Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem models 840 and 900 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625)

2023-02-18T01:45:50

Description

## Summary There are unspecified vulnerabilities revealed in the July 2015 Java Critical Patch Update (CPU) which the IBM® FlashSystem™ 840 and IBM FlashSystem 900 are susceptible. An exploit of these vulnerabilities could allow a remote attacker to obtain sensitive information and which could allow a local attacker to obtain information to aid in further attacks against the system. ## Vulnerability Details This bulletin covers the subset of Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update to which FlashSystem 840 and 900 are susceptible. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>) and the X-Force database entries referenced below. This bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition. **CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. CVSS Base Score: 2.6 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) **CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. CVSS Base Score: 2.1 CVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) ## Affected Products and Versions FlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1. FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2. ## Remediation/Fixes _FS840 & FS900 MTMs_ | _VRMF_| _APAR_| _Remediation/First Fix_ ---|---|---|--- **FlashSystem ****840 MTM: ** 9840-AE1 9843-AE1 **FlashSystem 900 MTMs:** 9840-AE2 & 9843-AE2| _A code fix is now available, the VRMF of this code level is 1.3.0.3 (or later)_| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ **1.3.0.3** is available @ IBM’s Fix Central **: **[**_840 fixes, download 1.3.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>) **1.3.0.3** is available @ IBM’s Fix Central **: **[**_900 fixes, download 1.3.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>) ## Workarounds and Mitigations None ##

Affected Software

CPE Name	Name	Version
	ibm flashsystem 900	any
	ibm flashsystem 900	any

{"id": "6FB1AE3AE38A5D714BB5F5994D2BD157BB656C01F1A7D1FF054B8BDBB90C5728", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem models 840 and 900 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625)", "description": "## Summary\n\nThere are unspecified vulnerabilities revealed in the July 2015 Java Critical Patch Update (CPU) which the IBM\u00ae FlashSystem\u2122 840 and IBM FlashSystem 900 are susceptible. An exploit of these vulnerabilities could allow a remote attacker to obtain sensitive information and which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n## Vulnerability Details\n\nThis bulletin covers the subset of Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update to which FlashSystem 840 and 900 are susceptible. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>) and the X-Force database entries referenced below. This bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition. \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1. \n \nFlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2.\n\n## Remediation/Fixes\n\n_FS840 & FS900 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 & \n9843-AE2| _A code fix is now available, the VRMF of this code level is 1.3.0.3 (or later)_| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ \n \n \n**1.3.0.3** is available @ IBM\u2019s Fix Central **: **[**_840 fixes, download 1.3.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>) \n**1.3.0.3** is available @ IBM\u2019s Fix Central **: **[**_900 fixes, download 1.3.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2023-02-18T01:45:50", "modified": "2023-02-18T01:45:50", "epss": [{"cve": "CVE-2015-1931", "epss": 0.00042, "percentile": 0.05786, "modified": "2023-12-06"}, {"cve": "CVE-2015-2601", "epss": 0.00789, "percentile": 0.79489, "modified": "2023-12-06"}, {"cve": "CVE-2015-2613", "epss": 0.00697, "percentile": 0.77947, "modified": "2023-12-06"}, {"cve": "CVE-2015-2625", "epss": 0.00789, "percentile": 0.79489, "modified": "2023-12-06"}], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, "href": "https://www.ibm.com/support/pages/node/690697", "reporter": "IBM", "references": [], "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "immutableFields": [], "lastseen": "2023-12-06T18:22:06", "viewCount": 11, "enchantments": {"score": {"value": 5.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "aix", "idList": ["JAVA_JULY2015_ADVISORY.ASC"]}, {"type": "amazon", "idList": ["ALAS-2015-570", "ALAS-2015-571", "ALAS-2015-586"]}, {"type": "archlinux", "idList": ["ASA-201507-16"]}, {"type": "centos", "idList": ["CESA-2015:1228", "CESA-2015:1229", "CESA-2015:1230", "CESA-2015:1526"]}, {"type": "cve", "idList": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2016-8217"]}, {"type": "debian", "idList": ["DEBIAN:DLA-303-1:590A1", "DEBIAN:DSA-3316-1:0E231", "DEBIAN:DSA-3339-1:3BF63"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2015-2601", "DEBIANCVE:CVE-2015-2613", "DEBIANCVE:CVE-2015-2625"]}, {"type": "f5", "idList": ["F5:K17169", "F5:K84947349", "SOL17169"]}, {"type": "gentoo", "idList": ["GLSA-201603-11", "GLSA-201603-14"]}, {"type": "ibm", "idList": ["035E31B21FA2842E5298751581BB08BF4D71E59074D3963F953E41666C138394", "03B2B306CF3D97AF8784830C083834129C31FF9B358DEAF5C19F1B57C7716D7F", "046BFDFDFEF57E40AEF5921AC2EAEE3EEA1453CC00EE02DF1AEFB9C2AC05178C", "05EA0613CCDE54EFA5261A92BB8AD85AC9483C1FF44BBFC007A754DD1DA033F1", "0BA3D00F2A4E161ACE7CE229FBCCA7601D73B67AF80161C317B48754F1EC9FB8", "0E05CCAA07089D5DAFFCD10AD6B9E596F441C902C37C1CB56A717E8D9344263D", "104BE807C8577FF816DF414B5A588FABB581711BB54758F6F49C7CAC17CD68BE", "119B5A3507435FD3473080875B6B7AF68221D32E82A66EED05FDD9930B10DCD8", "11D2941D2C8C3F09B99B7AD0F337748E31169A5FE52F793E615EFEA790066C89", "1A6ED5D827C9B7F2277B3D67DC5CF6E6E0140AD47BEA97E4D1117C4DB04282EC", "1BBF2A32FAD2400D9BC729236743DB5BA10E71E968751393DCCFA07C879D7E68", "1EFD60B117FB1476DA261B1115B8E0585DDEAAEEEF51E0B42B01CD05D8D98B6A", "1FD49578D53C0B28622BA402E5A53FB04A72241E6530B063CD1AAADE9E5BF317", "23F1F0AB4D1857515FE960B51E370FB7F21D8DE14D6A5C60A850469DBF492783", "25D2B9C0FA0BC7D57BDB77AFAA062F9B600D1BCD47833017C2B0950C9718A7EF", "2EBE18E6BFBAB729289EB191B100C4B2DB254A6249E2A51851B4C72069DDA2FF", "2FE25685E021FF1A9C831364B6F5965095F1E1B81C165A2C647499A7FF03D904", "32E92A6481805BA68ACC511BAB87E407FC3E1923CBFC0C98828FADD46A9C2827", "33F15FE0CFBF77A7171E2F0D7DA3388C60B0FC08F3BEB92A6FBAAE6443594569", "3403EBD13C171A5D7444399BA5A9F94E5CCA875C8E3E0629AEA983CD163BAD0D", "34CFE8125A8881CC719C7F836804991085EA547A7871860AB1BFE0DB8E83422D", "376881B708EE709A23D7CF26BB3E3EFE99A529E7B07BD86A464ECD42C2CA569D", "3ABCE5B97D3FBEF2653E542822B7E2A4916949E65B52DFB6C87BAF2D516FD1F4", "3E8CBD7664E23468E3388AAA8D38722322E48FB06767224AD7578A77FEF26330", "3FD11FED4FA21C029AEEACC6A3AAEBD94157C33C98BEC0C9163222130AA612B4", "418FB3B93A868C8ED89ADB32C7F0F86F1FFB5FF80A4383CEC58D35E30D807CD4", "4D31930803D2C479476478125462D5DBFB1429D04F74E21FE79B6C97E7168687", "4EA215B3645DDAC4FD37F8734C45AA03E711B96215D9E5BD79734DA548CB9D4D", "5097B9E0CB73DAB35E2A82A74BD89F9BF8CF80E46DEAEA11D40F4BE3688E1227", "5259AA5CACBCC342A208878B507D6FDE3F3A715EF67BB4F910C9ACC9CBBF706D", "52D87171CAF873218A829198184C1E0E46AE19CC3A04599D70F2BDFF5AA4D2BF", "554BA5FAFE48D11CC6936A7592937D777A2BB491B3B6E34A9D6502E15AAA7F9E", "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "5D9E23BAD0DEC7E3C9BE6EE3254C32064BFF6836711ECF93F299A394A3CEE442", "60CE35DF934D73BFA400DF2649EEEC2388306C311088649B9FF31932969DCD56", "62DC15D565D3AED15E95F60C1E162CD79C80C198042969F302EBA3BFD8AA5F09", "6306C96E0D0FE0166F8E0A01407C9DF11CC2812D121B155FBC919F0F579B40AE", "65B1496C73BCC56FAE14FB1E068BD6908EA0C48EF7C8CAD85A387FBF9F18C0DF", "6652670EF6E6EDBDD8B1BC971B1388AE4EAD3072A0556537B0DC7258BBDD9001", "66570208F5EE267DEA492B2E7CE7C2A1B5F4C0D935DA4A223B1B1CF1DEE9AD6C", "6C3276D773A29D1F10A39BA6B166184CEB01561E7FE5829CB3D29DBDA9328964", "7108C0EE39B28D96C52528E1823D34596C84083C2A2CAD5294302C93F75E123D", "725F53EDFF360661BC60EE0BBB3B2E26D83A4021F5C4A3337A70FC7DA6D27AFC", "733CC23A433749116E7579F282166A83D89C19FDF6F4DA9DE4664CEFFD8F8235", "764A153B521DEC38D87D7FE547BEDAAC8370C269EDE05B8A3D1189C33EF92D24", "76ED8A969B89E917406E6428B20653B4CA4683B94EF0C818185ED8F868517B34", "789F582CE21B28D7058FBE46F6D1A9AAA3817DFDAD8E3EF76DBC52A4F54577C6", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "800A2F8ECA31C99E0164F8028DC1794BC913502CA5A3550F4D0D762DC21B21F3", "86CF5B944698359DA4D538F7990FAE092AE2165F4F67E815E252A47DEDD41B68", "8A73AC94075E067E0D2956EB222BBF00ACEC293AF298E2B41F4893F9FB9B6259", "8B947D236A9EE7188BF963550863337D511A26D44C0D348CAB1E7D02E27B5D9D", "8D55AF808F4D835A74D5852E651EDDB90554321DD81A30095AABCC982F9C3EBC", "8D8EBB96102ED70014CA0DB0DA7106AFC6650D58DE6ADEA478C1B97C31176584", "936FB2EE9030DCE6970D63C2F1FACFD714A5CC9216C71CB8245A9C21B2CCE55A", "937053D178A403D90ADE669A574517EC3D828AFADB2ABAAF335EADA26FB2E061", "966BEAD90E79446B8744128993496F9D64DA8B378811559F1241DD3DB2BF54F2", "982439B1B2A55F3FC951BFDBFCE9F4936521B072473058F236673D99C1C8861C", "9A9D8E5C20DD91466612FF62A4BC7BFD968871BD0E04153578FAF37A6010E34A", "9AB5502A182187DE670E4A36623CE73D240AD6D48C76E29D270570CCA5494A55", "A0C4AD3CFBFCE151B5419A4CAB2FE62A2088629DFE37047C4ACED864D50B6136", "A503CDB7A18AC813B87DF34B0BC9324C0129ECD992270889D16D9A29AFB0B9C6", "A5370A122C5D79908DF3CF003449B027FBDD860CCB79270E2B3A98CCFC24F642", "A597FC2502CE93E35C812A73F9B40A7FB359E54479EB78A16E664A740F1B62E1", "A79AADC73330C4877A736E350B8B7AC684DD495A938F8988EAD9C56B0FB99EA0", "A8E25F179899636EEDE5DB4C058CFBD12CD3D86BBB997818FC67DC2C6EBEB885", "A8FCA8838CF049BF62AAB68408FB18EF0F19EB760464B7DCA7B268D4FDEBB1D1", "A911AF5A1D427E3C73869552B626178ECA9D7A2C4D751BD35DCB395C648FFF83", "AAE18CEA84D94F309513D180426FAF54CB6717E29FCFC0F49D01CBC77C002357", "B12649723FE3BE03431408E88916DBAC1978DE8ACF5D0E585C9C1BB9AC7B99ED", "B5ADCF6D69219ACACE818A443FD3EDF031CF92FEE48D35E7F2D1B7165382E648", "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "BA4ED53D3BF345F5D067EA458E9C00169A222A7759D283882B8C2E806FEC9BE7", "BDFDB12EE4B5C4BCFFA9F0ECC2C1F998043665BB66572D44E03147ADE97B1C63", "C05606DDE0787CFD8AFD46D19B6A8662265DC74F7E3AFC3427692BA89186825A", "C4FDA20D2B40995B6107B668E5B27AEAD5EA51C42F7A035DC4761653D1B94A39", "C9B127D102B44D6D14EDA190EA91F8A24449619880F766B74375DF75AC7520DB", "C9B888781533B96383252E3A65356A2BF2FA754CD8284F56EE37C98E45EF6EBD", "CB1B87BF4874E8E4FDFF0C5D0245F1B8EA7AF72E1648F87D112407D83AC6BFA1", "CC751804DD5AF51B454989BC575924F772D2A5BCBD27C03FD1D5BE72EB25690A", "CCC2D4B1A3B4220DE1D629024042B8E0DADEB060E0C94801FC909E6317A73763", "CD1CEEEED74112878AE5AB1C531655B7FEBD8354CEA515F99B385E9D4BE62A00", "CD91438C4049C3E50681096441AB24E202AD967CD3D183FD5CC2C7A6D09E32F8", "CDDA128A0A45D4CA4ECD0735D8B10027814497D1D702CE3D1D8E1A772CEC1F54", "CEB27E785E600294CBB232BE2A4F87611DCB20D91D768C5E4A4B5C3B0D8D1D3A", "D09DEA3E3E7C2010B3644051810CABA5FBB96CA2095DD04ECE9D96E46F46F3B0", "D0BA42DADC453F8DEBC9090E60B30D016C450C1F08701752D15C3CE2088BA12B", "D173233F8673F62F52B6B2640C2820A132AFCE80B074B8596EF41B1E6B67938D", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D48D8B0F5BB77C84342594E22E2D168A587947CA8F126B068A1738B1CC98EEC7", "D6282117AB13EB25AE54CEF6988ADB83EC89FA814931738B384654ADE6C4A47A", "D82EBD1B2B4E451563D580F2F62E2D369C6453191D7884FD9A929F99ECF9C15B", "D897D60D6AEA2BE79C64FC9EE3E394FF2AFF6881EBD8B1A550AA35BFEEDF4F35", "D95EDF686012146F9A7732CD200C406F0E6F482FDC403311570CBF33C3E29E71", "E0633EE7ACE98817765D9897540C48F8ECE3E12C872BD61974C63425FBBC9716", "E1E3EF19495F88A7ACFAAF137C61A44B066AA02B00E7F007D106152AE52B5D0F", "E577807B67AD7099C631EACF64A14A478E2F82254623EB50964BD0ABC183A89A", "E613835736670FB1968C3C6B79998927CD473DD1455F2D9C369EB4D23D4A42FB", "E7B27D160CD8AD6CEE5EE17DF994C844B5EC3D6A8C4976FBBC5C2E758D5732CA", "EC178E8FDBBD28F910954EB01A63F8AC93B92A177253B621E53546B7FBE46E0D", "EE42DAE3440E861A31373F326B88BD0B596A1BF022DC104C863D03EA937F0882", "F43C795683B9F78C5CC3FE51A6FEB70AA8104D3A5F71BB174EFD86D894611AE7", "F7437D0AD9F530995E25E248E671C3F2C4BD740237FA6625D3979B04D752C108", "FA90064F3FABCD5CD6E50C627B3EEFFD46086A8E2B7D5B55053A4E47043DC8A7", "FC4C804F44282D78247FA90BC4C8C855819430A02725094AC97DBD89D0227589", "FCBE194563589DFF9606D62F884B470E8FE64EC32ECEF7BF7F3E11951F8D3E8F", "FE8DF87C57D3484949C7E11D37DE0287686A351A962B34668F63D303D9546FB1"]}, {"type": "kaspersky", "idList": ["KLA10629"]}, {"type": "mageia", "idList": ["MGASA-2015-0277", "MGASA-2015-0280"]}, {"type": "nessus", "idList": ["8918.PRM", "AIX_JAVA_JULY2015_ADVISORY.NASL", "ALA_ALAS-2015-570.NASL", "ALA_ALAS-2015-571.NASL", "ALA_ALAS-2015-586.NASL", "CENTOS_RHSA-2015-1228.NASL", "CENTOS_RHSA-2015-1229.NASL", "CENTOS_RHSA-2015-1230.NASL", "CENTOS_RHSA-2015-1526.NASL", "DEBIAN_DLA-303.NASL", "DEBIAN_DSA-3316.NASL", "DEBIAN_DSA-3339.NASL", "GENTOO_GLSA-201603-11.NASL", "GENTOO_GLSA-201603-14.NASL", "JUNIPER_SPACE_JSA10727.NASL", "OPENSUSE-2015-511.NASL", "OPENSUSE-2015-512.NASL", "ORACLELINUX_ELSA-2015-1228.NASL", "ORACLELINUX_ELSA-2015-1229.NASL", "ORACLELINUX_ELSA-2015-1230.NASL", "ORACLELINUX_ELSA-2015-1526.NASL", "ORACLE_JAVA_CPU_JUL_2015.NASL", "ORACLE_JAVA_CPU_JUL_2015_UNIX.NASL", "ORACLE_JROCKIT_CPU_JUL_2015.NASL", "REDHAT-RHSA-2015-1228.NASL", "REDHAT-RHSA-2015-1229.NASL", "REDHAT-RHSA-2015-1230.NASL", "REDHAT-RHSA-2015-1241.NASL", "REDHAT-RHSA-2015-1242.NASL", "REDHAT-RHSA-2015-1243.NASL", "REDHAT-RHSA-2015-1485.NASL", "REDHAT-RHSA-2015-1486.NASL", "REDHAT-RHSA-2015-1488.NASL", "REDHAT-RHSA-2015-1526.NASL", "REDHAT-RHSA-2015-1544.NASL", "REDHAT-RHSA-2015-1604.NASL", "SL_20150715_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20150715_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20150715_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20150730_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SUSE_SU-2015-1319-1.NASL", "SUSE_SU-2015-1320-1.NASL", "SUSE_SU-2015-1329-1.NASL", "SUSE_SU-2015-1331-1.NASL", "SUSE_SU-2015-1345-1.NASL", "SUSE_SU-2015-1375-1.NASL", "SUSE_SU-2015-1509-1.NASL", "SUSE_SU-2015-2166-1.NASL", "SUSE_SU-2015-2192-1.NASL", "SUSE_SU-2016-0113-1.NASL", "UBUNTU_USN-2696-1.NASL", "UBUNTU_USN-2706-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105608", "OPENVAS:1361412562310108395", "OPENVAS:1361412562310108398", "OPENVAS:1361412562310120041", "OPENVAS:1361412562310120044", "OPENVAS:1361412562310120507", "OPENVAS:1361412562310121453", "OPENVAS:1361412562310121456", "OPENVAS:1361412562310123044", "OPENVAS:1361412562310123077", "OPENVAS:1361412562310123080", "OPENVAS:1361412562310123081", "OPENVAS:1361412562310130098", "OPENVAS:1361412562310703316", "OPENVAS:1361412562310703339", "OPENVAS:1361412562310805722", "OPENVAS:1361412562310805727", "OPENVAS:1361412562310842398", "OPENVAS:1361412562310842404", "OPENVAS:1361412562310850666", "OPENVAS:1361412562310850672", "OPENVAS:1361412562310850898", "OPENVAS:1361412562310850995", "OPENVAS:1361412562310871390", "OPENVAS:1361412562310871391", "OPENVAS:1361412562310871392", "OPENVAS:1361412562310871422", "OPENVAS:1361412562310882220", "OPENVAS:1361412562310882221", "OPENVAS:1361412562310882222", "OPENVAS:1361412562310882224", "OPENVAS:1361412562310882225", "OPENVAS:1361412562310882236", "OPENVAS:1361412562310882237", "OPENVAS:703316", "OPENVAS:703339"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2015"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-1228", "ELSA-2015-1229", "ELSA-2015-1230", "ELSA-2015-1526"]}, {"type": "osv", "idList": ["OSV:DLA-303-1", "OSV:DSA-3316-1"]}, {"type": "prion", "idList": ["PRION:CVE-2015-1931", "PRION:CVE-2015-2601", "PRION:CVE-2015-2613", "PRION:CVE-2015-2625", "PRION:CVE-2016-8217"]}, {"type": "redhat", "idList": ["RHSA-2015:1228", "RHSA-2015:1229", "RHSA-2015:1230", "RHSA-2015:1241", "RHSA-2015:1242", "RHSA-2015:1243", "RHSA-2015:1485", "RHSA-2015:1486", "RHSA-2015:1488", "RHSA-2015:1526", "RHSA-2015:1544", "RHSA-2015:1604"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14601"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2015:1288-1", "OPENSUSE-SU-2015:1289-1", "SUSE-SU-2015:1319-1", "SUSE-SU-2015:1320-1", "SUSE-SU-2015:1329-1", "SUSE-SU-2015:1331-1", "SUSE-SU-2015:1345-1", "SUSE-SU-2015:1375-1", "SUSE-SU-2015:1509-1", "SUSE-SU-2015:2166-1", "SUSE-SU-2015:2192-1", "SUSE-SU-2016:0113-1"]}, {"type": "ubuntu", "idList": ["USN-2696-1", "USN-2706-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-2601", "UB:CVE-2015-2613", "UB:CVE-2015-2625"]}, {"type": "veracode", "idList": ["VERACODE:11734", "VERACODE:17326", "VERACODE:17327", "VERACODE:17328", "VERACODE:17329", "VERACODE:17330", "VERACODE:17331", "VERACODE:17333", "VERACODE:17334", "VERACODE:17335", "VERACODE:17336", "VERACODE:17337", "VERACODE:17338", "VERACODE:17339", "VERACODE:17408", "VERACODE:17409", "VERACODE:17410"]}]}, "affected_software": {"major_version": [{"name": "flashsystem 840 including machine type and models (mtms) for all available code levels. mtms affected include 9840-ae1 and 9843-ae1. flashsystem 900 including machine type and models (mtms) for all available code levels. mtms affected include 9840-ae2 and", "version": 9843}]}, "epss": [{"cve": "CVE-2015-1931", "epss": 0.00042, "percentile": 0.05657, "modified": "2023-05-01"}, {"cve": "CVE-2015-2601", "epss": 0.00789, "percentile": 0.79018, "modified": "2023-05-01"}, {"cve": "CVE-2015-2613", "epss": 0.00697, "percentile": 0.77344, "modified": "2023-05-01"}, {"cve": "CVE-2015-2625", "epss": 0.00789, "percentile": 0.79018, "modified": "2023-05-01"}], "vulnersScore": 5.7}, "_state": {"score": 1701886967, "dependencies": 1701890469, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "5e2c7c75dba7873ce9e43a540170c5b9"}, "affectedSoftware": [{"version": "any", "operator": "eq", "name": "ibm flashsystem 900"}, {"version": "any", "operator": "eq", "name": "ibm flashsystem 900"}]}

{"ibm": [{"lastseen": "2023-02-21T01:48:14", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM Runtime Environment Java Technology Edition used in the FileNet Content Manager, IBM Content Foundation and FileNet Business Process Manager products. These issues are addressed in Version 1.6.0 SR16 FP7, Version 1.7.0 SR9 FP10, and 1.8.0 SR1 FP10 which are part of the IBM Java SDK July 2015 update.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nFileNet Content Manager 5.1.0, 5.2.0, 5.2.1 \nIBM Content Foundation 5.2.0, 5.2.1 \nFileNet Business Process Manager 4.5.1, 5.0.0 \nFileNet eProcess 5.2.0\n\n## Remediation/Fixes\n\nInstall IBM Java Runtime Environment (JRE) v1.6.0 SR16 FP7, v1.7.0 SR9 FP10, v1.8.0 SR1 FP10 or higher which is provided in the following releases in the table below. \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.1.0 \n5.2.0 \n \n5.2.1| PJ43450 \nPJ43566 \nPJ43522 \nPJ43566 \nPJ43522| 5.1.0.0-P8CSS-IF014 - Jan 8, 2016 \n5.2.0.4-P8CPE-IF002 - Jan 8, 2016 \n5.2.0.4-P8CSS-IF001 - Jan 8, 2016 \n5.2.1.3-P8CPE-FP003 - Dec 4, 2015 \n5.2.1.3-P8CSS-FP003 - Dec 4, 2015 \nIBM Content Foundation| 5.2.0 \n \n5.2.1| PJ43566 \nPJ43522 \nPJ43566 \nPJ43522| 5.2.0.4-P8CPE-IF002 - Jan 8, 2016 \n5.2.0.4-P8CSS-IF001 - Jan 8, 2016 \n5.2.1.3-P8CPE-FP003 - Dec 4, 2015 \n5.2.1.3-P8CSS-FP003 - Dec 4, 2015 \nFileNet Business Process Manager| 4.5.1 \n5.0.0| PJ43555 \nPJ43565| 4.5.1.4-P8PE-IF009 - Jan 8, 2016 \n5.0.0.9-P8PE-IF002 - Jan 8, 2016 \nFileNet eProcess| 5.2.0| PJ43567| Contact L2 to request \n \nReleases available from Fix Central: <http://www.ibm.com/support/fixcentral/> \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:12:18", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T12:12:18", "id": "6306C96E0D0FE0166F8E0A01407C9DF11CC2812D121B155FBC919F0F579B40AE", "href": "https://www.ibm.com/support/pages/node/266957", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Java Runtime Versions 6 and 7 that is used by WebSphere eXtreme Scale. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION: **IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale 7.1.0 \n\nWebSphere eXtreme Scale 7.1.1\n\nWebSphere eXtreme Scale 8.5\n\nWebSphere eXtreme Scale 8.6\n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_WebSphere eXtreme Scale_| 7.1.0| _PI47397_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 7.1.1| _PI47381_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 8.5.0| _PI47381_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 8.6| _PI47381_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.8&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.8&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNo workaround exists. If you are running WebSphere eXtreme Scale standalone, apply the appropriate fix from the previous table. If you are running WebSphere eXtreme Scale clients or servers that are embedded in WebSphere Application Server, apply the appropriate fix for WebSphere Application Server, which is described here: **_<https://www-304.ibm.com/support/docview.wss?uid=swg21962931>_**\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-15T07:03:37", "id": "C9B888781533B96383252E3A65356A2BF2FA754CD8284F56EE37C98E45EF6EBD", "href": "https://www.ibm.com/support/pages/node/266329", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, that is used by IBM Security Guardium. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104733> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n8.2, 9x, 10\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n** IBM Security Guardium **| _ \n8.2 _| _ \nPSIRT 59380_| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_8.2p6015_SecurityUpdate&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_8.2p6015_SecurityUpdate&includeSupersedes=0&source=fc>) \n** IBM Security Guardium **| _ \n9.x_| _ \nPSIRT 59380_| \n[http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6015_SecurityUpdate&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6015_SecurityUpdate&includeSupersedes=0&source=fc>) \n** IBM Security Guardium **| _ 10_| _PSIRT 59380_| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_10.0p6015_SecurityUpdate&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_10.0p6015_SecurityUpdate&includeSupersedes=0&source=fc>) \n \n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:30:32", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-16T21:30:32", "id": "E577807B67AD7099C631EACF64A14A478E2F82254623EB50964BD0ABC183A89A", "href": "https://www.ibm.com/support/pages/node/265711", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:37:42", "description": "## Summary\n\nThere are unspecified vulnerabilities revealed in the July 2015 Java Critical Patch Update (CPU) which the IBM\u00ae FlashSystem\u2122 V840 are susceptible. An exploit of these vulnerabilities could allow a remote attacker to obtain sensitive information and which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n## Vulnerability Details\n\nThis bulletin covers the subset of Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update to which FlashSystem V840 is susceptible. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>) and the X-Force database entries referenced below. This bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition. \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n_FlashSystem V840 including machine type and models (MTMs) for all available code levels._ MTMs affected include 9846-AE1, 9848-AE1, 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1.\n\n## Remediation/Fixes\n\n_V840 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** \n9846-AE1 & \n9848-AE1 \n \n**Control nodes:** 9846-AC0, \n9846-AC1, \n9848-AC0, \n9848-AC1| _A code fix is now available, the VRMF of this code level is 1.3.0.3 (or later) for the storage enclosure nodes and 7.5.0.3 (or later) for the controller nodes._| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ \n \n \n**1.3.0.3** is available @ IBM\u2019s Fix Central **: **[**_V840 fixes, download 1.3.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=All&platform=All&function=all>) \n**7.5.0.3** is available @ IBM\u2019s Fix Central**: **[**_V840 fixes, download 7.5.0.3 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash+high+availability+systems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T00:10:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem V840 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-18T00:10:01", "id": "733CC23A433749116E7579F282166A83D89C19FDF6F4DA9DE4664CEFFD8F8235", "href": "https://www.ibm.com/support/pages/node/690695", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:52:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7.0.9.1 that is used by IBM Systems Director. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7.0.9.1 that is used by IBM Systems Director. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)\n\n**Description:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)\n\n**Description:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104733> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)\n\n**Description:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)\n\n**Description:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102967> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected products and versions\n\nFrom the IBM System Director command line enter **smcli lsver** to determine the level of IBM System Director installed.\n\nIBM Systems Director:\n\n * 5.2.x.x\n * 6.1.x.x\n * 6.2.0.x\n * 6.2.1.x\n * 6.3.0.0\n * 6.3.1.x\n * 6.3.2.x\n * 6.3.3.x\n * 6.3.5.0\n * 6.3.6.0\n\n## Remediation/Fixes:\n\nFor Releases 5.2.x.x, 6.1.x.x, 6.2.x.x, and 6.3.0.0 to 6.3.3.x IBM recommends upgrading to a fixed, supported version of the product.