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.

**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**CVEID:** CVE-2014-6593

**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

**CVSS Base Score:** 4
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:P/I:P/A:N)

**CVEID:** CVE-2015-0410

**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.

**CVSS Base Score:** 5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

WebSphere Application Server Community Edition 3.0.0.4

Workarounds and Mitigations

Upgrade your IBM SDK for Java to an interim fix level as determined below:
IBM SDK 6.0:
IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and subsequent releases
IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 3 and subsequent releases

IBM SDK 7.0:
IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 Fix Pack 10 and subsequent releases
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 2 Fix Pack 10 and subsequent releases
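
A check of an installed runtime against the fix levels listed above, as an added example that is not part of the IBM bulletin. It assumes the IBM build identifier printed by `java -version` has the form `pxa6470sr8fp10`, with `_26` or `_27` after the release digits marking the 6R1 and 7R1 streams; the sample lines are constructed and their build stamps are placeholders.

```python
import re

# Minimum fixed (service refresh, fix pack) per SDK stream, from the bulletin.
MIN_FIXED = {"6": (16, 3), "6R1": (8, 3), "7": (8, 10), "7R1": (2, 10)}

# Assumption: build id is p + platform (e.g. xa64) + 60|70 + optional _26/_27
# VM tag + srN + optional fpN, as in "pxa6470sr8fp10".
BUILD_ID = re.compile(r"\bp[a-z]{2}\d{2}(60|70)(?:_(\d{2}))?sr(\d+)(?:fp(\d+))?")

# Assumption: (release digits, VM tag) -> stream name used in the bulletin.
STREAMS = {("60", None): "6", ("60", "26"): "6R1",
           ("70", None): "7", ("70", "27"): "7R1"}


def sdk_level(version_output):
    """Return (stream, service_refresh, fix_pack), or None if not recognised."""
    m = BUILD_ID.search(version_output)
    if not m:
        return None
    stream = STREAMS.get((m.group(1), m.group(2)))
    if stream is None:
        return None
    # A service refresh without a fix pack suffix counts as fix pack 0.
    return stream, int(m.group(3)), int(m.group(4) or 0)


def is_fixed(version_output):
    """True/False against the bulletin's levels; None when the level is unknown."""
    level = sdk_level(version_output)
    if level is None:
        return None  # never report an unparsed runtime as fixed
    stream, sr, fp = level
    # Tuple comparison covers "and subsequent releases": a later service
    # refresh passes whatever its fix pack number is.
    return (sr, fp) >= MIN_FIXED[stream]


# Constructed sample `java -version` lines; build stamps are placeholders.
SAMPLES = {
    "7 SR8 FP5": "Java(TM) SE Runtime Environment (build pxa6470sr8fp5-00000000_00(SR8 FP5))",
    "7R1 SR2 FP10": "Java(TM) SE Runtime Environment (build pxa6470_27sr2fp10-00000000_00(SR2 FP10))",
    "6 SR17": "Java(TM) SE Runtime Environment (build pxa6460sr17-00000000_00(SR17))",
    "6R1 SR8 FP2": "Java(TM) SE Runtime Environment (build pxa6460_26sr8fp2-00000000_00(SR8 FP2))",
    "other": 'openjdk version "1.8.0"',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, sdk_level(text), is_fixed(text))
```

A `None` result means the runtime was not recognised as one of the four streams in the bulletin and needs a manual check.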
