History: Jun 17, 2018 - 10:30 p.m.

Security Bulletin: Security vulnerabilities in IBM SDK, Java™ Technology Edition (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420) affect SmartCloud Provisioning

2018-06-17 22:30:10
www.ibm.com

EPSS: 0.004 (Percentile: 75.2%)

Summary

Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition shipped with IBM SmartCloud Provisioning (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420).

IBM SDK, Java™ Technology Edition has released patch updates that fix security vulnerabilities. The IBM SDK, Java™ Technology Edition shipped with SmartCloud Provisioning has been updated to Version 6 Fix Pack 16.

Notice: product software support discontinuance as per IBM Withdrawal Announcement 916-016.

Contact IBM Support for latest updates about IBM Cloud Orchestrator.

Vulnerability Details

CVE ID: CVE-2014-0878
DESCRIPTION: Vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers. This flaw potentially allows an attacker to predict the output of the random number generator under certain circumstances.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91084>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0460
DESCRIPTION: The JNDI DNS service provider has several implementation flaws that make spoofing DNS responses much easier.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92482>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0453
DESCRIPTION: An exception thrown by the Security component reveals information that an attacker could use to break RSA keys via a Bleichenbacher attack.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92490>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-2420
DESCRIPTION: Security decisions about applets are cached based on a non-cryptographic hash of the URL. An attacker can exploit collisions in these hashes to apply a user’s previous security decision to a malicious site.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92493>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

SmartCloud Provisioning 1.2
SmartCloud Provisioning 2.1
SmartCloud Provisioning 2.1 including all fix packs up to FP4

Remediation/Fixes

The recommended solution is to apply the appropriate Interim Fix or Fix Pack from Fix Central as soon as practical.

SmartCloud Provisioning 2.1, 2.1 including all fix packs up to FP4
Fix:
Upgrade to IBM SmartCloud Provisioning 2.1 FixPack 5

SmartCloud Provisioning 1.2
Contact IBM Support

Notice: the product reached software support discontinuance as per IBM Withdrawal Announcement 916-016. See the Reference section for information and Replacement Program.

Contact IBM Support for latest updates about IBM Cloud Orchestrator.

Workarounds and Mitigations

None.