\n\nFollow the instructions mentioned under <http://www-947.ibm.com/support/entry/portal/support/> and search for Tech note **751406798** to apply the fix for releases:\n\n * 6.3.5.0\n * 6.3.6.0\n\n## Workarounds and Mitigations:\n\nNone\n\n## References:\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n02 October 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-31T02:10:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Systems Director (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2019-01-31T02:10:01", "id": "789F582CE21B28D7058FBE46F6D1A9AAA3817DFDAD8E3EF76DBC52A4F54577C6", "href": "https://www.ibm.com/support/pages/node/867956", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:46:59", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect\u2122 for Virtual Environments) and IBM Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect\u2122 Snapshot). These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability in Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following products and versions are affected: \n\n * Tivoli Storage Manager for Virtual Environments: Data Protection for VMware \n\\- 7.1.0.0 through 7.1.3.x \n\\- 6.4.0.0 through 6.4.3.0 \n\\- 6.3.0.0 through 6.3.2.4\n * Tivoli Storage FlashCopy Manager for VMware \n\\- 4.1.0.0 through 4.1.3.x \n\\- 3.2.0.0 through 3.2.0.5 \n\\- 3.1.0.0 through 3.1.1.2\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager for VE: Data Protection for VMware Release_**\n\n| **_First Fixing VRMF Level_**| **_ \n \nClient_** \n**_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n7.1| 7.1.4| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24041094> \n6.4| 6.4.3.1| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24041370> \n6.3| 6.3.2.5| Linux \nWindows| [http://www.ibm.com/support/docview.wss?uid=swg24037601](<http://www-01.ibm.com/support/docview.wss?uid=swg24037601>) \n \n**_Tivoli Storage \nFlashCopy Manager for VMware Release_**| **_ \nFirst Fixing VRMF Level_**| **_ \nClient_** \n**_Platform_**| **_ \n \nLink to Fix / Fix Availability Target_** \n---|---|---|--- \n4.1| 4.1.4| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24041139> \n3.2| 3.2.0.6| Linux| [Note that 3.2.0.6 is no longer available for download. You can download 3.2.0.9 to obtain the fix:ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/vmware/](<ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/vmware/>) \n3.1| 3.1.1.3| Linux| Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:14:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Storage Manger for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T15:14:21", "id": "E0633EE7ACE98817765D9897540C48F8ECE3E12C872BD61974C63425FBBC9716", "href": "https://www.ibm.com/support/pages/node/274807", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:37:42", "description": "## Summary\n\nThere are unspecified vulnerabilities revealed in the July 2015 Java Critical Patch Update (CPU) which the IBM\u00ae FlashSystem\u2122 V9000 are susceptible. An exploit of these vulnerabilities could allow a remote attacker to obtain sensitive information and which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n## Vulnerability Details\n\nThis bulletin covers the subset of Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update to which FlashSystem V9000 is susceptible. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>) and the X-Force database entries referenced below. This bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition. \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFlashSystem V9000 including machine type and models (MTMs) for all available code levels. MTMs affected include 9846-AC2 and 9848-AC2. \n\n## Remediation/Fixes\n\nYou should verify that applying this fix does not cause any compatibility issues.\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**V9000 MTMs:** \n9846-AE2, \n9848-AE2, \n9846-AC2, \n9848-AC2| _A code fix is now available, the VRMF of this code level is 7.5.1.1 (or later) for both the storage enclosure nodes (-AEx) and the control nodes (-ACx)_| _ __N/A_| _No workarounds or mitigations, other than applying this code fix, are known for this vulnerability_ \n \n \n**7.5.1.1** is available @ IBM\u2019s Fix Central**: **[**_V9000 fixes, download 7.5.1.1 or later_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T00:10:00", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem V9000 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-18T00:10:00", "id": "8D8EBB96102ED70014CA0DB0DA7106AFC6650D58DE6ADEA478C1B97C31176584", "href": "https://www.ibm.com/support/pages/node/690693", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:46", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21962931>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrinciple Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server Network Deployment V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server Network Deployment V8.0 \nWebSphere Service Registry and Repository V7.5| WebSphere Application Server Network Deployment V7.0 \nWebSphere Service Registry and Repository V7.0| WebSphere Application Server Network Deployment V7.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:03:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-15T07:03:43", "id": "1EFD60B117FB1476DA261B1115B8E0585DDEAAEEEF51E0B42B01CD05D8D98B6A", "href": "https://www.ibm.com/support/pages/node/268663", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:54:46", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Java Runtime Version 7 that is used by WebSphere DataPower XC10 Appliance Versions 2.1 and 2.5. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION: **IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance Version 2.1.0 \nWebSphere DataPower XC10 Appliance Version 2.5.0\n\n## Remediation/Fixes\n\nApply an interim fix, according to the table below.** **Interim fixes are associated with the original APAR that is documented in the table. Because these APAR references might be updated to more recent APARs, see the links in the table for the most recent interim fix information. \n \n\n\n_Product_| _Version_| _APAR_| _Link to interim fix_ \n---|---|---|--- \nWebSphere DataPower XC10 Appliance V2.1 on appliance 9235-92X| 2.1.0| IT10764| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.1 on appliance 7199-92X| 2.1.0| IT10764| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.5 on appliance 7199-92X \n| Version 2.5.0 with SSD drivers ** \nImportant**: See More Information link and follow instructions to determine if you have an old or newer SSD driver on your appliance using the show ssd-version command.| IT10764| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.5 virtual image| 2.5.0| IT10764| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nThere is no workaround. The interim fix must be applied to correct the problem.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:37", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities exist in the IBM SDK, Java Technology Edition provided with WebSphere DataPower XC10 Appliance", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-15T07:03:37", "id": "A503CDB7A18AC813B87DF34B0BC9324C0129ECD992270889D16D9A29AFB0B9C6", "href": "https://www.ibm.com/support/pages/node/266331", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:31", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 1 and earlier releases that is used by IBM MQ Light. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThe vulnerabilities affect users of IBM MQ Light V1.0 and V1.0.1 on all platforms.\n\n## Remediation/Fixes\n\nDownload and install the latest MQ Light Server appropriate for your platform from [_https://developer.ibm.com/messaging/mq-light/_](<https://developer.ibm.com/messaging/mq-light/>). \n \nThe following link describes how to re-use the data from your existing installation: _ \n_[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm _](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>).\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-15T07:04:21", "id": "CCC2D4B1A3B4220DE1D629024042B8E0DADEB060E0C94801FC909E6317A73763", "href": "https://www.ibm.com/support/pages/node/273317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:47:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is used by eDiscovery Analyzer. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n** \nCVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n \nIBM eDiscovery Analyzer Version 2.2 \nIBM eDiscovery Analyzer Version 2.2.1 \nIBM eDiscovery Analyzer Version 2.2.2\n\n## Remediation/Fixes\n\n \nFor version 2.2.2.2, apply the available fix as soon as practical. Contact IBM Support if you are using versions 2.2 or 2.2.1. \n\nGo to Fix Central for [eDiscovery Analyzer](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=All&platform=All&function=all>), and install the fix applicable to the version that you have installed and your platform.\n\n \n2.2.2.2 Interim Fix 2 \n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:12:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect eDiscovery Analyzer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T12:12:00", "id": "E613835736670FB1968C3C6B79998927CD473DD1455F2D9C369EB4D23D4A42FB", "href": "https://www.ibm.com/support/pages/node/534989", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:49:11", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server, which is needed for the RequisiteWeb component of Rational RequisitePro. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational RequisitePro versions: \n\n\n**Version**\n\n| \n\n**Status** \n \n---|--- \n \n7.1.4.x (all versions)\n\n| \n\nAffected \n \n7.1.3.x (all versions)\n\n| \n\nAffected \n \n7.1.2.x (all versions)\n\n| \n\nAffected \n \n7.1.1.x (all versions)\n\n| \n\nAffected \n \n## Remediation/Fixes\n\nReview [Security Bulletin 1962931](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) from WebSphere Application Server for instructions on upgrading your corresponding WebSphere Application Server installation with the IBM Java SDK fix. \n\nFor 7.1.1.x and 7.1.2.x, review [Document 1390803](<http://www-01.ibm.com/support/docview.wss?uid=swg21390803>) for instructions on how to apply updates for WebSphere Application Server.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:04:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect Rational RequisitePro", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T05:04:59", "id": "D897D60D6AEA2BE79C64FC9EE3E394FF2AFF6881EBD8B1A550AA35BFEEDF4F35", "href": "https://www.ibm.com/support/pages/node/535519", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 5.0 , Version 6.0 and Version 7.0 that is used by Security Directory Integrator. Some of these issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Directory Integrator 6.1.1 \nIBM Tivoli Directory Integrator 7.0.0 \nIBM Tivoli Directory Integrator 7.1.0 \nIBM Tivoli Directory Integrator 7.1.1 \nIBM Security Directory Integrator 7.2.0\n\n## Remediation/Fixes\n\nAffected Products and Versions\n\n| Fix availability \n---|--- \nTDI 6.1.1| [7.0.0-TIV-TDI-LA0025](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Directory+Integrator&fixids=7.0.0-TIV-TDI-LA0025_50SR16FP13&source=SAR>) \nTDI 7.0| [7.0.0-TIV-TDI-LA0025](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Directory+Integrator&fixids=7.0.0-TIV-TDI-LA0025_50SR16FP13&source=SAR>) \nTDI 7.1| [7.1.1-TIV-TDI-LA0028](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Directory+Integrator&fixids=7.1.1-TIV-TDI-LA0028_60SR16FP7&source=SAR>) \nTDI 7.1.1| [7.1.1-TIV-TDI-LA0028](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Directory+Integrator&fixids=7.1.1-TIV-TDI-LA0028_60SR16FP7&source=SAR>) \nSDI 7.2| [7.2.0-ISS-SDI-LA0009](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FSecurity+Directory+Integrator&fixids=7.2.0-ISS-SDI-LA0009-70SR9FP10&source=SAR>) \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:31:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-16T21:31:52", "id": "D95EDF686012146F9A7732CD200C406F0E6F482FDC403311570CBF33C3E29E71", "href": "https://www.ibm.com/support/pages/node/270317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:47:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that is used by IBM Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n\n\n**CVEID:** [_CVE-2015-2601 \n_](<https://vulners.com/cve/CVE-2015-2601>)**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Content Collector for SAP Applications V4.0 \nIBM Content Collector for SAP Applications V3.0 \nIBM Content Collector for SAP Applications V2.2\n\n## Remediation/Fixes\n\nIBM provides patches for the affected version. Follow the installation instructions in the README files that is included in the patch. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Content Collector for SAP Applications| 2.2.0| HE12378| Apply JRE update 2.2.0.2-ICCSAP-Server-JRE-6.0.16.7, and 2.2.0.2-ICCSAP-Client-JRE-6.0.16.7, which are available from Fix Central \nIBM Content Collector for SAP Applications| 3.0.0| HE12379| Apply JRE update 3.0.0.2-ICCSAP-Server-JRE-7.0.9.10, and 3.0.0.2-ICCSAP-Client-JRE-7.0.9.10, which are available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24040524>. \nIBM Content Collector for SAP Applications| 4.0.0| HE12380| Apply JRE update 4.0.0.0-ICCSAP-Base-JRE-7.0.9.10, which is available from Fix Central \nFor the download details, see <http://www.ibm.com/support/docview.wss?uid=swg24040525>. \n \n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:12:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 affect IBM Content Collector for SAP Applications (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T12:12:02", "id": "D09DEA3E3E7C2010B3644051810CABA5FBB96CA2095DD04ECE9D96E46F46F3B0", "href": "https://www.ibm.com/support/pages/node/535239", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:53:50", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version Version 6 Service Refresh 16 Fix Pack 5, IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 1, IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 1 that are used by IBM SPSS Modeler. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SPSS Modeler 14.2 FP3 IF025 and earlier \n\nIBM SPSS Modeler 15 FP3 IF013 and earlier\n\nIBM SPSS Modeler 16 FP2 IF006 and earlier\n\nIBM SPSS Modeler 17 FP1 IF006 and earlier\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM SPSS Modeler| 14.2.0.3| PI49015| [SPSS Modeler 14.2 Fix Pack 3 Interim Fix 026](<http://www-01.ibm.com/support/docview.wss?uid=swg24040636>) \nIBM SPSS Modeler| 15.0.0.3| PI49015| [SPSS Modeler 15.0 Fix Pack 3 Interim Fix 014](<http://www-01.ibm.com/support/docview.wss?uid=swg24040637>) \nIBM SPSS Modeler| 16.0.0.2| PI49015| [SPSS Modeler 16.0 Fix Pack 2 Interim Fix 007](<http://www-01.ibm.com/support/docview.wss?uid=swg24040638>) \nIBM SPSS Modeler| 17.0.0.1| PI49015| [SPSS Modeler 17.0 Fix Pack 1 Interim Fix 007](<http://www-01.ibm.com/support/docview.wss?uid=swg24040639>) \n \n## Workarounds and Mitigations\n\nNone \n \n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/hu/z/solutions/enterprise-security.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T13:36:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SPSS Modeler (CVE-2015-2625, CVE-2015-1931, CVE-2015-2613, CVE-2015-2601)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-16T13:36:20", "id": "66570208F5EE267DEA492B2E7CE7C2A1B5F4C0D935DA4A223B1B1CF1DEE9AD6C", "href": "https://www.ibm.com/support/pages/node/537221", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:53:14", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3 and 11.5\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server| 11.5| JR53962 \n| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR53962_ISF_services_engine_*>) \nInfoSphere Information Server| 11.3| JR53962 \n| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR53962_ISF_services_engine_*>) \nInfoSphere Information Server| 9.1| JR53962 | \\--Apply [_JR53962_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR53962_ISF_services_engine*>) on all tiers \nInfoSphere Information Server| 8.7| JR53962 | \\--Apply IBM InfoSphere Information Server version [_8.7 Fix Pack 2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>) \n\\--Apply [_JR53962_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_JR53962_ISF_services_engine*>) on all tiers \nInfoSphere Information Server| 8.5| JR53962 | \\--Apply IBM InfoSphere Information Server version [_8.5 Fix Pack 3_](<http://www-01.ibm.com/support/docview.wss?uid=swg24033513>) \n\\--Apply [_JR53962_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8503_JR53962_ISF_services_engine*>) on all tiers \n \nFor IBM InfoSphere Information Server version 8.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T14:07:55", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server (CVE-2015-1931 CVE-2015-2601 CVE-2015-2613 CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-16T14:07:55", "id": "D82EBD1B2B4E451563D580F2F62E2D369C6453191D7884FD9A929F99ECF9C15B", "href": "https://www.ibm.com/support/pages/node/535805", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:37:41", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDKs Java\u2122 Technology Edition, Versions 5, 6 and 7, that are used by IBM Virtualization Engine TS7700. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAll versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. All versions of R3.0 and R3.1 are also affected. In addition, microcode versions of releases R2.1, R3.2, and R3.3 prior to and including the following are also affected: \n\nRelease\n\n| Version \n---|--- \nR3.3| 8.33.0.45 \nR3.2| 8.32.2.1 \nR2.1| 8.21.0.178 \n \n## Remediation/Fixes\n\nContact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.213, vtd_exec.214, vtd_exec.215, and vtd_exec.235 as needed. Minimum microcode levels are shown below: \n\nRelease\n\n| Fix \n---|--- \nR3.3| Upgrade to 8.33.0.45 or later + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 + vtd_exec.235 \nR3.0, R3.1, or R3.2| Upgrade to 8.32.2.1 or later + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 + vtd_exec.235 \nR2.1| Upgrade to 8.21.0.178 or later + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 + vtd_exec.235 \nOlder Releases| Upgrade to 8.21.0.178 or later + vtd_exec.213 + vtd_exec.214 + vtd_exec.215 + vtd_exec.235 \n \nPlease note that vtd_exec packages carry their own internal version numbers. For the vulnerabilities reported in this Security Bulletin, the minimum required vtd_exec versions are as follows: Package| Version \n---|--- \nvtd_exec.213| 1.08 \nvtd_exec.214| 1.08 \nvtd_exec.215| 1.08 \nvtd_exec.235| 1.08 \n \n## Workarounds and Mitigations\n\nAlthough IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate the risk of these vulnerabilities by restricting physical and network access to the TS7700 to authorized users and IBM Service Personnel only.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T00:10:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - July 2015", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-18T00:10:08", "id": "1FD49578D53C0B28622BA402E5A53FB04A72241E6530B063CD1AAADE9E5BF317", "href": "https://www.ibm.com/support/pages/node/690717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:41:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 5 and 6 that are used by IBM Rational ClearQuest. These issues were disclosed as part of the IBM Java SDK updates in April 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x, 8.0.1.x, in the following components: \n\n\n * ClearQuest Server components, when configured to use SSL, such as the Web Server, FTS server and Reporting server.\n * ClearQuest Eclipse clients that use Report Designer, run remote reports on servers using secure connections, or use the embedded browser to connect to secure web sites.\n\n**ClearQuest version**\n\n| \n\n**Status** \n \n---|--- \n \n8.0.1 through 8.0.1.9\n\n| \n\nAffected \n \n8.0 through 8.0.0.16\n\n| \n\nAffected \n \n7.1.0.x, 7.1.1.x, 7.1.2.x (all versions and fix packs)\n\n| \n\nAffected \n \n## Remediation/Fixes\n\nThe solution is to install a fix that includes an updated Java\u2122 Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS). \n \n**ClearQuest Eclipse client**** fixes**\n\nThe solution is to update to the latest fix pack. \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n \n8.0.1 through 8.0.1.9\n\n| Install [Rational ClearQuest Fix Pack 10 (8.0.1.10) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24041281>). \n \n8.0 through 8.0.0.16\n\n| Install [Rational ClearQuest Fix Pack 17 (8.0.0.17) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24041279>). \n \n7.1.2.x (all fix packs) \n7.1.1.x (all fix packs) \n7.1.0.x (all fix packs)\n\n| Customers on extended support contracts should contact Rational Customer Support \n**ClearQuest Server components**\n\n 1. Determine the WAS version used by your ClearQuest server. Navigate to the ClearQuest profile directory (either the profile you specified when installing ClearQuest, or `<SDLC-home>/ClearQuest/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Review the following WAS security bulletin:\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2015 CPU](<http://www.ibm.com/support/docview.wss?uid=swg21962931>)\n\nand apply the fixes for the version of WAS used for ClearQuest Web.\n\n \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x| Apply the appropriate WebSphere Application Server fix directly to your CQ server host. No ClearQuest-specific steps are necessary. \n7.1.2.x (all fix packs) \n7.1.1.x (all fix packs) \n7.1.0.x (all fix packs)| Customers on extended support contracts should contact customer support. \n_For 7.1.x, 7.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-07-10T08:34:12", "id": "CC751804DD5AF51B454989BC575924F772D2A5BCBD27C03FD1D5BE72EB25690A", "href": "https://www.ibm.com/support/pages/node/274171", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:44", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Remediation/Fixes\n\nFor all releases of WebSphere Service Registry and Repository Studio, upgrade to WebSphere Service Registry and Repository Studio V8.5.6.0. \n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:44", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities identified in IBM\u00ae Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-15T07:03:44", "id": "EE42DAE3440E861A31373F326B88BD0B596A1BF022DC104C863D03EA937F0882", "href": "https://www.ibm.com/support/pages/node/270333", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T18:17:27", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM SAN Volume Controller and Storwize Family. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \n \nAll products are affected when running supported releases 1.1 to 7.5 except for versions 7.3.0.12, 7.4.0.6 and 7.5.0.3 and above.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code level or higher: \n \n7.3.0.12 \n7.4.0.6 \n7.5.0.3 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller and Storwize Family (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2023-03-29T01:48:02", "id": "FE8DF87C57D3484949C7E11D37DE0287686A351A962B34668F63D303D9546FB1", "href": "https://www.ibm.com/support/pages/node/690731", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:52:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nIBM Security SiteProtector System 3.0 and 3.1.1\n\n## Remediation/Fixes\n\nApply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view: \n \n**For SiteProtector 3.0:** \n \nSiteProtector Core Component: ServicePack3_0_0_8a.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_0_0_7.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_48.xpu \n \n \n**For SiteProtector 3.1.1:** \n \nSiteProtector Core Component: ServicePack3_1_1_3a.xpu \nEvent Collector Component: RSEvntCol_WINNT_ST_3_1_1_3.xpu \nAgent Manager Component: AgentManager_WINNT_XXX_ST_3_1_1_18.xpu \nUpdate Server Component: UpdateServer_3_1_1_3.pkg \nEvent Archiver Component: EventArchiver_3_1_1_3.pkg \nEvent Archiver Importer Component: EventArchiverImporter_3_1_1_3.zip \nManual Upgrader Component: MU_3_1_1_4.xpu \n \nThese updates are also available to be manualy downloaded from the IBM Security License Key and Download Center at [_https://ibmss.flexnetoperations.com/service/ibms/login_](<https://ibmss.flexnetoperations.com/service/ibms/login>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:30:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2015-2601, CVE-2015-2613 and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613"], "modified": "2018-06-16T21:30:24", "id": "CDDA128A0A45D4CA4ECD0735D8B10027814497D1D702CE3D1D8E1A772CEC1F54", "href": "https://www.ibm.com/support/pages/node/537213", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:37:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0 SR16 FP5 that is used by Rational Synergy. These issues were disclosed as part of the IBM Java SDK updates in July and October 2015. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\n\u00b7 Rational Synergy release 7.2.1.4 ifix01 or earlier. \n\u00b7 Rational Synergy release 7.2.0.7 ifix01 or earlier.\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nRational Synergy| 7.2.0.x and 7.2.1.x| Replace the JRE used in Rational Synergy. \n \n**Steps to download and replace JRE in Rational Synergy:** \n1\\. Open the list of [_Synergy downloads on Fix Central_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Synergy&release=All&platform=All&function=all&source=fc>) \n2\\. Select the SDK and Readme for Rational Synergy which applied to your release as follows: \n \n**Note:** The fix will use the following naming convention: \n**_<V.R.M.F>_** _-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-_ **_<platform>_** ** \n \n**Where **<V.R.M.F> = release **& **<platform> = operating system** \n \no Rational Synergy 7.2.1 (uses 7.2.1.4 release designation) \nExample: **7.2.1.4-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-Linux** \n \no Rational Synergy 7.2.0 (uses 7.2.0.7 release designation) \nExample: **7.2.