History: Jul 08, 2019 - 4:13 p.m.

Security Bulletin: Multiple vulnerabilities exist in the current IBM SDK for Java used in IBM System Networking Switch Center (CVE-2014-0411 & CVE-2014-0460)

2019-07-08 16:13:37
www.ibm.com

CVSS2: 5.8 Medium

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

IBM System Networking Switch Center ships with IBM Java 7 JRE. Two vulnerabilities are fixed in the April 2014 Critical Patch Update. 1) CVE-2014-0460: JNDI DNS service provider has several implementation flaws that make spoofing DNS responses much easier; 2) CVE-2014-0411: Vulnerability in Java Secure Socket Extension (JSSE).

Vulnerability Details

CVEID: CVE-2014-0460
DESCRIPTION: An unspecified vulnerability related to the JNDI component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92482 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0411
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM System Networking Switch Center 7.1 (7.1.3.1), and 7.2 (7.2.1.10).

Remediation/Fixes

IBM recommends upgrading all 7.1 and 7.2 versions of IBM System Networking Switch Center to one of the following releases:

  • 7.1.3.2
  • 7.2.1.11
  • 7.3.1.1

The install packages for these releases can be found on IBM’s Passport Advantage website: <http://www-01.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm>

Workarounds and Mitigations

None
