Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System (CVE-2015-0410 and CVE-2014-6593)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition Version 6 and 7 that are used by IBM PureApplication System. These issues were disclosed as part of the IBM Java SDK updates in January 2015.

Vulnerability Details

CVEID: CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM PureApplication System V1.1
IBM PureApplication System V2.0
IBM PureApplication System V2.1

Remediation/Fixes

The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication System V2.1
Upgrade to IBM PureApplication System V2.1.0.1

IBM PureApplication System V2.0
Upgrade to IBM PureApplication System V2.0.0.1 Interim Fix 4

IBM PureApplication System V1.1 and earlier:

Contact IBM customer support for upgrade options.

Workarounds and Mitigations

None