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-Windows** \n \n3\\. Follow the steps in the [_Install instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27042896>) to replace the JRE. \n \n_For Rational Synergy 7.1.0.x IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n \n**To verify if Synergy has JRE version to address these security vulnerabilities**:- \nOpen a command prompt ** \nUnix**:- \nGo to $CCM_HOME/jre/bin folder \nExecute ./java -version \n** \nWindows**:- \nGo to %CCM_HOME%\\jre\\bin folder \nExecute java -version \n \nIf in the output version is greater than SR16 FP15 or if it is SR16 FP15, It implies the run area has jre version that addresses these security vulnerabilities. \n \n**Example**:- \nJava(TM) SE Runtime Environment (build pwi3260sr16fp15-20151106_01(SR16 FP15)) \nIBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr16fp15-20 \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-22T16:37:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2020-12-22T16:37:26", "id": "6C3276D773A29D1F10A39BA6B166184CEB01561E7FE5829CB3D29DBDA9328964", "href": "https://www.ibm.com/support/pages/node/275265", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:57:32", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in July 2015. These may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition. \n\n\n## Vulnerability Details\n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update and additional vulnerabilities which affect IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. \n\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.6, Version 8.0.0.0 through 8.0.0.11, Version 7.0.0.0 through 7.0.0.37, Version 6.1.0.0 through 6.1.0.47 \n\n * This _does not occur_ on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.7, 8.0.0.12 and 7.0.0.39 or later. \n\n## Remediation/Fixes\n\nDownload and apply the interim fix APARs below, for your appropriate release \n\n**For V8.5.0.0 through 8.5.5.6 Liberty Profile:**\n\nUpgrade to WebSphere Application Server Liberty Profile Fix Packs as noted below or later fix pack level and apply one of the interim fixes below: \n\n * Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix [PI45818](<http://www-01.ibm.com/support/docview.wss?uid=swg24040429>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040396>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039668>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039304>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038812>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038093>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037708>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036967>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036505>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035398>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034998>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034447>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 \n * Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix [PI45305](<http://www-01.ibm.com/support/docview.wss?uid=swg24040406>):[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040156>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24039958>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039665>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039312>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038810>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038089>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037534>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037709>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>)Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 \n * Upgrade to WebSphere Application server Liberty Profile Fix Pack 8.5.5.2 or later then apply Interim Fix [PI45303](<http://www-01.ibm.com/support/docview.wss?uid=swg24040407>): [](<http://www-01.ibm.com/support/docview.wss?uid=swg24040157>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039961>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039687>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039311>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038809>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038165>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>) Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3[](<http://www-01.ibm.com/support/docview.wss?uid=swg24033359>) Fix Pack 10 \n * Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix [PI45300](<http://www-01.ibm.com/support/docview.wss?uid=swg24040415>):[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040158>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039668>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039304>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038812>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038093>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037708>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24036967>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036505>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035398>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034998>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034447>)Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 10 \n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 7 (8.5.5.7) or later. \n** \nFor V8.5.0.0 through 8.5.5.6 Full Profile:**\n\nUpgrade to WebSphere Application Server Full Profile Fix Pack 8.5.5.1 or later then apply one of the interim fixes below: \n\n * Apply Interim Fix [PI45306](<http://www-01.ibm.com/support/docview.wss?uid=swg24040396>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040154>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039957>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039651>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039294>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038811>): [](<http://www-01.ibm.com/support/docview.wss?uid=swg24038091>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036965>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036506>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035399>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034999>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034798>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034589>)Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 (required) \n * Apply Interim Fix [PI45305](<http://www-01.ibm.com/support/docview.wss?uid=swg24040406>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040156>): [](<http://www-01.ibm.com/support/docview.wss?uid=swg24039958>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039665>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039312>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038810>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038089>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037534>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037709>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>)Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 (optional) \n * Apply Interim Fix [PI45303](<http://www-01.ibm.com/support/docview.wss?uid=swg24040407>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040157>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039961>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039687>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039311>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038809>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038165>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036966>)[](<http://www.ibm.com/support/docview.wss?uid=swg24036508>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035400>)[](<http://www.ibm.com/support/docview.wss?uid=swg24035008>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034806>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034592>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10[](<http://www-01.ibm.com/support/docview.wss?uid=swg24033359>) (optional)\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 7 (8.5.5.7) or later.\n \n** \nFor V8.0.0.0 through 8.0.0.11:**\n\nUpgrade to WebSphere Application Server Fix Pack 8.0.0.7 or later then apply the interim fix below: \n\n * Apply Interim Fix [PI45308](<http://www-01.ibm.com/support/docview.wss?uid=swg24040409>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040159>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039668>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039304>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038812>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038093>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037708>): [](<http://www-01.ibm.com/support/docview.wss?uid=swg24036967>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036505>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035398>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034998>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034447>)Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 [](<http://www-01.ibm.com/support/docview.wss?uid=swg24033359>)Fix Pack 7\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 12 (8.0.0.12) or later.\n** \nFor V7.0.0.0 through 7.0.0.37:**\n\nUpgrade to WebSphere Application Server Fix Pack 7.0.0.31 or later then apply the interim fix below: \n\n * Apply Interim Fix [PI45309](<http://www-01.ibm.com/support/docview.wss?uid=swg24040395>):[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038816>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038094>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037515>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036968>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24036504>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035397>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034997>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034443>) Will upgrade you to IBM SDK, Java Technology Edition, Version 6 Service Refresh 16[](<http://www-01.ibm.com/support/docview.wss?uid=swg24033359>) Fix Pack 7\n**\\--OR--**\n\n * Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 39 (7.0.0.39) or later.\n** \nFor V6.1.0.0 through 6.1.0.47:**\n\nUpgrade to WebSphere Application Server Fix Pack 6.1.0.47 \n\n * Then apply Interim Fix [PI45311](<http://www-01.ibm.com/support/docview.wss?uid=swg24040400>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040182>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037458>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035396>)[](<http://www.ibm.com/support/docview.wss?uid=swg24034996>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24034418>): Will upgrade you to IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 13\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2015 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-15T07:03:26", "id": "9A9D8E5C20DD91466612FF62A4BC7BFD968871BD0E04153578FAF37A6010E34A", "href": "https://www.ibm.com/support/pages/node/533271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:15", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by the Enterprise Common Collector (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring). These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>) \n**DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nEnterprise Common Collector 1.1.0 (a component of IBM Tivoli zEnterprise Monitoring Agent, a component of IBM Tivoli Monitoring v6.2.3 and v6.3.0)\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Operating System_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Tivoli zEnterprise Monitoring Agent (Enterprise Common Collector v1.1.0 component) \n\n| \n\nv6.2.3\n\n| AIX\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-AIX-IF0007&includeSupersedes=0>) \n \nLinux\u00ae on System z\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxz-IF0007&includeSupersedes=0>) \n \nLinux\u00ae on Intel\u00ae 32-bit| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx32-IF0007&includeSupersedes=0>) \n \nLinux\u00ae on Intel\u00ae 64-bit| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Linuxx64-IF0007&includeSupersedes=0>) \n \n32-bit Windows\u00ae| \n\n[_Fix Central link_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows32-IF0007&includeSupersedes=0>) \n \n64-bit Windows\u00ae| \n\n[_Fix Central link_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Tivoli%2BComposite%2BApplication%2BManager&product=ibm/Tivoli/IBM+Tivoli+Monitoring&release=All&platform=All&function=fixId&fixids=1.1.0.5-TIV-ITM-ECC-JRE-Windows64-IF0007&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:07:56", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-4760, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 )", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4760"], "modified": "2018-06-17T15:07:56", "id": "D0BA42DADC453F8DEBC9090E60B30D016C450C1F08701752D15C3CE2088BA12B", "href": "https://www.ibm.com/support/pages/node/534739", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:38:34", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 1.6 and 1.7 that are used by IBM SPSS Statistics. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nIBM SPSS Statistics 19.0.0.2 \nIBM SPSS Statistics 20.0.0.2 \nIBM SPSS Statistics 21.0.0.2 \nIBM SPSS Statistics 22.0.0.2 \nIBM SPSS Statistics 23.0.0.0\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM SPSS Statistics| 19.0.0.2| [_PI48627_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI48627>)| Install [_Statistics 19 FP002-IF004_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=19.0.0.2&platform=All&function=aparId&apars=PI48627>) \nIBM SPSS Statistics| 20.0.0.2| [_PI48627_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI48627>)| Install [_Statistics 20 FP002 IF006_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=20.0.0.2&platform=All&function=aparId&apars=PI48627>) \nIBM SPSS Statistics| 21.0.0.2| [_PI48627_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI48627>)| Install [_Statistics 21 FP002 IF008_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=aparId&apars=PI48627>) \nIBM SPSS Statistics| 22.0.0.2| [_PI48627_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI48627>)| Install [_Statistics 22 FP002 IF006_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=aparId&apars=PI48627>) \nIBM SPSS Statistics| 23.0.0.0| [_PI48627_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI48627>)| Install [_Statistics 23 FP002_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-16T07:59:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics: CVE-2015-1932, CVE-2015-2601, CVE-2015-2613, CVE-2015-2625", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-1932", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2020-04-16T07:59:29", "id": "8B947D236A9EE7188BF963550863337D511A26D44C0D348CAB1E7D02E27B5D9D", "href": "https://www.ibm.com/support/pages/node/265863", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:19", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Network Manager IP Edition . Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\n[ Please consult the security bulletin http://www-01.ibm.com/support/docview.wss?uid=swg21962931](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) for vulnerability details and information about fixes \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Network Manager 3.8| Bundled the TIP version 1.1.1.x, which bundles IBM WebSphere version 6.1.0.x. \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x, which bundles IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1 and 4.1.1| Bundled the TIP version 2.2.0.x, which bundles IBM WebSphere version 7.0.0.x. \n \n## ", "cvss3": {}, "published": "2018-06-17T15:07:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Network Manager IP Edition (CVE-2015-2613,\nCVE-2015-2601,CVE-2015-4749,CVE-2015-2625 and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-17T15:07:29", "id": "0E05CCAA07089D5DAFFCD10AD6B9E596F441C902C37C1CB56A717E8D9344263D", "href": "https://www.ibm.com/support/pages/node/534007", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:54:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition that is used by IBM Integration Designer and WebSphere Integration Developer. These issues were disclosed as part of the IBM Java SDK updates for October 2015 and in the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Integration Designer and WebSphere Integration Developer.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix (JR54736) is required for the following product versions: \n\n\n * [WebSphere Integration Developer V7.0.0.x](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Integration+Developer&fixids=7.0.0.5-WS-IID-IFJR54736>)\n * [IBM Integration Designer V7.5.1.2](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=7.5.1.2-WS-IID-IFJR54736>)\n * [IBM Integration Designer V8.0.1.3](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.0.1.3-WS-IID-IFJR54736>)\n * [IBM Integration Designer V8.5.0.1](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.0.1-WS-IID-IFJR54736>)\n * [IBM Integration Designer V8.5.5.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.5.0-WS-IID-IFJR54736>)\n * [IBM Integration Designer V8.5.6.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.6.0-WS-IID-IFJR54736>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2018-06-15T07:04:24", "id": "936FB2EE9030DCE6970D63C2F1FACFD714A5CC9216C71CB8245A9C21B2CCE55A", "href": "https://www.ibm.com/support/pages/node/273425", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:27", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version JAVA 7 and JAVA 6 that is used by WebSphere Cast Iron. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere Cast Iron v 7.5.0.x, \nWebSphere Cast Iron v 7.0.0.x, \nWebSphere Cast Iron v 6.4.0.x \nWebSphere Cast Iron v 6.3.0.x \nWebSphere Cast Iron v 6.1.0.x\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nCast Iron Appliance| 7.5.*| LI78725| [iFix 7.5.0.1-CUMUIFIX-001](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=7.5.0.1&platform=All&function=fixId&fixids=7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.scrypt2,7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.vcrypt2,7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.32bit.sc-linux,7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.32bit.sc-win,7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.sc-linux,7.5.0.1-WS-WCI-20151203-0654_H7_64-CUMUIFIX-001.sc-win,7.5.0.1-WS-WCI-20151203-0715_H8_64-CUMUIFIX-001.32bit.studio,7.5.0.1-WS-WCI-20151203-0715_H8_64-CUMUIFIX-001.studio&includeSupersedes=0>) \nCast Iron Appliance| 7.0*| LI78725| [iFix 7.0.0.2-CUMUIFIX-021](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=7.0.0.2&platform=All&function=fixId&fixids=7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.scrypt2,7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.vcrypt2,7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.32bit.sc-linux,7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.32bit.sc-win,7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.sc-linux,7.0.0.2-WS-WCI-20151119-0626_H7_64-CUMUIFIX-021.sc-win,7.0.0.2-WS-WCI-20151119-0724_H12_64-CUMUIFIX-021.32bit.studio,7.0.0.2-WS-WCI-20151119-0724_H12_64-CUMUIFIX-021.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.4.0.x| LI78725| [iFix 6.4.0.1-CUMUIFIX-033](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.4.0.1&platform=All&function=fixId&fixids=6.4.0.1-WS-WCI-20151124-1557_H4-CUMUIFIX-033.scrypt2,6.4.0.1-WS-WCI-20151124-1557_H4-CUMUIFIX-033.vcrypt2,6.4.0.1-WS-WCI-20151124-1557_H3-CUMUIFIX-033.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.3.0.x| LI78725| [iFix 6.3.0.2-CUMUIFIX-018](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.3.0.2&platform=All&function=fixId&fixids=6.3.0.2-WS-WCI-20151204-0447_H4-CUMUIFIX-018.scrypt2,6.3.0.2-WS-WCI-20151204-0447_H4-CUMUIFIX-018.vcrypt2,6.3.0.2-WS-WCI-20151204-0447_H3-CUMUIFIX-018.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.1.0.x| LI78725| [iFix 6.1.0.15-CUMUIFIX-024](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.1.0.15&platform=All&function=fixId&fixids=6.1.0.15-WS-WCI-20151210-0949_H5-CUMUIFIX-024.scrypt2,6.1.0.15-WS-WCI-20151210-0949_H5-CUMUIFIX-024.vcrypt2,6.1.0.15-WS-WCI-20151210-0949_H4-CUMUIFIX-024.studio&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:27", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron(CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-15T07:04:27", "id": "F7437D0AD9F530995E25E248E671C3F2C4BD740237FA6625D3979B04D752C108", "href": "https://www.ibm.com/support/pages/node/274013", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM Image Construction and Composition Tool. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Image Construction and Composition Tool v2.3.2.0 \nIBM Image Construction and Composition Tool v2.3.1.0 \nIBM Image Construction and Composition Tool v2.2.1.3 \n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Image Construction and Composition Tool version fixes. \n \n \n\u00b7 For IBM Image Construction and Composition Tool v2.3.2.0 \nIBM Image Construction and Composition Tool v2.3.2.0 Build 21 \n \n[\u00b7 __http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_IM_Repository_2.3.2.0-21&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_IM_Repository_2.3.2.0-21&includeRequisites=1&includeSupersedes=0>) \n \n[\u00b7 __http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-21&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-21&includeRequisites=1&includeSupersedes=0>) \n \n\u00b7 For IBM Image Construction and Composition Tool v2.3.1.0 \nIBM Image Construction and Composition Tool v2.3.1.0 Build 44 \n \n[\u00b7 __http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_IM_Repository_2.3.1.0-44&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_IM_Repository_2.3.1.0-44&includeRequisites=1&includeSupersedes=0>)_ _ \n_ _ \n[\u00b7 __http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-44&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-44&includeRequisites=1&includeSupersedes=0>) \n \n\u00b7 For IBM Image Construction and Composition Tool v2.2.1.3 \nContact IBM support for upgrade options. \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:19", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Image Construction and Composition Tool. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000"], "modified": "2018-06-15T07:04:19", "id": "32E92A6481805BA68ACC511BAB87E407FC3E1923CBFC0C98828FADD46A9C2827", "href": "https://www.ibm.com/support/pages/node/273159", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:36:54", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Global Name Management. A security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM InfoSphere Global Name Management 5.0, bundling WebSphere Application Server 8.0\n\n## Remediation/Fixes\n\nSee WebSphere Application Server Security Bulletin for more information.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-04-20T17:04:55", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Global Name Management 5.0 ( CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2022-04-20T17:04:55", "id": "A8E25F179899636EEDE5DB4C058CFBD12CD3D86BBB997818FC67DC2C6EBEB885", "href": "https://www.ibm.com/support/pages/node/533997", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:38:18", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDKs Java\u2122 Technology Edition, Versions 7 and 8 that is used by IBM Rational Software Architect, IBM Rational Software Architect for WebSphere Software and IBM Rational Software Architect RealTime. These issues were disclosed as part of the IBM Java SDK updates in July and Oct 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime: Ver 8.5 through 9.5\n\n## Remediation/Fixes\n\n**_Product_**\n\n| \n\n**_VRMF_** | \n\n**_Remediation/First Fix_** \n---|---|--- \nRational Software Architect (RSA) \n| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSA-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect for WebSphere Software (RSA4WS)| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect RealTime (RSART)| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+RealTime+Edition&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSART-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect (RSA) \n| 8.5 to 8.5.5.4, \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect for WebSphere Software (RSA4WS)| 8.5 to 8.5.5.4, \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect RealTime (RSART)| 8.5 to 8.5.1 \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+RealTime+Edition&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSART-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \n \n**Installation Instructions:** \n \nFor instructions on installing this update using Installation Manager, review the topic [Updating Installed Product Packages](<http://www.ibm.com/support/knowledgecenter/SS8PJ7_9.1.0/com.ibm.xtools.installation.rsaws.doc/topics/t_update.html>) in the IBM Knowledge Center. \n \n**Instructions to download and install the update from the compressed files:** \n\n\n 1. Download the update files from Fix Central by following the link listed in the download table above \n \n\n 2. Extract the compressed files in an appropriate directory. \n \nFor example, choose to extract to `C:\\temp\\update \n \n`\n 3. Add the update repository location in IBM Installation Manager: \n \n\n 4. Start IBM Installation Manager. \n \n\n 5. On the Start page of Installation Manager, click **File > Preferences**, and then click **Repositories**. The Repositories page opens. \n \n\n 6. On the Repositories page, click **Add Repository**. \n \n\n 7. In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK. \n \nFor example, enter `C:\\temp\\updates\\repository.config`. \n \n\n 8. Click **OK** to close the Preference page. \n \n\n 9. Install the update as described in the the topic **Updating Installed Product Packages** in the [IBM Knowledge Center](<http://www.ibm.com/support/knowledgecenter/>) for your product and version.