Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM53FF19D3C50F65D65C12C687E475BA589D39093B084C8AC4A00AAB1B499E7E8D
HistoryJan 29, 2024 - 7:30 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)

2024-01-2919:30:27
www.ibm.com
10
ibm java runtime
content manager enterprise
poodle sslv3
jsse
hotspot
vulnerabilities
fix
affected versions
sslv3 protocol

3.3 Low

AI Score

Confidence

High

0.975 High

EPSS

Percentile

100.0%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 5 and 7 that is used by Content Manager Enterprise Edition. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

CVE-ID:CVE-2014-3566

**DESCRIPTION:**Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6457

DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-ID:CVE-2014-6468

**DESCRIPTION:**An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

Content Manager Enterprise Edition v8.4.3 - 8.5.x

Remediation/Fixes

<Product

| VRMF | APAR | Remediation/First Fix
—|—|—|—
Content Manager Enterprise Edition | 8.4.3.x | none | Call Level 2 support to request the following fix numbers: __
006_84304tf****c for Windows Platform__ 006_84304tf****b__ for all other platforms (Non-Windows)__
Content Manager Enterprise Edition | 8.5…x.x | none | Call Level 2 support to request fix. the following fix numbers: __
002_850002atf for all platforms__

Workarounds and Mitigations

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

Related

ibm 106
prion 3
cvelist 3
cve 2
debiancve 2
ubuntucve 2
veracode 2
fedora 17
nessus 35
centos 1
redhat 2
openvas 12
cisco 1
suse 1
osv 1
hackerone 2
seebug 1
cert 1
amazon 1
citrix 1
f5 1
checkpoint_security 1
securityvulns 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)
2019-12-19 16:53:24
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DB2 Recovery Expert for Linux, UNIX and Windows (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)
2018-06-16 13:08:06
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)
2018-06-17 05:00:33
prion
prion
Buffer overflow
2014-10-15 15:55:00
Design/Logic Flaw
2014-10-15 15:55:00
Code injection
2014-10-15 00:55:00
cvelist
cvelist
CVE-2014-6468
2014-10-15 15:15:00
CVE-2014-6457
2014-10-15 15:15:00
CVE-2014-3566
2014-10-15 00:00:00
cve
cve
CVE-2014-6468
2014-10-15 15:55:00
CVE-2014-6457
2014-10-15 15:55:00
debiancve
debiancve
CVE-2014-6468
2014-10-15 15:55:00
CVE-2014-6457
2014-10-15 15:55:00
ubuntucve
ubuntucve
CVE-2014-6468
2014-10-15 00:00:00
CVE-2014-6457
2014-10-15 00:00:00
veracode
veracode
Man-in-the-Middle (MitM)
2019-01-15 09:02:24
Information Disclosure
2017-02-07 00:05:45
fedora
fedora
[SECURITY] Fedora 19 Update: claws-mail-plugins-3.11.1-1.fc19
2015-01-05 07:36:19
[SECURITY] Fedora 21 Update: subscription-manager-1.13.6-1.fc21
2014-11-10 06:34:40
[SECURITY] Fedora 20 Update: nodejs-0.10.33-1.fc20
2014-12-15 04:34:00
nessus
nessus
FreeBSD : asterisk -- Asterisk Susceptibility to POODLE Vulnerability (76c7a0f5-5928-11e4-adc7-001999f8d30b) (POODLE)
2014-10-22 00:00:00
Cisco Unified Communications Manager SSLv3 Information Disclosure (cisco-sa-20141015-poodle) (POODLE)
2014-11-12 00:00:00
Fedora 20 : openssl-1.0.1e-40.fc20 (2014-13069) (POODLE)
2014-10-20 00:00:00
centos
centos
openssl security update
2014-10-16 15:21:39
redhat
redhat
(RHSA-2014:1653) Moderate: openssl security update
2014-10-16 00:00:00
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:0010-1)
2021-06-09 00:00:00
Fedora Update for asterisk FEDORA-2014-15621
2015-01-05 00:00:00
Fedora Update for nodejs FEDORA-2014-15411
2015-01-05 00:00:00
cisco
cisco
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2014-10-15 18:30:00
suse
suse
Security update for suseRegister (important)
2015-01-05 21:04:43
osv
osv
lighttpd - security update
2015-07-25 00:00:00
hackerone
hackerone
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
MariaDB: smtp service vulnerable to POODLE SSLv3
2019-03-24 06:26:55
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00
amazon
amazon
Important: openssl
2014-10-14 22:32:00
citrix
citrix
CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw
2014-10-14 04:00:00
f5
f5
K15702 : SSLv3 vulnerability CVE-2014-3566
2015-09-18 00:00:00
checkpoint_security
checkpoint_security
Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)
2014-10-13 21:00:00
securityvulns
securityvulns
TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
2014-10-18 00:00:00

3.3 Low

AI Score

Confidence

High

0.975 High

EPSS

Percentile

100.0%

JSON
Related for 53FF19D3C50F65D65C12C687E475BA589D39093B084C8AC4A00AAB1B499E7E8D
ibm106prion3cvelist3cve2debiancve2ubuntucve2veracode2fedora17nessus35centos1redhat2openvas12cisco1suse1osv1hackerone2seebug1cert1amazon1citrix1f51checkpoint_security1securityvulns1