History: Jun 17, 2018 - 2:35 p.m.

Security Bulletin: Potential security vulnerabilities in current IBM SDK Java Technology Edition for IBM Tivoli Network Manager January 2014 CPU

2018-06-17 14:35:42
www.ibm.com
EPSS: 0.008 (Percentile: 81.5%)

Summary

Potential security exposure when using Java™ based applications due to vulnerabilities in Java Software Developer Kits. See Vulnerability Details for CVE IDs.

Vulnerability Details

Tivoli Network Manager is shipped with an IBM SDK Java Technology Edition that is based on the Oracle JDK. Oracle has released January 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK Java Technology Edition has been updated to incorporate these fixes.

Unspecified vulnerability in Java SE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

  • The 3.8.x versions of Tivoli Network Manager bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
  • The 3.9.x and 4.1 versions of Tivoli Network Manager bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7.

Remediation/Fixes

Upgrade your SDK to an interim fix level as determined below:

  1. Update Tivoli Integration Portal to the latest Tivoli Network Manager supported fixpack level.
  2. Download and apply the interim fix APARs below for IBM WebSphere Application Server:
    <https://www-304.ibm.com/support/docview.wss?uid=swg21663938>
      • For 3.8.x, IBM WebSphere Application Server version 6.1.0.0 through 6.1.0.47:
          • Contact IBM Support and apply Interim Fix PI08999: Will upgrade you to SDK 5 SR16 FP1
      • For 3.9.x and 4.1, IBM WebSphere Application Server version 7.0.0.0 through 7.0.0.31, download and apply the interim fix APARs below:
          • Apply Interim Fix PI08996: Will upgrade you to SDK 6 SR15 FP1
          • --OR--
          • Apply the IBM SDK Java Technology Edition shipped with WebSphere Application Server Fix pack 33 (7.0.0.33) or later (targeted to be available 23 June 2014).

Workarounds and Mitigations

None