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-10T15:49:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Software Architect, Software Architect for WebSphere Software & Rational Software Architect RealTime (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2020-09-10T15:49:00", "id": "FCBE194563589DFF9606D62F884B470E8FE64EC32ECEF7BF7F3E11951F8D3E8F", "href": "https://www.ibm.com/support/pages/node/275349", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:52:07", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager. Information about a security vulnerability affecting IBM Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2015 CPU ](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>)for vulnerability details and information about fixes. \n\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Security Key Lifecycle Manager v2.5 \n \nIBM Tivoli Key Lifecycle Manager v2.0.1 \n \nIBM Tivoli Key Lifecycle Manager v2.0.0 \n \nIBM Tivoli Key Lifecycle Manager v1.0.0| IBM Websphere Application Server v8.5 \n \nIBM Websphere Application Server v6.1 \n \nIBM Websphere Application Server v6.1 \n \nIBM Websphere Application Server v6.1 \n \n## ", "cvss3": {}, "published": "2018-06-16T21:26:07", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Websphere Application Server shipped with IBM Security Key Lifecycle Manager ( CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931).", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-16T21:26:07", "id": "7108C0EE39B28D96C52528E1823D34596C84083C2A2CAD5294302C93F75E123D", "href": "https://www.ibm.com/support/pages/node/533767", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:51:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 5, 6, 7 that are used by WebSphere Transformation Extender. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected products: \n\n * WebSphere Transformation Extender Design Studio\n * WebSphere Transformation Extender with Command Server\n * WebSphere Transformation Extender for Integration Servers\n * WebSphere Transformation Extender for Application Programming\n * WebSphere Transformation Extender with Launcher\nAffected versions: \n * 8.2.0.0 - 8.2.0.6\n * 8.3.0.0 - 8.3.0.6\n * 8.4.0.0 - 8.4.0.5\n * 8.4.1.0 - 8.4.1.3\n\n## Remediation/Fixes\n\nDownload and install the [interim fix for APAR PI53631](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Transformation+Extender&release=All&platform=All&function=aparId&apars=PI53631>) from IBM Fix Central.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T19:50:09", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Transformation Extender (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-16T19:50:09", "id": "65B1496C73BCC56FAE14FB1E068BD6908EA0C48EF7C8CAD85A387FBF9F18C0DF", "href": "https://www.ibm.com/support/pages/node/274207", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:26", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version7.0 that is used by IBM API Management. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM API Management V3.0 and V4.0\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM API Management| 3.0.0| LI78795 | [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Management&release=3.0.4.0&platform=All&function=fixId&fixids=3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.vcrypt2,3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.ova&includeSupersedes=0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Management&release=3.0.4.0&platform=All&function=fixId&fixids=3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.vcrypt2,3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.ova&includeSupersedes=0>) \nIBM API Management| 4.0.0| LI78795 | <http://www-01.ibm.com/support/docview.wss?uid=swg21969793> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:27", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK\u00a0affect\u00a0IBM API Management", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-15T07:04:27", "id": "86CF5B944698359DA4D538F7990FAE092AE2165F4F67E815E252A47DEDD41B68", "href": "https://www.ibm.com/support/pages/node/274429", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:57:11", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM PureApplication System. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM PureApplication System V2.1 \nIBM PureApplication System V2.0\n\n## Remediation/Fixes\n\nThe PureSystems Manager on IBM PureApplication System is affected. The solution is to upgrade the IBM PureApplication System to the following fix level: \n \nIBM PureApplication System V2.1 \nUpgrade to IBM PureApplication System V2.1.2 \n \nIBM PureApplication System V2.0 \nUpgrade to IBM PureApplication System V2.0.0.1 Interim Fix 6 \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM PureApplication System. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000"], "modified": "2018-06-15T07:04:29", "id": "8D55AF808F4D835A74D5852E651EDDB90554321DD81A30095AABCC982F9C3EBC", "href": "https://www.ibm.com/support/pages/node/537461", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T05:37:52", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM Storwize V7000 Unified. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JCE component could allow a remote attacker to obtain sensitive information. The Java Cryptography Extension (JCE) is a Standard Extension to the Java Platform. JCE is used for implementating encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>[](<http://xforce.iss.net/xforce/xfdb/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JCE component could allow a remote attacker to obtain sensitive information. The Java Cryptography Extension (JCE) is a Standard Extension to the Java Platform. JCE is used for implementating encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>)[](<http://xforce.iss.net/xforce/xfdb/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-4000](<https://vulners.com/cve/CVE-2015-4000>) \n \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[](<http://xforce.iss.net/xforce/xfdb/101851>) <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to obtain sensitive information. The Java Cryptography Extension (JCE) is a Standard Extension to the Java Platform. JCE is used for implementating encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>) \n \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running a code releases 1.5.0.0 to 1.5.2.1\n\n## Remediation/Fixes\n\nIBM recommends that you fix these vulnerabilities by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher: \n \n1.5.2.2 \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>)\n\n## Workarounds and Mitigations\n\nWorkaround(s): None \n \nMitigation(s) : Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T00:09:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Storwize V7000 Unified (CVE-2015-2613, CVE-2015-2601, CVE-2015-4000, CVE-2015-2625, and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000"], "modified": "2018-06-18T00:09:55", "id": "A597FC2502CE93E35C812A73F9B40A7FB359E54479EB78A16E664A740F1B62E1", "href": "https://www.ibm.com/support/pages/node/690609", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:42:47", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases, as used by ITNCM. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n \n\n\n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \n\n\nCVSS Base Score: 5\n\n \n \n\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score\n\n \n \n\n\nCVSS Environmental Score*: Undefined\n\n \n \n\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n \n \n\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \n\n\nCVSS Base Score: 5\n\n \n \n\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score\n\n \n \n\n\nCVSS Environmental Score*: Undefined\n\n \n \n\n\nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)\n\n \n \n\n\n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.\n\n \n \n\n\nCVSS Base Score: 4.3\n\n \n \n\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score\n\n \n \n\n\nCVSS Environmental Score*: Undefined\n\n \n \n\n\nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n \n \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n \n \n\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\n \n \n\n\nCVSS Base Score: 2.6\n\n \n \n\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score\n\n \n \n\n\nCVSS Environmental Score*: Undefined\n\n \n \n\n\nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)\n\n \n \n\n\n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n \n \n\n\nCVSS Base Score: 2.1\n\n \n \n\n\nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score\n\n \n \n\n\nCVSS Environmental Score*: Undefined\n\n \n \n\n\nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nProduct version \n \n--- \nITNCM 6.4.1.3 and earlier \nITNCM 6.3.0.6 and earlier \n \n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \n_ITNCM_ | _6.4.1.3 IF001_ | _None_ | [_http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/TivoliNetcoolConfigurationManager&release=6.4.1.3&platform=All&function=fixId&fixids=ITNCM_6.4.1.3_IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=http_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/TivoliNetcoolConfigurationManager&release=6.4.1.3&platform=All&function=fixId&fixids=ITNCM_6.4.1.3_IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n_ITNCM_ | _6.3.0.6 IF004_ | _None_ | [_http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=fixId&fixids=ITNCM_6.3.0.6-IF004&includeRequisites=1&includeSupersedes=0&downloadMethod=http_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=fixId&fixids=ITNCM_6.3.0.6-IF004&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nApply the interim fix linked to under Remediation/Fixes\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-20T16:08:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 that is used by IBM Tivoli Netcool Configuration Manager (ITNCM).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2019-12-20T16:08:45", "id": "3FD11FED4FA21C029AEEACC6A3AAEBD94157C33C98BEC0C9163222130AA612B4", "href": "https://www.ibm.com/support/pages/node/714551", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:41:00", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by TPF Toolkit. These issues were disclosed as part of the IBM Java Runtime updates in July 2015 and October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTPF Toolkit 4.0.x, and 4.2.x\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nTPF Toolkit| 4.2.x| JR54906| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.2.5 by using IBM Installation Manager.\n 3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \nTPF Toolkit| 4.0.x| JR54907| \n\n 1. Install the latest version of IBM Installation Manager.\n 2. Apply Interim Fix 4.0.8 by using IBM Installation Manager.\n 3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from [_http://www.ibm.com/developerworks/java/jdk/_](<http://www.ibm.com/developerworks/java/jdk/>) \n \n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect TPF Toolkit (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, CVE-2015-2625, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2018-08-03T04:23:43", "id": "764A153B521DEC38D87D7FE547BEDAAC8370C269EDE05B8A3D1189C33EF92D24", "href": "https://www.ibm.com/support/pages/node/273735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T18:55:50", "description": "## Summary\n\nMultiple vulnerabilities exisit in the IBM JRE used by System Storage DS8000. These were disclosed as part of the IBM Java SDK updates - July 2015 \n \nThis release also enforces the removal of RC4 in IBM JAVA (CVE-2015-2808) also known as BarMitzva to ensure that no present or future releases can enable ciphers which use RC4. This is an additional safeguard.\n\n## Vulnerability Details\n\n \n \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nDS8870, DS8800, DS87000 are all impacted by these vulnerabilities.\n\n## Remediation/Fixes\n\nThe patch release can be applied to the following minimum versions:\n\n * DS8870 - 87.31.23.0 ( R7.3)\n * DS8870 - 87.41.17.0 (R7.4)\n * DS8870 - 87.51.14.0 (R7.5)\n * DS8800 - 86.31.167.0 (R6.3)\n * DS8700 - 76.31.143.0 (R6.3)\n \nCustomers with versions at levels below the the above minimum levels are advised to upgrade. \n\nThe following releases contain the remediation for the vulnerabilities.\n\n \n \n**Product**| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nDS8870| 87.51.23.0 (R7.5 SP2)| \n| 11/9/2015 \nDS8870| 87.41.42.0 (R7.4 SP4)| \n| 11/9/2015 \nDS8800| 86.31.184.0| \n| 11/9/2015 \nDS8700| 76.31.159.0| \n| 11/9/2015 \nDS8700/8800/8870| See above| CVE_4Q2015_v1.0| 11/9/2015 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-24T17:06:20", "type": "ibm", "title": "Security Bulletin:Multiple vulnerabilities in IBM Java SDK affect System Storage DS8000", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2022-05-24T17:06:20", "id": "5259AA5CACBCC342A208878B507D6FDE3F3A715EF67BB4F910C9ACC9CBBF706D", "href": "https://www.ibm.com/support/pages/node/690741", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:10", "description": "## Summary\n\nJava SE issues disclosed in the Oracle July 2015 Critical Patch Update, plus CVE-2015-1931 \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-2625 CVE-2015-1931 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA>) and the X-Force database entries referenced below. \n\nThis bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition. \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 11 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 5 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 1 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 1 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 1 and earlier releases \n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus | 7.3.0.16| IV73279| [](<http://www-01.ibm.com/support/docview.wss?uid=swg24039351>)<http://www-01.ibm.com/support/docview.wss?uid=swg24039351> \nOMNIbus| 7.3.1.14| IV73279| <http://www-01.ibm.com/support/docview.wss?uid=swg24040714> \nOMNIbus| 7.4.0.8| IV73279| <http://www-01.ibm.com/support/docview.wss?uid=swg24039349> \nOMNIbus | 8.1.0.4| IV73279| <http://www-01.ibm.com/support/docview.wss?uid=swg24039347> \n \nThe fixes for these vulnerabilities are included in IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 13 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 10 and subsequent releases \n \nFor detailed information on which CVEs affect which releases, please refer to the [_IBM SDK, Java Technology Edition Security Alerts page_](<http://www.ibm.com/developerworks/java/jdk/alerts/>). \n \nIBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/java/jdk/index.html>) \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin. \n\n## Workarounds and Mitigations\n\n**APAR numbers are as follows:** \n[_IV75160_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75160>) (CVE-2015-2613)_ \n_[_IV75161_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75161>) (CVE-2015-2601)_ \n_[_IV75163_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75163>) (CVE-2015-4749)_ \n_[_IV75166_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75166>) (CVE-2015-2625)_ \n_[_IV75182_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182>) (CVE-2015-1931)\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:09:27", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-17T15:09:27", "id": "982439B1B2A55F3FC951BFDBFCE9F4936521B072473058F236673D99C1C8861C", "href": "https://www.ibm.com/support/pages/node/266039", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:53:55", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 8 that are used by IBM DB2 QMF for Workstation. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * DB2 QMF for z/OS Version 11 Release 1, Fix Pack 4 (and lower) \n * DB2 QMF Enterprise Edition Version 11 Release 1, Fix Pack 4 (and lower) \n * DB2 QMF Enterprise Edition Version 10 Release 1, Fix Pack 11 (and lower)\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VR_**| **_Remediation/First Fix_** \n---|---|--- \n_DB2 QMF for Workstation for z/OS_| _11.1 _| [_Java JRE 8.0 SR1 FP10 from IBM Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility+for+zOS&release=11.1&platform=All&function=all>) \n_DB2 QMF for Workstation Enterprise Edition_| _11.1_| [_Java JRE 8.0 SR1 FP10 from IBM Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility&release=11.1&platform=All&function=all>) \n_DB2 QMF for Workstation Enterprise Edition_| _10.1_| [_Java JRE 6.0 SR16 FP7 from IBM Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2+Query+Management+Facility&release=10.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-16T13:12:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DB2 QMF for Workstation (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-16T13:12:24", "id": "554BA5FAFE48D11CC6936A7592937D777A2BB491B3B6E34A9D6502E15AAA7F9E", "href": "https://www.ibm.com/support/pages/node/534419", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:48:57", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7SR8 that is used by Rational Automation Framework. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2.x, 3.0.1.3.x on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to [RAF 3.0.1.3 ifix6](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Automation+Framework&release=3.0.1.3i6&platform=All&function=all>) or later.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:08:41", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Automation Framework (CVE-2015-1931, CVE-2015-2601, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625"], "modified": "2018-06-17T05:08:41", "id": "725F53EDFF360661BC60EE0BBB3B2E26D83A4021F5C4A3337A70FC7DA6D27AFC", "href": "https://www.ibm.com/support/pages/node/538453", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:50", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 1.7 that is used by Rational Performance Tester. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Performance Tester versions 8.2.*, 8.3.*, 8.5.*, 8.6.*, 8.7.0.*.\n\n## Remediation/Fixes\n\nIt is strongly recommended to upgrade to Rational Performance Tester version 8.7.1. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRPT| 8.7| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRPT| 8.6 - 8.6.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRPT| 8.5 - 8.5.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRPT| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>)`[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRPT| 8.2 - 821.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Performance+Tester&release=All&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:06:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625"], "modified": "2018-06-17T05:06:45", "id": "EC178E8FDBBD28F910954EB01A63F8AC93B92A177253B621E53546B7FBE46E0D", "href": "https://www.ibm.com/support/pages/node/267767", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:48:50", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 1.7 that is used by Rational Service Tester. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Service Tester versions 8.2.*, 8.3.*, 8.5.*, 8.6.*. 8.7.0.*.\n\n## Remediation/Fixes\n\nIt is strongly recommended to upgrade to Rational Service Tester versio 8.7.1. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRST| 8.7| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRST| 8.6 - 8.6.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRST| 8.5 - 8.5.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRST| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>)`[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \nRST| 8.2 - 821.x| None| Download `[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FRational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=All&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP10&includeSupersedes=0&source=fc>)` \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:06:46", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625"], "modified": "2018-06-17T05:06:46", "id": "5097B9E0CB73DAB35E2A82A74BD89F9BF8CF80E46DEAEA11D40F4BE3688E1227", "href": "https://www.ibm.com/support/pages/node/267769", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T21:56:12", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 that is used by WebSphere Application Server shipped with IBM SmartCloud Provisioning. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n\n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n** \nCVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n** \nCVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product**\n\n| **Affected Supporting Product Version** \n---|--- \nIBM SmartCloud Provisioning V2.1,V 2.1.0.1, V2.1.0.2, V2.1.0.3, V2.1.0.5, V2.1.0.5 from Interim Fix 1 to Interim Fix3| IBM WebSphere Application Server V8.0 \nIBM SmartCloud Provisioning V2.3, V2.3.0.1 and V2.3.0.1 from Interim Fix 1 to Interim Fix 7 | IBM WebSphere Application Server V8.0.0.1 thorugh V8.0.1.11 \n \n## Remediation/Fixes\n\nPlease note that product software support discontinuance is approaching as per [_IBM Withdrawal Announcement 916-016_](<http://www-01.ibm.com/common/ssi/rep_ca/6/897/ENUS916-016/ENUS916-016.PDF>). \n\n**Product**| **Affected Supporting Product Version**| **Remediation/First Fix** \n---|---|--- \nIBM SmartCloud Provisioning V2.1,V 2.1.0.1, V2.1.0.2, V2.1.0.3, V2.1.0.5, V2.1.0.5 from Interim Fix 1 to Interim Fix3| IBM WebSphere Application Server V8.0| Contact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \nIBM SmartCloud Provisioning V2.3, V2.3.0.1 and V2.3.0.1 from Interim Fix 1 to Interim Fix 7 | IBM WebSphere Application Server V8.0.0.1 thorugh V8.0.1.11| Upgrade to Cloud Orchestrator 2.3.0.1 Interim Fix 8 or later, at [ http://www-01.ibm.com/support/docview.wss?uid=swg2C4000036](<http://www-01.ibm.com/support/docview.wss?uid=swg2C4000036>) \nNote as for logjam, you will also need to update your java.security file to add jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768\\. \n\nContact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) for questions. \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identaify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:32:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition, and Logjam affect WebSphere Application Server shipped with SmartCloud Provisioning", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T22:32:53", "id": "2FE25685E021FF1A9C831364B6F5965095F1E1B81C165A2C647499A7FF03D904", "href": "https://www.ibm.com/support/pages/node/619261", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:57:32", "description": "## Summary\n\nThere are multiple security vulnerability exists in the IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 and 7 that is used by IBM WebSphere Application Server Community Edition 3.0.0.4. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n## Affected Products and Versions\n\nWebSphere Application Server Community Edition 3.0.0.4 \n\n## Remediation/Fixes\n\nIf you use the IBM SDK for Java: upgrade your SDK to a level as noted below, please refer to [_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>): \n \n \nIBM SDK for Java 6: \nIBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7 and subsequent releases \nIBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 and subsequent releases \n \nIBM SDK for Java 7: \nIBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 and subsequent releases \nIBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10 and subsequent releases\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:29", "type": "ibm", "title": "Security Bulletin: Multiple Security vulnerability in IBM Java SDK including Logjam affect WebSphere Application Server Community Edition 3.0.0.4(CVE-2015-4000 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-15T07:03:29", "id": "1BBF2A32FAD2400D9BC729236743DB5BA10E71E968751393DCCFA07C879D7E68", "href": "https://www.ibm.com/support/pages/node/534903", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:17", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 5 and 7 that is used by IBM Tivoli System Automation Application Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1, 3.2.2, 3.2.1, and 3.2.0.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation Application Manager. To select the fix you need to apply in your environment, click on 'Download Link' in the table below. \n \n* If you are running IBM Tivoli System Automation Application Manager 4.1, please apply fixpack IBM Tivoli System Automation Application Manager 4.1.0.1. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.2, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.2. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.1, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.1. \n* If you are running IBM Tivoli System Automation Application Manager 3.2.0, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.0. \n \nAdditionally, you need to install the corresponding fix from IBM WebSphere Application Server. Please follow this link for details: <http://www-01.ibm.com/support/docview.wss?uid=swg21962931>. You need to apply the fix for IBM WebSphere Application Server 8.5 if you run IBM Tivoli System Automation Application Manager 4.1, and you need to apply the fix for IBM WebSphere Application Server 6.1 if you run IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, or 3.2.0. \n \n\n\n_Product_| _VRMF_| _APAR_ \n---|---|--- \n_IBM Tivoli System Automation Application Manager_| _4.1, 3.2.2, 3.2.1, 3.2.0_| [Download Link](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+Application+Manager&release=All&platform=All&function=all>) \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n \n_For __IBM Tivoli System Automation Application Manager 3.1__ __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:07:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation Application Manager (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T15:07:22", "id": "E7B27D160CD8AD6CEE5EE17DF994C844B5EC3D6A8C4976FBBC5C2E758D5732CA", "href": "https://www.ibm.com/support/pages/node/533789", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:49:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6 and 1.1.1.7\n\n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 14 (Implemented by file 10.1.6305.508)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040520>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 14 (Implemented by file 10.1.6305.508)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040520>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 12 (Implemented by file 10.2.5000.506)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040519>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 and 1.1.1.7 ** \n \n\n\n 1. If the Data Collection Component or Jazz Reporting Serivce are used, perform this step first. \nReview the topics in <http://www-01.ibm.com/support/docview.wss?uid=swg21964625> for addressing the listed vulnerabilities in their underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 11 (Implemented by file 10.2.5008.512)](<http://www-01.ibm.com/support/docview.wss?uid=swg24040519>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:05:05", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4748, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4748", "CVE-2015-4749"], "modified": "2018-06-17T05:05:05", "id": "33F15FE0CFBF77A7171E2F0D7DA3388C60B0FC08F3BEB92A6FBAAE6443594569", "href": "https://www.ibm.com/support/pages/node/535911", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 5.0, 6, 6R1, 7, 7R1 that is used by IBM Security Access Manager for Web. These issues were disclosed as part of the IBM Java SDK updates in July 2015\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)\n\n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Access Manager for Web 8.0 appliances, all firmware versions\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation_** \n---|---|---|--- \nIBM Security Access Manager for Web| 8.0| IV77071 | [8.0.1.3-ISS-WGA-IF0002](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=Linux&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:26:14", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4748", "CVE-2015-4749"], "modified": "2018-06-16T21:26:14", "id": "E1E3EF19495F88A7ACFAAF137C61A44B066AA02B00E7F007D106152AE52B5D0F", "href": "https://www.ibm.com/support/pages/node/534209", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:41:32", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 6, 7, and 8 that are used by Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872, CVE-2015-5006). These were disclosed as part of the IBM Java SDK updates in July and October 2015 and are included in the October update.\n\n## Vulnerability Details\n\nRational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software** **are affected by the following vulnerabilities: \n\n** **\n\n \n**CVEID**: [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION**: An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 5** \nCVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION**: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 5** \nCVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION**: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 2.6** \nCVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION**: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.** \nCVSS Base Score**: 2.1** \nCVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID**: [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \n**CVSS Base Score**: 5 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-5006_](<https://vulners.com/cve/CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \n**CVSS Base Score**: 4.6 \n**CVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \n**CVSS Environmental Score***: Undefined \n**CVSS Vector**: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Product Name**\n\n| **Versions Affected** \n---|--- \nRational Developer for Power Systems Software| 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1 \nRational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.5, 9.5.0.1, 9.5.0.2 \nRational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \nRational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \n \n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \nRational Developer for Power Systems Software| 8.0 through 8.5.1| \n\n * For all versions, apply [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RD Power](<http://www.ibm.com/support/docview.wss?uid=swg24041521>) \nRational Developer for i| 9.0 through to 9.5| \n\n * For all versions, update the currently installed product using Installation Manager. ** **For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSAE4W_9.1.1/com.ibm.etools.iseries.install.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. \n * Or, you can optionally download the update manually and apply [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RDi](<http://www.ibm.com/support/docview.wss?uid=swg24041519>) \nRational Developer for AIX and Linux| 9.0 through to 9.1| \n\n * For all client versions, update the currently installed product using Installation Manager. For instructions on installing this update using Installation Manager, review the topic [_Updating Installed Product Packages_](<http://www.ibm.com/support/knowledgecenter/SSPSQF_9.1.1/com.ibm.etools.install.rdal.doc/topics/t_upgrading.html>) in the IBM Knowledge Center. \n * For server updates or to manually download and apply the client updates see [IBM SDK Java Technology Edition Critical Patch Update - October 2015 - RDAL](<http://www.ibm.com/support/docview.wss?uid=swg24041520>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-08-03T04:23:43", "id": "046BFDFDFEF57E40AEF5921AC2EAEE3EEA1453CC00EE02DF1AEFB9C2AC05178C", "href": "https://www.ibm.com/support/pages/node/537511", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition that is used by IBM Process Designer in IBM Business Process Manager and WebSphere Lombardi Edition. These issues were disclosed as part of the IBM Java SDK updates for October 2015 and in the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Business Process Manager V7.5.x through V8.5.6.0 and WebSphere Lombardi Edition V7.2.0.x.\n\n## Remediation/Fixes\n\nThe eclipse-based IBM Process Designer tool includes an instance of the IBM SDK Java\u2122 Technology Edition. In order to provide the fix for this development tool, install APAR JR54682 for your version of IBM Business Process Manager or WebSphere Lombardi Edition: \n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_IBM Business Process Manager Standard_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_IBM Business Process Manager Express_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR54682>)\n * [_WebSphere Lombardi Edition_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Lombardi+Edition&release=7.2.0.5&platform=All&function=aparId&apars=JR54682>)\n \nIf you are on earlier unsupported releases, IBM strongly recommends to upgrade. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749", "CVE-2015-4872"], "modified": "2018-06-15T07:04:24", "id": "A0C4AD3CFBFCE151B5419A4CAB2FE62A2088629DFE37047C4ACED864D50B6136", "href": "https://www.ibm.com/support/pages/node/273521", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:41", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 5 and 7 that is used by IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation for Multiplatforms 4.1, 3.2.2, 3.2.1, and 3.2.0.\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation for Multiplatforms. To select the fix you need to apply in your environment, click on 'Download Link' in the table below. \n \n* If you are running IBM Tivoli System Automation for Multiplatforms 4.1, please apply fixpack IBM Tivoli System Automation for Multiplatforms 4.1.0.2. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.2, please apply interim fix IF0007 of this product version. You can apply this iFix on top of any fixpack of version 3.2.2. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.1, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.1. \n* If you are running IBM Tivoli System Automation for Multiplatforms 3.2.0, please apply interim fix IF0010 of this product version. You can apply this iFix on top of any fixpack of version 3.2.0. \n \nAdditionally, for IBM Tivoli System Automation for Multiplatforms 3.2.2, 3.2.1 and 3.2.0, you need to install the corresponding fix from IBM WebSphere Application Server 6.1. Please follow this link for details: <http://www-01.ibm.com/support/docview.wss?uid=swg21962931>. \n \n\n\n_Product_| _VRMF_| _APAR_ \n---|---|--- \n_IBM Tivoli System Automation for Multiplatforms _| _4.1, 3.2.2, 3.2.1, 3.2.0_| [_Download Link_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+System+Automation+for+Multiplatforms&release=All&platform=All&function=all>) \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n \n_For __IBM Tivoli System Automation for Multiplatforms 3.1__ __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:07:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T15:07:21", "id": "1A6ED5D827C9B7F2277B3D67DC5CF6E6E0140AD47BEA97E4D1117C4DB04282EC", "href": "https://www.ibm.com/support/pages/node/533787", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:48:53", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and Version 7 that are used by IBM Rational Directory Server (Tivoli) and IBM Rational Directory Administrator. New iFixes do not include the JRE. Install new iFixes and updated JRE to resolve these issues.\n\n## Vulnerability Details\n\nRational Directory Server is affected by the following vulnerabilities: \n \n**CVEID**: [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION**: An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 5** \nCVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION**: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 5** \nCVSS Temporal Score**: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>_ for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION**: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.** \nCVSS Base Score**: 2.6** \nCVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID**: [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION**: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.** \nCVSS Base Score**: 2.1** \nCVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-7575_](<https://vulners.com/cve/CVE-2015-7575>)** \nDESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \n**CVEID**: [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION**: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.** \nCVSS Base Score**: 5** \nCVSS Temporal Score**: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/__107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector**: (AV:N/AC:L/Au:N/C:N/I;P/A:N)\n\n## Affected Products and Versions\n\nRational Directory Server (Tivoli) v5.2.0.2 iFix 3 and earlier \nRational Directory Server (Tivoli) v5.2.1 iFix 8 and earlier \nRational Directory Administrator v6.0.0.2 iFix 3 and earlier\n\n## Remediation/Fixes\n\nUpgrade to Rational Directory Server (Tivoli) v5.2.1 iFix 9 or v5.2.0.2 iFix 5, and Rational Directory Administrator v6.0.0.2 iFix 4, which do not include Java. Before installing the new iFixes, install the Java Runtime Environment version 6.0.16.21 or 7.0.9.31, or subsequent versions. \n \nTo obtain the updated version of the IBM JRE, [_contact IBM Support_](<https://www-947.ibm.com/support/servicerequest/Home.action?category=2>). Support can help identify the latest JRE that is compatible with your operating system and platform. Publicly available versions of the Oracle JRE are also supported with Rational Directory Server. \n\n_For versions for Rational Directory Server that are earlier than version 5.2.0.2, and Rational Directory Administrator 6.0.0.2, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:10:03", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872", "CVE-2015-7575"], "modified": "2018-06-17T05:10:03", "id": "05EA0613CCDE54EFA5261A92BB8AD85AC9483C1FF44BBFC007A754DD1DA033F1", "href": "https://www.ibm.com/support/pages/node/542697", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition used by IBM Workload Deployer. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Workload Deployer version 3.1 and later\n\n## Remediation/Fixes\n\nThe solution is to apply the IBM Workload Deployer Interim Fix9. \n \nUpgrade the IBM Workload Deployer to the following fix level: \n \n\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \nIBM Workload Deployer System| Release V3.1.0.7| V3.1.0.7 Interim Fix, \n \n[_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix9-IBM_Workload_Deployer&includeSupersedes=0_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix9-IBM_Workload_Deployer&includeSupersedes=0>) \n \nAs the length of the server key size is increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted. \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Workload Deployer. (CVE-2015-2590, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, and CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000"], "modified": "2018-06-15T07:03:36", "id": "4D31930803D2C479476478125462D5DBFB1429D04F74E21FE79B6C97E7168687", "href": "https://www.ibm.com/support/pages/node/265649", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:32", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7, that is used by IBM OS Images for Red Hat Linux Systems, AIX, and Windows. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM OS Image for Red Hat Linux Systems 3.0.0.0 and earlier. \nIBM OS Image for AIX Systems 2.1.1.0 and earlier.\n\n## Remediation/Fixes\n\nVirtual machines deployed from IBM PureApplication Systems are affected. This includes RedHat Linux, AIX-based, and Windows-based deployments. The solution is to apply the following IBM PureApplication System fix to the deployed virtual machines. \n \nJava Update for Windows \n[__http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Windows_CVE-2015-2590&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Windows_CVE-2015-2590&includeRequisites=1&includeSupersedes=0>) \n \nJava Update for Linux \n[__http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Linux_CVE-2015-2590&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Linux_CVE-2015-2590&includeRequisites=1&includeSupersedes=0>) \n \nJava Update for AIX \n[__http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_AIX_CVE-2015-2590&includeRequisites=1&includeSupersedes=0__](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_AIX_CVE-2015-2590&includeRequisites=1&includeSupersedes=0>)__ __ \n \n \n1\\. Import the fix into the Emergency Fix catalogue. \n2\\. For deployed instances, apply this emergency fix on the VM. \n3\\. Restart the deployed instance after the fix is applied. \n \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:04:18", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000"], "modified": "2018-06-15T07:04:18", "id": "D6282117AB13EB25AE54CEF6988ADB83EC89FA814931738B384654ADE6C4A47A", "href": "https://www.ibm.com/support/pages/node/273147", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:57:31", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 and 8 that is used by Liberty for Java for IBM Bluemix. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score\n\n \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v1.20-20150713-1450.\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java v1.20.1-20150729-1255 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the \"Files and Logs\" for your application through the Bluemix UI. In the \"logs\" directory, check the \"staging_task.log\". \n \nYou can also find this file through the command-line Cloud Foundry client by running the following command: \n \n**cf files <appname> logs/staging_task.log** \n \nYou can see \n \n\\-----> Liberty Buildpack Version: _________ \n \nTo re-stage your application using the command-line Cloud Foundry client, use the following command: \n \n**cf restage <appname>** \n \nTo re-push your application using the command-line Cloud Foundry client, use the following command: \n \n**cf push <appname>**\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:28", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Liberty for Java for IBM Bluemix (CVE-2015-2590)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-4749"], "modified": "2018-06-15T07:03:28", "id": "62DC15D565D3AED15E95F60C1E162CD79C80C198042969F302EBA3BFD8AA5F09", "href": "https://www.ibm.com/support/pages/node/534887", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:27", "description": "## Summary\n\nIBM Java is shipped as an ITM shared component of IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines. Information about a security vulnerability affecting Linux Kernel-based Virtual Machines agent has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVE IDs: **CVE-2015-2625 CVE-2015-1931 \n \n**DESCRIPTION**: This bulletin covers all applicable Java SE CVEs for this product. \n \n**CVEID: **[_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION: **An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.60 \nCVSS Temporal Score: \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N \n \n**CVEID: **[_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION: **IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.10 \nCVSS Temporal Score: \nCVSS Environmental Score*: Undefined \nCVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N\n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines** **Version** **6.2.3 includes Java Technology Edition, Version 5.0 Service Refresh 9. \nIBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines** **Version** **7.1.0 includes Java Technology Edition, Version 5.0 Service Refresh 12, FP1. \nIBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines** **Version 7.2.0 includes Java Technology Edition, Version 5.0 Service Refresh 12, FP1.\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are provided in latest Java provided as ITM shared component. Please see the below link to upgrade Java as part of ITM shared component \n<http://www-01.ibm.com/support/docview.wss?uid=swg21673490>**. ** \n \n**APAR numbers are as follows:** \n \nIV75166 (CVE-2015-2625) \nIV75182 (CVE-2015-1931)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-11-29T22:30:01", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines as it is dependent on ITM shipped Java", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2625"], "modified": "2018-11-29T22:30:01", "id": "F43C795683B9F78C5CC3FE51A6FEB70AA8104D3A5F71BB174EFD86D894611AE7", "href": "https://www.ibm.com/support/pages/node/714463", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-18T15:03:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 and 7 that is used by IBM Installation Manager and IBM Packaging Utility. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Installation Manager and IBM Packaging Utility versions 1.8.3 and earlier. \n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM Installation Manager and IBM Packaging Utility_| _1.7.4.x_ | _None_| [__1.7.4.4 IBM Installation Manager Remediation__](<http://www.ibm.com/support/docview.wss?uid=swg24040510>)_ \n_[__1.7.4.4 IBM Packaging Utility Remediation__](<http://www.ibm.com/support/docview.wss?uid=swg24040509>)\n\n_Please note that the 1.7.4.4 fix is intended for upgrade of 1.7.4.3 and earlier versions which continue support on platforms that are NOT supported by 1.8 or later versions. \nUsers running 1.7.4.3 or earlier version on platforms that ARE supported by 1.8.x version, should upgrade to 1.8.4._ \n \n_IBM Installation Manager and IBM Packaging Utility_| _1.8.x_| _None_| [__1.8.4 IBM Installation Manager Remediation__](<http://www.ibm.com/support/docview.wss?uid=swg24040291>)_ \n_[__1.8.4 IBM Packaging Utility Remediation__](<http://www.ibm.com/support/docview.wss?uid=swg24040292>) \n \n## Workarounds and Mitigations\n\nUpgrade products to the remediated versions per the table above.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-25T12:12:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect the IBM Installation Manager and IBM Packaging Utility (CVE-2015-2625 and CVE-2015-1931 )", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2625"], "modified": "2021-10-25T12:12:53", "id": "A5370A122C5D79908DF3CF003449B027FBDD860CCB79270E2B3A98CCFC24F642", "href": "https://www.ibm.com/support/pages/node/274249", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:52:07", "description": "## Summary\n\nSeveral previously released versions of IBM QRadar SIEM, and IBM QRadar Incident Forensics are affected by multiple vulnerabilities reported in the IBM SDK Java Technology Edition Version 6 and 7.\n\n## Vulnerability Details\n\n**CVE-ID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n \n**Description:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:M/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n \n**Description:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n \n**Description:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n \n**Description:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n \n**Description:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n \n**CVSS Base Score:** 5.0 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:L/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>) \n \n**Description:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:M/Au:N/C:N/I:N/A:P \n \n \n**CVE-ID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n \n**Description:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \n \n**CVSS Base Score:** 2.6 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:N/AC:H/Au:N/C:P/I:N/A:N \n \n \n**CVE-ID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n \n**Description:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \n \n**CVSS Base Score:** 2.1 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \n**CVSS Environmental Score:** *Undefined \n**CVSS Vector:** AV:L/AC:L/Au:N/C:P/I:N/A:N\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar SIEM 7.2.5 Patch 3 and earlier versions. \n\n\u00b7 IBM QRadar SIEM 7.1 MR2 Patch 11 Interim Fix 01 and earlier versions.\n\n\u00b7 IBM QRadar Incident Forensics 7.2.5 Patch 3 and earlier versions\n\n## Remediation/Fixes\n\n[\u00b7 _IBM QRadar/QRM/QVM/QRIF 7.2.5 Patch 3 Interim Fix 01_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.5-QRADAR-QRSIEM-20150722144420INT%3Ahidden&includeSupersedes=0&source=>)\n\n[\u00b7 _IBM QRadar SIEM 7.1 MR2 Patch 11 Interim Fix 02_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104233INT&includeSupersedes=0&source=fc>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:26:04", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM can be affected by Multiple Vulnerabilities in the IBM Java Runtime Environment. (CVE-2015-0478, CVE-2015-0488, CVE-2015-1916, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-16T21:26:04", "id": "0BA3D00F2A4E161ACE7CE229FBCCA7601D73B67AF80161C317B48754F1EC9FB8", "href": "https://www.ibm.com/support/pages/node/533523", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:41:11", "description": "## Summary\n\nThere are several vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped as part of the IBM Tivoli Monitoring (ITM) VMWare VI Agent.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-2625 \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-1931 \nDESCRIPTION: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-7575 \nDESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Product Code** \n---|--- \nIBM\u00ae Tivoli\u00ae Monitoring for Virtual Environments Agent for VMware VI versions 6.1.0 , 6.1.2 , 6.2.1 , 6.2.2 , 6.2.3 , 7.1 , 7.2 , 7.2.0.2| KVM \n \n## Remediation/Fixes\n\nVMware agent installs a Java runtime (J6 component) which is not the default Java runtime component installed by ITM framework (default is JM component on windows and JR component on non-windows). \n \nThe CVEs listed in the Vulnerability Details section above affect the Java shipped as part of the VMware VI agent. \n \nTo remediate the vulnerabilities do the following: \n1\\. Follow the steps in the technote to update the VMware VI agent to use the JRE shipped as a shared component IBM Tivoli Monitoring (default is JM component on windows and JR component on non-windows). \n[_http://www-01.ibm.com/support/docview.wss?uid=swg21883100_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883100>). \n \n2\\. Update the shared component Java (CANDLEHOME) using the patch(es) listed: \n[_IBM Tivoli Monitoring 6 JRE Update (6.X.X-TIV-ITM_JRE_CANDLEHOME-20160408 )_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041511>) \n \nBelow are the IBM Tivoli Monitoring security bulletins that references the patches: \n[_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931 )_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976560>) \nand \n[_Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976066>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-23T07:35:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring VMWare VI Agent (CVE-2015-2625, CVE-2015-1931, CVE-2015-7575)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625", "CVE-2015-4749", "CVE-2015-7575"], "modified": "2018-07-23T07:35:29", "id": "A79AADC73330C4877A736E350B8B7AC684DD495A938F8988EAD9C56B0FB99EA0", "href": "https://www.ibm.com/support/pages/node/277455", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:49:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6.0.16.2 that is used by RLKS Administration and Reporting Tool.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)\n\n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\n \n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)\n\n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\n \n \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.\n\n \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n \n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n \n**Description**: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \n** \n**CVSS Base Score: 5.0** \n**CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>_ for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \nFor more details, refer the technote at [1702789](<http://www-01.ibm.com/support/docview.wss?uid=swg21702789>) \n \n \n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n \n \nFor more details, refer the technote at [1959284](<http://www-01.ibm.com/support/docview.wss?uid=swg21959284>) \n \n \n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. \n\nThis vulnerability is also known as the FREAK attack. \n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<http://exchange.xforce.ibmcloud.com/>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n \nFor more details, refer the technote at [1700073](<http://www-01.ibm.com/support/docview.wss?uid=swg21700073>)\n\n## Affected Products and Versions\n\nThese vulnerabilities impact following components and their releases: \n\n\n * RLKS Administration and Reporting Tool version 8.1.4 \n * RLKS Administration and Reporting Tool version 8.1.4.2 \n * RLKS Administration and Reporting Tool version 8.1.4.3 \n * RLKS Administration and Reporting Tool version 8.1.4.4 \n * RLKS Administration and Reporting Tool version 8.1.4.5\n * RLKS Administration and Reporting Tool version 8.1.4.6\n * RLKS Administration and Reporting Tool version 8.1.4.7\n * RLKS Administration and Reporting Tool version 8.1.4.8\n * RLKS Administration and Reporting Tool version 8.1.4.9\n * RLKS Administration Agent version 8.1.4 \n * RLKS Administration Agent version 8.1.4.2 \n * RLKS Administration Agent version 8.1.4.3 \n * RLKS Administration Agent version 8.1.4.4 \n * RLKS Administration Agent version 8.1.4.5\n * RLKS Administration Agent version 8.1.4.6\n * RLKS Administration Agent version 8.1.4.7\n * RLKS Administration Agent version 8.1.4.8 [Affected only by [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>), [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>), [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>), [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) and [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)]\n\n## Remediation/Fixes\n\nReplace the JRE used in IBM RLKS Administration and Reporting Tool and IBM RLKS Administration Agent. \n\n**_Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions)_**\n\n \n \n1\\. Go to [_Fix Central_](<http://www.ibm.com/support/fixcentral>) \n \n2\\. On the **Find product** tab, enter _Rational Common Licensing_ in the **Product Selector** field and hit enter. \n \n3\\. Select the **Installed Version** and hit continue button. \n \n4\\. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and hit continue button. \n \n5\\. On the **Identify fixes** page, select **Browse for fixes** and select **Show fixes that apply to this version** and hit continue button. \n \n6\\. Download the Java runtime iFix for RLKS Administration and Reporting Tool. \n** \nNote:** Although the name of the iFix is **RLKS_Administration_And_Reporting_Tool_8148_Admin_iFix_1_<Platform>_<Architecture>**, the same ifix is applicable to all previous RLKS Administration and Reporting Tool versions. \n \n7\\. Shutdown RLKS Administration and Reporting Tool. \n \n8\\. Go to the installation location of RLKS Administration and Reporting Tool. \n \n9\\. Rename <install location>/server/jre folder to **<install location>/server/jre_back**. \nThis step backs up the existing JRE. \n \n10\\. Extract the downloaded JRE into <install location>/server/ folder \n \nExample: <install location>/server/jre \n \n11\\. Startup RLKS Administration and Reporting Tool. \n \n12\\. Login to the tool using rcladmin user and verify that you see the configured license servers under 'Server' tab. \n\n**_How to fix these vulnerabilities in IBM RLKS Administration Agent (All Versions)?_**\n\nUpgrade to the IBM RLKS Administration Agent version 8.1.4.9\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:04:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect RLKS Administration and Reporting Tool (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-2808, CVE-2015-4000, CVE-2015-1916, CVE-2015-0488, CVE-2015-0138)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2018-06-17T05:04:34", "id": "34CFE8125A8881CC719C7F836804991085EA547A7871860AB1BFE0DB8E83422D", "href": "https://www.ibm.com/support/pages/node/533949", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:54:44", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM Java Runtime Environment component of IBM WebSphere MQ Internet Pass-Thru (MQIPT). Patches for these are available in IBM SDK, Java\u2122 Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 (7.0.9.10)\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-0204](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n \n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104733> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SDK, Java\u2122 Technology Edition, Version 7 (maintenance levels older than service refresh 9 fix pack 10 (7.0.9.10)) provided by WebSphere MQIPT 2.1 on all platforms.\n\n## Remediation/Fixes\n\nUpdate the JRE component following the instructions contained in this link:[http://www.ibm.com/support/docview.wss?uid=swg21678663](<http://www-01.ibm.com/support/docview.wss?uid=swg21678663>) \n \nUpdated JREs for MQIPT can be downloaded from the[ MS81: WebSphere MQ Internet Pass-Thru](<http://www.ibm.com/support/docview.wss?uid=swg24006386>) SupportPac page, via the Download package link, in the '**WebSphere MQ Internet Pass-Thru JREs**' section.\n\n## Workarounds and Mitigations\n\nNone Known\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:42", "type": "ibm", "title": "Security Bulletin: IBM MQIPT is affected by multiple vulnerabilities in IBM SDK, Java\u2122 Technology Edition, Version 7 (CVE-2015-0488, CVE-2015-0478. CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, CVE-2015-1931, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2018-06-15T07:03:42", "id": "3403EBD13C171A5D7444399BA5A9F94E5CCA875C8E3E0629AEA983CD163BAD0D", "href": "https://www.ibm.com/support/pages/node/267755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:43:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Versions 1.7.0 and 1.7.1 that are used by IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104726> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N):\n\n## Affected Products and Versions\n\nAll versions of IBM UrbanCode Deploy are vulnerable if used with an affected version of IBM Runtime Environment, Java Technology Edition. IBM Runtime Environment, Java Technology Edition, Version 1.7.0 SR 5, which was shipped with IBM UrbanCode Deploy 6.1.1 and 6.0, is among the versions affected. \n \nIBM UrbanCode Deploy with Patterns 6.1.0, 6.1.0.1, 6.1.0.2, 6.1.1, 6.1.1.1, 6.1.1.2, and 6.1.1.3 embed an affected version of Java.\n\n## Remediation/Fixes\n\nIf using IBM UrbanCode Deploy with an affected version of Java, remove the installation, and install one of the following fixed releases below: \n \n\\--IBM Runtime Environment, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases \n\\--IBM Runtime Environment, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 and subsequent releases \n\\--IBM Runtime Environment, Java Technology Edition, Version 7 Service Refresh 9 and subsequent releases \n\\--IBM Runtime Environment, Java Technology Edition, Version 7R1 Service Refresh 3 and subsequent releases \n\\--IBM Runtime Environment, Java Technology Edition, Version 8 Service Refresh 1 and subsequent releases \n \nIBM Runtime Environment, Java Technology Edition is available for download [here](<http://www.ibm.com/developerworks/java/jdk/>). \n \nAdditional configuration steps are required, as detailed below. \n \n**Note:** The instructions below should only be used for switching between versions of IBM Runtime Environment, Java Technology Edition. Do not attempt to switch between Java vendors using these instructions. \n \n \n**_IBM UrbanCode Deploy Server_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, change the following line of the <server install directory>/conf/server/installed.properties file: \n\ninstall.java.home=<path to new version of Java> \nAlso, the value of JAVA_HOME will have to be changed in the executable scripts in the <server install directory>/bin directory. \n \nIn Unix systems, the line: \n\nJAVA_HOME=\"<path to old version of Java>\" must be changed to reflect the new JAVA_HOME in the set-env, init/server, and init/_server scripts. \n \nOn Windows systems, the line: \n\nset JAVA_HOME=<path to old version of Java> must be changed to reflect the new JAVA_HOME in the set_env.cmd, service/service.cmd, and service/_service.cmd scripts. \n \n \n**_IBM UrbanCode Deploy Agents_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, change the following line of the <agent install directory>/conf/agent/installed.properties file: \n\nIBM\\ UrbanCode\\ Deploy/java.home=<path to new version of Java> \nAlso, the value of JAVA_HOME will have to be changed in the executable scripts in the <agent install directory>/bin directory. \n \nIn Unix systems, the line: \n\nJAVA_HOME=\"<path to old version of Java>\" must be changed to reflect the new JAVA_HOME in the agent, configure-agent, and init/agent scripts. \n \nOn Windows systems, the line: \n\nset JAVA_HOME=<path to old version of Java> must be changed to reflect the new JAVA_HOME in the agent.cmd, configure-agent.cmd, and service/_agent.cmd scripts. \n \n \n**_IBM UrbanCode Deploy Agent Relays_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, the value of JAVA_HOME must be changed to reflect the new JAVA_HOME in the executable scripts in the <relay install directory>/bin directory. \n \nIn the agentrelay and init/agentrelay scripts, change the line: \n\nJAVA_HOME=\"<path to old version of Java>\" \nIn the agentrelay.cmd and service/_agentrelay.cmd scripts, change the line: \n\nset JAVA_HOME=<path to old version of Java> \n \n**_IBM UrbanCode Deploy with Patterns_** \nFor IBM UrbanCode Deploy with Patterns, upgrade to the IBM UrbanCode Deploy 6.1.2 component, which embeds IBM Java Runtime Environment, Java Technology Edition, Version 1.7.1 SR3 Fixpack 10. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:32:05", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns (CVE-2015-2590, CVE-2015-4733, CVE-2015-4748, CVE-2015-2621, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4748"], "modified": "2018-06-17T22:32:05", "id": "AAE18CEA84D94F309513D180426FAF54CB6717E29FCFC0F49D01CBC77C002357", "href": "https://www.ibm.com/support/pages/node/534321", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:11:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Control Center. These issues were disclosed as part of the IBM Java SDK updates in April and July 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2015-0478_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-0488_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2808_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n \nIBM Control Center 6.0.0.1 \nIBM Control Center 6.0.0.0 through 6.0.0.0 iFix02 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix04 \nIBM Sterling Control Center 5.4.1 through 5.4.1.0 iFix03 \nIBM Sterling Control Center 5.4.0 through 5.4.0.1 iFix04 \nIBM Sterling Control Center 5.3.0 through 5.3.0.4 iFix02 \nIBM Sterling Control Center 5.2.0 through 5.2.12\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nControl Center| 6.0.0.1| iFix01| [Fix Central - 6.0.0.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nControl Center| 6.0.0.0| iFix03| [Fix Central - 6.0.0.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.0&platform=All&function=all>) \nControl Center| 5.4.2.1| iFix05 | [Fix Central - 5.4.2.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \nControl Center| 5.4.1.0| APAR IT10907| [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.4.0.1| APAR IT10907| [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.3.0.4| APAR IT10907 | [Fix Central - 5.4.1.0](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.1.0&platform=All&function=all>) \nControl Center| 5.2.11| APAR IT10907| Contact Support and request the fix package to be published for you on the ECuRep server. \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[IBM Java SDK Security Bulletin April 2015](<https://www-304.ibm.com/support/docview.wss?uid=swg21883640>) \n[IBM Java SDK Security Bulletin July 2015](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-1916 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA\n\n## Change History\n\n10 September 2015 - Original Version Published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.0.1;6.0;5.4.2.1;5.4.1;5.4;5.3;5.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Control Center", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2019-12-17T22:47:42", "id": "25D2B9C0FA0BC7D57BDB77AFAA062F9B600D1BCD47833017C2B0950C9718A7EF", "href": "https://www.ibm.com/support/pages/node/536543", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:57:31", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 and 7 that is used by IBM Operational Decision Manager (ODM), IBM ILOG JRules and IBM WebSphere Business Events (WBE). These issues were disclosed as part of the IBM Java SDK updates in April 2015 and July 2015. \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n## Vulnerability Details\n\n \n**CVEID**: [CVE-2015-0488](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [CVE-2015-0478](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID**: [CVE-2015-2808](<https://vulners.com/cve/CVE-2015-2808>)** \n****DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID**: [CVE-2015-1916](<https://vulners.com/cve/CVE-2015-1916>)\n\n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n * IBM WebSphere Business Events 7.0\n * IBM WebSphere ILOG JRules v7.1\n * IBM WebSphere Operational Decision Management v7.5 \n * IBM Operational Decision Manager v8.0 \n * IBM Operational Decision Manager v8.5\n * IBM Operational Decision Manager v8.6\n * IBM Operational Decision Manager v8.7\n\n## Remediation/Fixes\n\n \nIBM WebSphere ILOG JRules V7.1: \nInterim fix 48 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.1.1.5-WS-BRMS_JDK-WIN-IF048** \n \nIBM WebSphere Business Event 7.0: \nInterim fix RS01752 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.0.1.1-WS-BE-<OS>-RS02133** \n \nIBM WebSphere Operational Decision Management v7.5: \nInterim fix 45 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **7.5.0.4-WS-ODM_JDK-<OS>-****IF045** \n\n\nIBM Operational Decision Manager v8.0: \n\n \nInterim fix 47 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): ** 8.0.1.2-WS-ODM_JDK-<OS>-****IF047** \n\n\nIBM Operational Decision Manager v8.5:\n\n \nInterim fix 51 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.5.1.2-WS-ODM_JDK-<OS>-****IF051** \n\n\nIBM Operational Decision Manager v8.6:\n\n \nInterim fix 22 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.6.0.2-WS-ODM_JDK-<OS>-****IF022** \n\n\nIBM Operational Decision Manager v8.7:\n\n \nInterim fix 22 for APAR RS02133 is available from [IBM Fix Central](<https://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=select&productGroup0=ibm/WebSphere>): **8.7.0.0-WS-ODM_JDK-<OS>-****IF022**\n\n## Workarounds and Mitigations\n\nnone known, apply fix\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:32", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Operational Decision Manager, WebSphere ILOG JRules and WebSphere Business Events:", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4749"], "modified": "2018-06-15T07:03:32", "id": "60CE35DF934D73BFA400DF2649EEEC2388306C311088649B9FF31932969DCD56", "href": "https://www.ibm.com/support/pages/node/535947", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:43:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Versions 1.7.0 and 1.7.1 that are used by IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N):\n\n## Affected Products and Versions\n\nAll versions of IBM UrbanCode Deploy are vulnerable if used with an affected version of IBM Runtime Environment, Java Technology Edition. IBM Runtime Environment, Java Technology Edition, Version 1.7.0 SR 5, which was shipped with IBM UrbanCode Deploy 6.1.1 and 6.0, is among the versions affected. \n \nIBM UrbanCode Deploy with Patterns 6.1.0, 6.1.0.1, 6.1.0.2, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, and 6.1.1.4 embed an affected version of Java.\n\n## Remediation/Fixes\n\nIf using IBM UrbanCode Deploy with an affected version of Java, remove the installation, and install one of the following fixed releases below: \n\n\n * IBM Runtime Environment, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 4 and subsequent releases \n \n\n * IBM Runtime Environment, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 4 and subsequent releases \n \n\n * IBM Runtime Environment, Java Technology Edition, Version 7 Service Refresh 9 and subsequent releases \n \n\n * IBM Runtime Environment, Java Technology Edition, Version 7R1 Service Refresh 3 and subsequent releases \n \n\n * IBM Runtime Environment, Java Technology Edition, Version 8 Service Refresh 1 and subsequent releases\n \nIBM Runtime Environment, Java Technology Edition is available for download [here](<http://www.ibm.com/developerworks/java/jdk/>). For Windows and Solaris environments, updated IBM UrbanCode Deploy Java Runtime Environments for [6.0.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FRational%2FIBM+UrbanCode+Deploy&fixids=6.0.1.9.ifix01&source=SAR&function=fixId&parent=ibm/Rational>) and [6.1.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FRational%2FIBM+UrbanCode+Deploy&fixids=6.1.1.7.ifix01&source=SAR&function=fixId&parent=ibm/Rational>) are available as interim fixes. \n \nAdditional configuration steps are required, as detailed below. \n \n**Note:** The instructions below should only be used for switching between versions of IBM Runtime Environment, Java Technology Edition. Do not attempt to switch between Java vendors using these instructions. \n \n \n**_IBM UrbanCode Deploy Server_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, change the following line of the <server install directory>/conf/server/installed.properties file: \n\n\n`install.java.home=<path to new version of Java``>` \nAlso, the value of JAVA_HOME will have to be changed in the executable scripts in the <server install directory>/bin directory. \n \nOn UNIX systems, the line: \n\n`JAVA_HOME=\"<path to old version of Java``>\"` must be changed to reflect the new JAVA_HOME in the set-env, init/server, and init/_server scripts. \n \nOn Windows systems, the line: \n\n`set JAVA_HOME=<path to old version of Java``>` must be changed to reflect the new JAVA_HOME in the set_env.cmd, service/service.cmd, and service/_service.cmd scripts. \n \n \n**_IBM UrbanCode Deploy Agents_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, change the following line of the <agent install directory>/conf/agent/installed.properties file: \n\n`I``BM\\ UrbanCode\\ Deploy/java.home=``<path to new version of Java``>` \nAlso, the value of JAVA_HOME will have to be changed in the executable scripts in the <agent install directory>/bin directory. \n \nOn UNIX systems, the line: \n\n`JAVA_HOME=\"<path to old version of Java``>\"` must be changed to reflect the new JAVA_HOME in the agent, configure-agent, and init/agent scripts. \n \nOn Windows systems, the line: \n\n`set JAVA_HOME=<path to old version of Java``>` must be changed to reflect the new JAVA_HOME in the agent.cmd, configure-agent.cmd, and service/_agent.cmd scripts. \n \n \n**_IBM UrbanCode Deploy Agent Relays_** \nAfter installing the new version of IBM Runtime Environment, Java Technology Edition, the value of JAVA_HOME must be changed to reflect the new JAVA_HOME in the executable scripts in the <relay install directory>/bin directory. \n \nIn the agentrelay and init/agentrelay scripts, change the line: \n\n`JAVA_HOME=\"<path to old version of Java``>\"` \nIn the agentrelay.cmd and service/_agentrelay.cmd scripts, change the line: \n\n`set JAVA_HOME=<path to old version of Java``>` \n \n**_IBM UrbanCode Deploy with Patterns_** \nFor IBM UrbanCode Deploy with Patterns, upgrade to the IBM UrbanCode Deploy 6.1.2 component, which embeds IBM Java Runtime Environment, Java Technology Edition, Version 1.7.1 SR3 Fixpack 10. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:32:05", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4748"], "modified": "2018-06-17T22:32:05", "id": "BDFDB12EE4B5C4BCFFA9F0ECC2C1F998043665BB66572D44E03147ADE97B1C63", "href": "https://www.ibm.com/support/pages/node/534711", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-04T03:12:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). These issues were disclosed as part of the IBM\u00ae Java SDK updates in April and July 2015. \n\n## Vulnerability Details\n\nIBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM\u00ae Java SDK updates in April and July 2015: \n \n**April 2015 vulnerabilities:** \n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>)** \nDESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\" \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>)** \nDESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>)** \nDESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**July 2015 vulnerabilities:**\n\n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions: \n[_ __Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2015 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21962931>) \n \nThe July 2015 update contains all of the corrections from the April 2015 update. The April update is listed here for convenience, but upgrade to the July 2015 update to get all the corrections. \n[_ __Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2015 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21902260>) \n \n**Otherwise:** \n_Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades._ \nUpgrade your products to version **3.0.1.6 or 4.0.7** or **5.0.2** or **6.0**, apply the latest ifix, and then perform the following upgrades. Request the July 2015 CPU update for the IBM_\u00ae_ Java SDK: \n \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n\n * * For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0 or 6.0, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for guidance.\n * For the 2.x releases, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix. \n\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2021-04-28T18:35:50", "id": "8A73AC94075E067E0D2956EB222BBF00ACEC293AF298E2B41F4893F9FB9B6259", "href": "https://www.ibm.com/support/pages/node/535421", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:41:12", "description": "## Summary\n\nAn IBM Tivoli Monitoring shared component is included as part of Agent for Linux Kernel-based Virtual Machines. Information about a security vulnerability affecting an IBM Tivoli Monitoring shared component has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-2625 \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-1931 \nDESCRIPTION: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-7575 \nDESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \nCVEID: CVE-2015-4000 \nDESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Product Code**| **Affected IBM Tivoli Monitoring Version(s)** \n---|---|--- \nIBM\u00ae Tivoli\u00ae Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines versions 6.2.3 , 7.1 , 7.2 , 7.2.0.3| KV1| IBM Tivoli Monitoring versions 6.2.3 FP1 (JRE 6) through 6.3.0 FP6 (JRE 7) \n \n## Remediation/Fixes\n\nPlease consult the following IBM Tivoli Monitoring security bulletins for vulnerability details and information about fixes for the \"Java (CANDLEHOME) Remediation\" section. Note there is a single set of patches which address both bulletins. \n[_Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976066>) \n \n[_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931__ ) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21976560>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-23T07:35:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in an IBM Tivoli Monitoring shared component shipped with Agent for Linux Kernel-based Virtual Machines (CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-7575"], "modified": "2018-07-23T07:35:29", "id": "CEB27E785E600294CBB232BE2A4F87611DCB20D91D768C5E4A4B5C3B0D8D1D3A", "href": "https://www.ibm.com/support/pages/node/277409", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:09", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 7 and 7R1 that are used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>) \n**DESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \n\n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \n\n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \n\n \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM MessageSight 1.2.0.1 and earlier\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| _1.1.0.1_| IT10430 | [_1.1.0.1-IBM-IMA-IFIT10430_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.1.0.1-IBM-IMA-IT10430&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n_IBM MessageSight_| _1.2.0.1_| IT10430 | [_1.2.0-IBM-IMA-Physical-FP0002_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.2.0-IBM-IMA-Physical-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n[_1.2.0-IBM-IMA-VirtualEdition-FP0002_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.2.0-IBM-IMA-VirtualEdition-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n[_1.2.0-IBM-IMA-SoftLayerVirtual-FP0002_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.2.0-IBM-IMA-SoftLayerVirtual-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n[_1.2.0-IBM-IMA-BareMetal-FP0002_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.2.0-IBM-IMA-BareMetal-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:12:16", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2015-2590, CVE-2015-2613, CVE-2015-2625)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2590", "CVE-2015-2613", "CVE-2015-2625"], "modified": "2018-06-17T15:12:16", "id": "52D87171CAF873218A829198184C1E0E46AE19CC3A04599D70F2BDFF5AA4D2BF", "href": "https://www.ibm.com/support/pages/node/533819", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:48:57", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7sr9fp10,6sr16fp7 and 5sr16fp13 that is used by IBM Rational Build Forge. These issues were disclosed as part of the IBM Java SDK updates in July and October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nAll IBM Rational Build Forge versions on all supported Platforms\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_ | \n\n_APAR_ | \n\n_Remediation/First Fix_ \n---|---|---|--- \n \nRational BuildForge | \n\n7.1 - 7.1.1.4 | \n\nNone | \n\n[_7.1.1.4 iFix 1_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Build+Forge&release=7.1.1.4&platform=All&function=fixId&fixids=buildforge-7.1.1.4-1-0183&includeRequisites=1&includeSupersedes=0>) \n \nRational BuildForge | \n\n7.1.2.0 - 7.1.2.3 | \n\nNone | \n\n[_7.1.2.3 iFix 7_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Build+Forge&release=7.1.2.3&platform=All&function=fixId&fixids=7.1.2.3&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n \nRational BuildForge | \n\n7.1.3.0 - 7.1.3.6 | \n\nNone | \n\n[_7.1.3.6 iFix 7_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Build+Forge&release=7.1.3.6&platform=All&function=fixId&fixids=buildforge-7.1.3.6-7-0094&includeRequisites=1&includeSupersedes=0>) \n \nRational BuildForge | \n\n8.0 - 8.0.0.2 | \n\nNone | \n\n[_8.0.0.2 iFix 8_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Build+Forge&release=8.0.0.2&platform=All&function=fixId&fixids=buildforge-8.0.0.2-8-0089-2&includeRequisites=1&includeSupersedes=0&downloadMetho>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:08:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Build Forge (CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2018-06-17T05:08:38", "id": "800A2F8ECA31C99E0164F8028DC1794BC913502CA5A3550F4D0D762DC21B21F3", "href": "https://www.ibm.com/support/pages/node/538347", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:07:36", "description": "## Summary\n\nThe IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by multiple security vulnerabilities that exist in IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. The security bulletin includes issues disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4749_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.0.4 \nIBM Emptoris Program Management 10.0.0 through 10.0.4 \nIBM Emptoris Sourcing 10.0.0 through 10.0.4 \nIBM Emptoris Spend Analysis 10.0.0 through 10.0.4 \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.0.4 \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.0.4 \nIBM Emptoris Services Procurement 10.0.0\n\n## Remediation/Fixes\n\nAn interim fix has been issued for the IBM WebSphere Application Server (WAS) which will upgrade the IBM Java Development Kit to a version which is not susceptible to this vulnerability. Customers running any of the IBM Emptoris products listed above should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris applications. See [Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) for more details on upgrade versions. \n \nSelect the appropriate WebSphere Application Server fix based on the version being used for IBM Emptoris product version. The following table lists the IBM Emptoris application versions along with the corresponding required version of IBM WebSphere Application Server and a link to the corresponding fix version where further installation instructions are provided. \n \n \n\n\nEmptoris Product Version| WAS Version| Interim Fix \n---|---|--- \n9.5.x.x| 8.0.0.x| [_PI45308_](<http://www-01.ibm.com/support/docview.wss?uid=swg24040409>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040159>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039956>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039668>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039304>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038812>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038093>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24037708>) \n10.0.0.x, 10.0.1.x| 8.5.0.x| [_PI45306_](<http://www-01.ibm.com/support/docview.wss?uid=swg24040396>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040154>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039957>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039651>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039294>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038811>) \n10.0.2.x , \n10.0.4| 8.5.5.x| [_PI45306_](<http://www-01.ibm.com/support/docview.wss?uid=swg24040396>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24040154>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039957>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039651>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039294>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038811>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[IBM SDK Java Technology Edition Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n05 Nov 2015 - Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Platform\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {}, "published": "2018-06-16T19:48:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2625", "CVE-2015-4749"], "modified": "2018-06-16T19:48:52", "id": "03B2B306CF3D97AF8784830C083834129C31FF9B358DEAF5C19F1B57C7716D7F", "href": "https://www.ibm.com/support/pages/node/270279", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:41:11", "description": "## Summary\n\nAn IBM Tivoli Monitoring shared component is included as part of Agent for NetApp Storage. Information about a security vulnerability affecting an IBM Tivoli Monitoring shared component has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-2625 \nDESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-1931 \nDESCRIPTION: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \nCVEID: CVE-2015-7575 \nDESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \nCVEID: CVE-2015-4000 \nDESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Product Code**| **Affected IBM Tivoli Monitoring Version** \n---|---|--- \nIBM\u00ae Tivoli\u00ae Monitoring for Virtual Environments Agent for NetApp Storage versions 6.2.2 , 6.2.3 , 7.1 , 7.2 , 7.2.3| KNU| IBM Tivoli Monitoring versions 6.2.3 FP1 (JRE 6) through 6.3.0 FP6 (JRE 7) \n \n## Remediation/Fixes\n\nPlease consult the following IBM Tivoli Monitoring security bulletins for vulnerability details and information about fixes for the \"Java (CANDLEHOME) Remediation\" section. Note there is a single set of patches which address both bulletins. \n[_Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21976066>)\n\n[_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931__ ) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21976560>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-23T07:35:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in an IBM Tivoli Monitoring shared component shipped with Agent for NetApp Storage(CVE-2015-2625, CVE-2015-1931, CVE-2015-7575, CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-7575"], "modified": "2018-07-23T07:35:29", "id": "376881B708EE709A23D7CF26BB3E3EFE99A529E7B07BD86A464ECD42C2CA569D", "href": "https://www.ibm.com/support/pages/node/277407", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T09:36:15", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM Network Advisor. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 7.6\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score\n\nCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.\n\nCVSS Base Score: 4.3\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 2.6\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)\n\n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\nCVSS Base Score: 2.1\n\nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score\n\nCVSS Environmental Score*: Undefined\n\nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)\n\n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5\n\nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score\n\nCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Network Advisor versions prior to 14.0.2\n\n## Remediation/Fixes\n\nFixes in IBM Network Advisor 14.0.2 \n[_http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009621_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009621>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T00:28:25", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK (or if just using Runtime state IBM Java Runtime) affect IBM Network Advisor (CVE-2015-4748, CVE-2016-2613, CVE-2016-2601, CVE-2016-4749, CVE-2016-2625)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4748", "CVE-2015-4749", "CVE-2016-2601", "CVE-2016-2613", "CVE-2016-2625", "CVE-2016-4749"], "modified": "2018-06-18T00:28:25", "id": "BA4ED53D3BF345F5D067EA458E9C00169A222A7759D283882B8C2E806FEC9BE7", "href": "https://www.ibm.com/support/pages/node/696351", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:46", "description": "## Summary\n\nMultiple vulnerabilities have been identified in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and in supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.\n\n## Vulnerability Details\n\nThis security bulletin covers multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. It addresses other vulnerabilities including the IBM SDK, Java Technology Edition July 2015. \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n** \nCVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Principal Product and Version**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.4, 2.4.0.1 and 2.4.0.2 \n \n| IBM Business Process Manager Standard 8.5.0.1 \nIBM Tivoli System Automation Application Manager 4.1 \nIBM Tivoli System Automation for Multiplatforms 4.1 \nIBM Endpoint Manager for Patch Management 9.1 \nIBM DB2 Enterprise Server Edition 10.5.0.2 \nIBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1 and 2.4.0.2| IBM Business Process Manager Standard 8.5.0.1 \nIBM Tivoli System Automation Application Manager 4.1 \nIBM Tivoli System Automation for Multiplatforms 4.1 \nIBM Endpoint Manager for Patch Management 9.1 \nIBM DB2 Enterprise Server Edition 10.5.0.2 \nIBM SmartCloud Cost Management 2.1.0.4 \nIBM Tivoli Monitoring 6.3.0.2 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available. \n \n**If you are running IBM Cloud Orchestrator 2.4, 2.4.0.1 or 2.4.0.2** , [](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+SmartCloud+Orchestrator&release=2.4.0&platform=All&function=all>)[upgrade to IBM Cloud Orchestrator 2.4.0.2 Interim Fix 1](<http://www.ibm.com/support/docview.wss?uid=swg24040617>)or later. \n \nFor affected supporting products shipped with IBM Cloud Orchestrator, consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment. \n\n**Affected Supporting Product**| \n\n**Version**\n\n| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager | \n\n8.5.0.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator __(__CVE-2015-1920, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-4000__) _](<http://www.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| \n\n4.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-1920, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-4000 )_](<http://www.ibm.com/support/docview.wss?uid=swg21882528>) \nIBM Tivoli System Automation for Multiplatforms| \n\n4.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-1920, CVE-2015-1885, CVE-2015-4000)_](<http://www.ibm.com/support/docview.wss?uid=swg21882549>) \nIBM DB2 Enterprise Server Edition | \n\n10.5.0.2\n\n| [Security Bulletin: Multiple vulnerabilities in IBM DB2 Enterprise Server Edition shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (_CVE-2015-4000_)](<http://www.ibm.com/support/docview.wss?uid=swg21882724>) \n \nIBM Endpoint Manager for Patch Management| \n\n9.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Endpoint Manager for Patch Management shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-4000)_](<http://www.ibm.com/support/docview.wss?uid=swg21882824>) \n \n \n**If you are running IBM Cloud Orchestrator Enterprise 2.4,**** 2.4.0.1 or 2.4.0.2, **[upgrade to IBM Cloud Orchestrator 2.4.0.2 Interim Fix 1](<http://www.ibm.com/support/docview.wss?uid=swg24040617>) or later. \n \nFor affected supporting products shipped with IBM Cloud Orchestrator Enterprise, consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment. **Affected Supporting Product**| \n\n**Version**\n\n| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager | \n\n8.5.0.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-1920, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-4000) _](<http://www.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| \n\n4.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-1920, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-4000 )_](<http://www.ibm.com/support/docview.wss?uid=swg21882528>) \nIBM Tivoli System Automation for Multiplatforms| \n\n4.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-1920, CVE-2015-1885, CVE-2015-4000)_](<http://www.ibm.com/support/docview.wss?uid=swg21882549>) \nIBM Endpoint Manager for Patch Management| \n\n9.1\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Endpoint Manager for Patch Management shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-4000 and others)_](<http://www.ibm.com/support/docview.wss?uid=swg21882824>) \nIBM DB2 Enterprise Server Edition | \n\n10.5.0.2\n\n| [Security Bulletin: Multiple vulnerabilities in IBM DB2 Enterprise Server Edition shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (_CVE-2015-4000_)](<http://www.ibm.com/support/docview.wss?uid=swg21882724>) \nIBM SmartCloud Cost Management| \n\n2.1.0.4\n\n| [_Security Bulletin: A security vulnerability in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise (CVE-2015-1920, CVE-2015-1885, CVE-2015-1946, CVE-1927, CVE-2015-4000)_](<http://www.ibm.com/support/docview.wss?uid=swg21883102>) \nIBM Tivoli Monitoring| \n\n6.3.0.2\n\n| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise (CVE-2015-1920, CVE-2015-1885, CVE-2015-4000 )_](<http://www.ibm.com/support/docview.wss?uid=swg21883331>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:30:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1946", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2018-06-17T22:30:52", "id": "A8FCA8838CF049BF62AAB68408FB18EF0F19EB760464B7DCA7B268D4FDEBB1D1", "href": "https://www.ibm.com/support/pages/node/266527", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:38:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.7.0 that is used by Sterling Connect:Direct Browser User Interface. These issues were disclosed as part of the IBM Java SDK updates in April 2015 and July 2015. \n \nThis bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys\" SSL/TLS vulnerability, the RC4 Bar Mitzvah Attack for SSL/TLS vulnerability, and the Logjam Diffie-Hellman (DH) key exchange vulnerability.\n\n## Vulnerability Details\n\n[_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) was fixed in IBM SDK, Java Technology Edition under [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>). Both CVEs are included in this advisory for completeness. \n\n**CVEID:** [_CVE-2015-0488_](<https://vulners.com/cve/CVE-2015-0488>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-0478_](<https://vulners.com/cve/CVE-2015-0478>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102339_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102339>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-0204_](<https://vulners.com/cve/CVE-2015-0204>) \n**DESCRIPTION:** A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99707_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99707>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:**[_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION**: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See[_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>) \n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct Browser 1.5.0 through 1.5.0.2 iFix 12 \n\nIBM Sterling Connect:Direct Browser 1.4.0 through 1.4.11.0 iFix 3 \n\n\n## Remediation/Fixes\n\nSterling Connect:Direct Browser\n\n| 1.5.0.2| iFix 13| [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+Browser+User+Interface&release=1.5.0.2&platform=All&function=all>) \n---|---|---|--- \nSterling Connect:Direct Browser| 1.4.11.0| iFix 4| Contact Support and request the fix package be published for you on the ECuRep server. \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Connect:Direct Browser User Interface", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4749"], "modified": "2020-07-24T22:49:37", "id": "CB1B87BF4874E8E4FDFF0C5D0245F1B8EA7AF72E1648F87D112407D83AC6BFA1", "href": "https://www.ibm.com/support/pages/node/536483", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-13T05:37:49", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM SONAS. This issue was disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>) \n \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JCE component could allow a remote attacker to obtain sensitive information. The Java Cryptography Extension (JCE) is a Standard Extension to the Java Platform. JCE is used for implementating encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>[](<http://xforce.iss.net/xforce/xfdb/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SONAS \nThe product is affected when running a code releases 1.5.0.0 to 1.5.2.1\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SONAS to the following code level or higher: \n \n1.5.2.2 \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nWorkaround(s): None \n \nMitigation(s) : Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:09:55", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2015-2613)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2613"], "modified": "2018-06-18T00:09:55", "id": "9AB5502A182187DE670E4A36623CE73D240AD6D48C76E29D270570CCA5494A55", "href": "https://www.ibm.com/support/pages/node/690611", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:48", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 (Service Refresh 16 Fix Pack 5 and earlier) and 7 (Service Refresh 9 Fix Pack 1 and earlier) that is used by IBM Algo One Core, Algo Risk Application, and Counterparty Credit Risk. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n \n \n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See _h__ttps://exchange.xforce.ibmcloud.com/vulnerabilities/104727_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10.00 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2015-2659_](<https://vulners.com/cve/CVE-2015-2659>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n \n\n\n## Affected Products and Versions\n\nAlgo One Versions 4.7.0 through 5.0.0 \nARA Versions 2.5.8 through 5.0.0 \n \nThe following versions of the affected products are not being patched and users currently on one of the versions specified below are advised to upgrade to a patched version: \n \nARA 2.4.0.1 \nARA 2.4.1 \nARA 2.4.2 \nARA 2.5.0 \nARA 2.5.1 \nARA 2.5.2 \nARA 2.5.3 \nARA 2.5.4 \nARA 2.5.5 \nARA 2.5.5.2 \nARA 2.5.6 \nARA 2.5.7.1 \nARA 2.5.7.2 \n\n## Remediation/Fixes\n\nA fix has been created for each affected version of the named product, for CCR fixes please apply the corresponding Algo One Core patch. Download and install the appropriate fix as soon as practicable. Fixes and installation instructions are provided at the URLs listed below: \n \n \n \n\n\nPatch Number| Download URL \n---|--- \nAlgo One Core 500-228| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0228:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0228:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One Core 490-184| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0184:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0184:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One Core 480-080| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0080:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0080:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One Core 471-346| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0346:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0346:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One Core 470-325| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0325:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0325:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One ARA 500-229| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0229:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0229:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One ARA 491-036| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-Algo-OneARA-if0013:0&includeSupersedes=0&source=fc&login=true_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-Algo-OneARA-if0013:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One ARA 491-032| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-Algo-OneARA-if0017:0&includeSupersedes=0&source=fc&login=true_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-Algo-OneARA-if0017:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \nAlgo One ARA 258-007| | \n| | \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=2.5.8.9-Algo-OneARA-fp0009:0&includeSupersedes=0&source=fc&login=true _](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=2.5.8.9-Algo-OneARA-fp0009:0&includeSupersedes=0&source=fc&login=true>) \n---|--- \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T22:39:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2659", "CVE-2015-2664", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-15T22:39:24", "id": "CD91438C4049C3E50681096441AB24E202AD967CD3D183FD5CC2C7A6D09E32F8", "href": "https://www.ibm.com/support/pages/node/266691", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T19:08:24", "description": "## Summary\n\nIBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 1.6 shipped with IBM MDM SE engine, Workbench, and Brokers contains multiple vulnerabilities. IBM MDM SE engine, Workbench, and Brokers has addressed these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-0138_](<https://vulners.com/cve/CVE-2015-0138>) \n**DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100691_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100691>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1916_](<https://vulners.com/cve/CVE-2015-1916>) \n**DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101995_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101995>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2014-6593_](<https://vulners.com/cve/CVE-2014-6593>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker with an active man-in-the-middle session to hijack plaintext application data from active SSL/TLS sessions. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-0410_](<https://vulners.com/cve/CVE-2015-0410>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100151_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-0383_](<https://vulners.com/cve/CVE-2015-0383>) \n**DESCRIPTION:** An unspecified vulnerability related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)\n\n**CVEID:** [_CVE-2014-3566_](<https://vulners.com/cve/CVE-2014-3566>) \n**DESCRIPTION:** Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/97013_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2014-6457_](<https://vulners.com/cve/CVE-2014-6457>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/97148_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97148>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2014-6468_](<https://vulners.com/cve/CVE-2014-6468>) \n**DESCRIPTION:** An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/97138_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97138>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2014-4263_](<https://vulners.com/cve/CVE-2014-4263>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/94606_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/94606>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities are known to affect the following offerings: \n \nIBM Initiate Master Data Service versions 9.5, 9.7, 10.0, 10.1 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Workbench_ component)\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Initiate Master Data Service| 9.5| None| [9.5.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.5.120315_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub| 9.5| None| [9.5.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.5.120315_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| 9.5| None| [9.5.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.5.120315_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| 9.7| None| [9.7.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.7.120315_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub| 9.7| None| [9.7.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.7.120315_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| 9.7| None| [9.7.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.7.120315_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| 10.0| None| [10.0.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.0.120315_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Patient Hub| 10.0| None| [10.0.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=10.0.120315_IM_Initiate_Patient_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service Provider Hub| 10.0| None| [10.0.120315](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=10.0.120315_IM_Initiate_Provider_ALL_RefreshPack&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| 10.1| None| [_10.1.120315_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.1.120315_IM_Initiate_MasterDataService_ALL_RefreshPack&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone known\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-27T09:58:00", "type": "ibm", "title": "Security Bulletin: The IBM\u00ae Runtime Environments Java\u2122 version shipped with IBM MDM SE engine, Workbench, and Brokers may not address all security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6468", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0383", "CVE-2015-0410", "CVE-2015-1916", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2022-04-27T09:58:00", "id": "4EA215B3645DDAC4FD37F8734C45AA03E711B96215D9E5BD79734DA548CB9D4D", "href": "https://www.ibm.com/support/pages/node/273531", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:45:26", "description": "## Summary\n\nIBM Java is shipped as a component of VMware VI agent. Information about a security vulnerability affecting IBM Java has been published in a security bulletin. \nNote: Please see technote for upgrading Java runtime for VMware VI agent at http://www-01.ibm.com/support/docview.wss?uid=swg21883100 \n\n## Vulnerability Details\n\nPlease consult the security bulletin \nCVE-2015-0488: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV72348> \nCVE-2015-0204: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV70681> \nCVE-2015-2808: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888> \nCVE-2013-0443: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV36188> \nCVE-2015-2625: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV75166> \nCVE-2015-1931: <http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182> \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nVMware VI agent 7.2 FP3 and all prior versions.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-11-29T22:30:01", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Java shipped with VMware VI agent (CVE-2015-0488, CVE-2015-0204, CVE-2015-2808, CVE-2013-0443, CVE-2015-2625 and CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0443", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-1931", "CVE-2015-2625", "CVE-2015-2808"], "modified": "2018-11-29T22:30:01", "id": "C4FDA20D2B40995B6107B668E5B27AEAD5EA51C42F7A035DC4761653D1B94A39", "href": "https://www.ibm.com/support/pages/node/714449", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T06:15:25", "description": "## Summary\n\nJava is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\n \nPower HMC V7.3.0.0 \nPower HMC V7.8.0.0 \nPower HMC V7.9.0.0 \nPower HMC V8.1.0.0 \nPower HMC V8.2.0.0 \nPower HMC V8.3.0.0\n\n## Remediation/Fixes\n\n \nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation/Fix \n \n---|---|---|--- \n \nPower HMC\n\n| \n\nV7.7.3.0 SP7\n\n| \n\nMB03935\n\n| \n\nApply eFix MH01547 \n \nPower HMC\n\n| \n\nV7.7.8.0 SP2\n\n| \n\nMB03936\n\n| \n\nApply eFix MH01548 \n \nPower HMC\n\n| \n\nV7.7.9.0 SP2\n\n| \n\nMB03937\n\n| \n\nApply eFix MH01549 \n \nPower HMC\n\n| \n\nV8.8.1.0 SP2\n\n| \n\nMB03938\n\n| \n\nApply eFix MH01550 \n \nPower HMC\n\n| \n\nV8.8.2.0 SP2\n\n| \n\nMB03873 \n\n| \n\nApply Service Pack 2 MH01488 \n \nPower HMC\n\n| \n\nV8.8.3.0\n\n| \n\nMB03939\n\n| \n\nApply eFix MH01551 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-4733, CVE-2015-4732, CVE-2015-2590, CVE-2015-4731, CVE-2015-4748, CVE-2015-2664, CVE-2015-2621, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625 CVE-2015-1931)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2664", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4748", "CVE-2015-4749"], "modified": "2021-09-23T01:31:39", "id": "D173233F8673F62F52B6B2640C2820A132AFCE80B074B8596EF41B1E6B67938D", "href": "https://www.ibm.com/support/pages/node/666387", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-08T02:04:42", "description": "## Summary\n\nThe RC4 \u201cBar Mitzvah\u201d Attack for SSL/TLS affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2808_](<https://vulners.com/cve/CVE-2015-2808>) \n**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as \"Bar Mitzvah Attack\". \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/101851_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101851>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>)\n\nIf your product is deployed on Apache Tomcat, apply the workarounds listed in the Workaround and Mitigation section. \n\nUpdate your supplied IBM\u00ae Java SDK according to\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)](<http://www.ibm.com/support/docview.wss?uid=swg21964625>)\n\n## Workarounds and Mitigations\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS. \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21701503>)\n\nIf your product is deployed on Apache Tomcat, then you should apply the following mitigation:\n\n 1. Open the `<Jazz Install>\\server\\tomcat\\conf\\server.xml file`, and search for '`SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,` ' (no quotes), and delete the found text. If your version of server.xml has any other ciphers containing the \"RC4\", delete that cipher also. \n \n\n 2. Stop and restart the Apache Tomcat server.\n\nYou should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in RC4 stream cipher affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-2808)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2808"], "modified": "2021-04-28T18:35:50", "id": "3E8CBD7664E23468E3388AAA8D38722322E48FB06767224AD7578A77FEF26330", "href": "https://www.ibm.com/support/pages/node/261183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nJava SE issues disclosed in the Oracle July 2015 Critical Patch Update, plus CVE-2015-1931\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-2638 CVE-2015-4733 CVE-2015-4732 CVE-2015-2590 CVE-2015-4731 CVE-2015-4760 CVE-2015-4736 CVE-2015-4748 CVE-2015-2664 CVE-2015-2632 CVE-2015-2637 CVE-2015-2619 CVE-2015-2621 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-4729 CVE-2015-2625 CVE-2015-1931 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA>) and the X-Force database entries referenced below.\n\nThis bulletin also covers CVE-2015-1931, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition.\n\n \n \n**CVEID:** [_CVE-2015-2638_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4732_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4760_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2632_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2637_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2619_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2621_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4729_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [CVE-2015-1931](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 11 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 5 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 1 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 1 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 1 and earlier releases\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 13 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 10 and subsequent releases \n \nFor detailed information on which CVEs affect which releases, please refer to the [_IBM SDK, Java Technology Edition Security Alerts page_](<http://www.ibm.com/developerworks/java/jdk/alerts/>). \n \nIBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/java/jdk/index.html>) \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin. \n \n**APAR numbers are as follows:**\n\n[_IV75126_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75126>) (CVE-2015-2638)_ \n_[_IV75130_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75130>) (CVE-2015-4733)_ \n_[_IV75133_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75133>) (CVE-2015-4732)_ \n_[_IV75143_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75143>) (CVE-2015-2590)_ \n_[_IV75145_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75145>) (CVE-2015-4731)_ \n_[_IV75147_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75147>) (CVE-2015-4760)_ \n_[_IV75149_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75149>) (CVE-2015-4736)_ \n_[_IV75150_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75150>) (CVE-2015-4748)_ \n_[_IV75152_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75152>) (CVE-2015-2664)_ \n_[_IV75154_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75154>) (CVE-2015-2632)_ \n_[_IV75180_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75180>) (CVE-2015-2637)_ \n_[_IV75156_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75156>) (CVE-2015-2619)_ \n_[_IV75157_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75157>) (CVE-2015-2621)_ \n_[_IV75160_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75160>) (CVE-2015-2613)_ \n_[_IV75161_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75161>) (CVE-2015-2601)_ \n_[_IV75163_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75163>) (CVE-2015-4749)_ \n_[_IV75165_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75165>) (CVE-2015-4729)_ \n_[_IV75166_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75166>) (CVE-2015-2625)_ \n_[_IV75182_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182>) (CVE-2015-1931)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n \n[_Oracle July 2015 Java SE Critical Patch Update Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA>)_ \n_[_IBM SDK, Java Technology Edition Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts/>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 July 2015: Original version published \n27 July 2015: Fixed some minor CVE description problems\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSNVBF\",\"label\":\"Runtimes for Java Technology\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.0;7.1;7.0;6.1;6.0;5.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB36\",\"label\":\"IBM Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:03:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-15T07:03:23", "id": "3ABCE5B97D3FBEF2653E542822B7E2A4916949E65B52DFB6C87BAF2D516FD1F4", "href": "https://www.ibm.com/support/pages/node/532445", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:50:22", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition, Version 7 that is used by MegaRAID Storage Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**Summary**\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 that is used by MegaRAID Storage Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n**Vulnerability Details:**\n\n**CVEID:** [CVE-2015-2638](<https://vulners.com/cve/CVE-2015-2638>)\n\n**Description:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104727> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4733](<https://vulners.com/cve/CVE-2015-4733>)\n\n**Description:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104726> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4732](<https://vulners.com/cve/CVE-2015-4732>)\n\n**Description:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104725> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4731](<https://vulners.com/cve/CVE-2015-4731>)\n\n**Description:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104723> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4760](<https://vulners.com/cve/CVE-2015-4760>)\n\n**Description:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104721> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4736](<https://vulners.com/cve/CVE-2015-4736>)\n\n**Description:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104728> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4748](<https://vulners.com/cve/CVE-2015-4748>)\n\n**Description:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 7.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104729> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-2664](<https://vulners.com/cve/CVE-2015-2664>)\n\n**Description:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.\n\nCVSS Base Score: 6.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104731> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-2632](<https://vulners.com/cve/CVE-2015-2632>)\n\n**Description:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104732> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2637](<https://vulners.com/cve/CVE-2015-2637>)\n\n**Description:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104738> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2619](<https://vulners.com/cve/CVE-2015-2619>)\n\n**Description:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104737> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2621](<https://vulners.com/cve/CVE-2015-2621>)\n\n**Description:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104735> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2613](<https://vulners.com/cve/CVE-2015-2613>)\n\n**Description:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104734> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-2601](<https://vulners.com/cve/CVE-2015-2601>)\n\n**Description:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104733> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4749](<https://vulners.com/cve/CVE-2015-4749>)\n\n**Description:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104740> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4729](<https://vulners.com/cve/CVE-2015-4729>)\n\n**Description:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact.\n\nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104741> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-2625](<https://vulners.com/cve/CVE-2015-2625>)\n\n**Description:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.\n\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104743> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)\n\n**Description:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.\n\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/102967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967%20>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**Affected Products and Versions**\n\nProduct | Affected Version \n---|--- \nMegaRAID Storage Manager | 15.11 \n \n**Remediation/Fixes:**\n\nFirmware fix versions are available on Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fix Version \n---|--- \nMegaRAID Storage Manager \nibm_utl_msm_16.05.04.01_linux_32-64 \nibm_utl_msm_16.05.04.01_windows_32-64 | 16.05.04.01 \n \n**Workaround(s) & Mitigation(s):**\n\nNone\n\n**References:**\n\n * [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide.html>)\n * [On-line Calculator v2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [IBM Java SDK Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n17 May 2017: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect MegaRAID Storage Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2019-01-31T02:25:02", "id": "C9B127D102B44D6D14EDA190EA91F8A24449619880F766B74375DF75AC7520DB", "href": "https://www.ibm.com/support/pages/node/868706", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:53:39", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 that is used by IBM Flex System Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n## Affected Products and Versions\n\nFlex System Manager 1.1.x.x \nFlex System Manager 1.2.0.x \nFlex System Manager 1.2.1.x \nFlex System Manager 1.3.0.x \nFlex System Manager 1.3.1.x \nFlex System Manager 1.3.2.x \nFlex System Manager 1.3.3.x \nFlex System Manager 1.3.4.x\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n \n \n\n\nProduct | \n\nVRMF | \n\nAPAR | Remediation \n---|---|---|--- \nFlex System Manager| \n\n1.3.4.x | \n\nIT11624 | Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [_761981453_](<http://www-01.ibm.com/support/docview.wss?uid=nas777e5323a516f40f286257f03006ae4b5>) for instructions on installing updates for the FSM and Agents. \nFlex System Manager| \n\n1.3.3.x | \n\nIT11624\n\n| Verify that [_POODLE remediation_](<https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098586>) (IT05161) has been completed, then install [_fsmfix1.3.3.0_IT10914_IT11624_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT10914_IT11624>). \n\nInstructions for verifying installation of IT05161 can be found [_here_](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>). \n \nFlex System Manager| \n\n1.3.2.x | \n\nIT11624\n\n| Verify that [_POODLE remediation_](<https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098586>) (IT05161) has been completed, then install [_fsmfix1.3.2.0_IT10914_IT11624_](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT10914_IT11624>). \n\nInstructions for verifying installation of IT05161 can be found [_here_](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=nas724cb521f58c4126286257dfd005c1958>). \n \nFlex System Manager| \n\n1.3.1.x | \n\nIT11624\n\n| IBM is no longer providing code updates for this release. Upgrade to [_FSM 1.3.4.0_](<http://www.ibm.com/support/fixcentral/systemx/quickorder?parent=Flex%2BSystem%2BManager%2BNode&product=ibm/systemx/8731&&platform=All&function=fixId&fixids=FSMApplianceUpdate-1-3-4&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager| \n\n1.3.0.x | \n\nIT11624\n\n| IBM is no longer providing code updates for this release. Upgrade to [_FSM 1.3.4.0_](<http://www.ibm.com/support/fixcentral/systemx/quickorder?parent=Flex%2BSystem%2BManager%2BNode&product=ibm/systemx/8731&&platform=All&function=fixId&fixids=FSMApplianceUpdate-1-3-4&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) and follow the appropriate remediation for all vulnerabilities. \nFlex System Manager| \n\n1.2.1.x | \n\nIT11624\n\n| Effective September 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. \nFlex System Manager| \n\n1.2.0.x | \n\nIT11624\n\n| Effective September 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. \nFlex System Manager| \n\n1.1.x.x | \n\nIT11624\n\n| Effective April 30, 2015, IBM has discontinued service for these version/release/modification/fix levels. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:29:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-18T01:29:36", "id": "CD1CEEEED74112878AE5AB1C531655B7FEBD8354CEA515F99B385E9D4BE62A00", "href": "https://www.ibm.com/support/pages/node/681505", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:57:34", "description": "## Summary\n\nJava SE issues disclosed in the Oracle July 2015 Critical Patch Update, plus CVE-2015-1931.\n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-2638 CVE-2015-4733 CVE-2015-4732 CVE-2015-2590 CVE-2015-4731 CVE-2015-4760 CVE-2015-4736 CVE-2015-4748 CVE-2015-2664 CVE-2015-2632 CVE-2015-2637 CVE-2015-2619 CVE-2015-2621 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-4729 CVE-2015-2625 CVE-2015-1931 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their July 2015 Critical Patch Update. For more information please refer to [_Oracle's July 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA>) and the X-Force database entries referenced below.\n\nThis bulletin also describes CVE-2015-1931 which affects IBM WebSphere Real Time.\n\n \n \n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n**CVEID:** [CVE-2015-1931](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 9 and earlier releases\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 10 and subsequent releases \n \nIBM customers should download WebSphere Real Time updates from [Fix Central](<http://www.ibm.com/support/fixcentral/>). \n \nIBM WebSphere Real Time releases can also be downloaded from [_developerWorks_](<http://www.ibm.com/developerworks/java/jdk/index.html>). \n \n**APAR numbers are as follows:**\n\n[_IV75126_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75126>) (CVE-2015-2638)_ \n_[_IV75130_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75130>) (CVE-2015-4733)_ \n_[_IV75133_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75133>) (CVE-2015-4732)_ \n_[_IV75143_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75143>) (CVE-2015-2590)_ \n_[_IV75145_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75145>) (CVE-2015-4731)_ \n_[_IV75147_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75147>) (CVE-2015-4760)_ \n_[_IV75149_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75149>) (CVE-2015-4736)_ \n_[_IV75150_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75150>) (CVE-2015-4748)_ \n_[_IV75152_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75152>) (CVE-2015-2664)_ \n_[_IV75154_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75154>) (CVE-2015-2632)_ \n_[_IV75180_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75180>) (CVE-2015-2637)_ \n_[_IV75156_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75156>) (CVE-2015-2619)_ \n_[_IV75157_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75157>) (CVE-2015-2621)_ \n_[_IV75160_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75160>) (CVE-2015-2613)_ \n_[_IV75161_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75161>) (CVE-2015-2601)_ \n_[_IV75163_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75163>) (CVE-2015-4749)_ \n_[_IV75165_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75165>) (CVE-2015-4729)_ \n_[_IV75166_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75166>) (CVE-2015-2625)_ \n_[_IV75182_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182>) (CVE-2015-1931)\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:24", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in current releases of IBM\u00ae WebSphere Real Time", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-15T07:03:24", "id": "D48D8B0F5BB77C84342594E22E2D168A587947CA8F126B068A1738B1CC98EEC7", "href": "https://www.ibm.com/support/pages/node/532695", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-04T03:12:18", "description": "## Summary\n\nThe Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>) \n**DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## Remediation/Fixes\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21957980>)\n\nIf your product is deployed on Apache Tomcat, apply the workarounds listed in the Workaround and Mitigation section.\n\nUpdate your supplied IBM\u00ae Java SDK according to\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)](<http://www.ibm.com/support/docview.wss?uid=swg21964625>)\n\n## Workarounds and Mitigations\n\nIf your product is deployed on IBM WebSphere\u00ae Application Server (WAS), you should apply the WAS remediation/mitigation according to the bulletin published by WAS: \n\n[Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21957980>)\n\n**To disable vulnerable ciphers on Tomcat:**\n\n \n \n1) Open the file <JTS Install>/server/tomcat/conf/server.xml \n \n2) Modify the <Connector> element, **ciphers **property to use this list: \n`ciphers = \"SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\" ` \n \n**Note**: To be able to use the 256 bit AES Ciphers, it may be necessary to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found [_here._](<https://www.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US>) Your IBM JRE may already have these policy files depending on version. \n\n**To disable vulnerable ciphers in the RTC Client, either:**\n\n * Disabling DH and DHE cipher suites. The can be achieved by adding the DH and DHE cipher suites to the list of disabled algorithms defined by the **jdk.tls.disabledAlgorithms **security property in <RTC Client>/client/eclipse/jdk/jre/lib/security/java.security \n \n**Or **\n * Configure SP800-131a strict compliance or any Suite B configuration\n * **To disable vulnerable ciphers on Liberty:** \n \n1) Open the file <JTS Install>/server/liberty/clmServerTemplate/server.xml \n \n2) Add the following line depending on the scenario used: \n \nCase 1: Configuration when not integrating with DOORS v9.x \n`<ssl id=\"defaultSSLConfig\" sslProtocol=\"TLS\" enabledCiphers= \"SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\"/>` \n \nCase 2: Configuration when integrating with DOORS v9.x (Note: DOORS 9 requires use of some ciphers not listed in Case 1. The ciphers DOORS 9 product supports may change over time. Consult your documentation for DOORS 9 releases to monitor any changes.) \n`<ssl id=\"defaultSSLConfig\" sslProtocol=\"TLS\" enabledCiphers= \"SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA\"/>` \n \n3) Repeat steps 1 and 2 for <JTS Install>/server/liberty/servers/clm/server.xml(if exists) \n \nNote: It will be required to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found [_here._](<https://www.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US>) Your IBM JRE may already have these policy files depending on version.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1916", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2808", "CVE-2015-4000"], "modified": "2021-04-28T18:35:50", "id": "6652670EF6E6EDBDD8B1BC971B1388AE4EAD3072A0556537B0DC7258BBDD9001", "href": "https://www.ibm.com/support/pages/node/714399", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:41:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 that is used by IBM Tivoli System Automation for Integrated Operations Management. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects.\n\n## Vulnerability Details\n\n**Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Integrated Operations Management (CVE-2015-4000, CVE-2015-2638, CVE-2015-4733, CVE-2015-4732, CVE-2015-2590, CVE-2015-4731, CVE-2015-4760, CVE-2015-4736, CVE-2015-4748, CVE-2015-2664, CVE-2015-2632, CVE-2015-2637, CVE-2015-2619, CVE-2015-2621, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-4729, CVE-2015-2625, CVE-2015-1931)**\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation for Integrated Operations Management 2.1.0 and 2.1.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation for Integrated Operations Management. Please see below for information on the fixes available. \n \n* If you are running IBM Tivoli System Automation for Integrated Operations Management 2.1.1, please apply interim fix IF0007 of this product version. You can apply this iFix on top of any fixpack of version 2.1.1. \n* If you are running IBM Tivoli System Automation for Integrated Operations Management 2.1.0, please apply interim fix IF0007 of this product version. You can apply this iFix on top of any fixpack of version 2.1.0. \nAdditionally you need to install the corresponding fix from IBM WebSphere Application Server. Please follow this link for details: [_http://www-01.ibm.com/support/docview.wss?uid=swg21957980_](<http://www-01.ibm.com/support/docview.wss?uid=swg21957980>) \n \n \n\n\n_Product_| _VRMF_| _APAR_ \n---|---|--- \n_IBM Tivoli System Automation for Integrated Operations Management_| _2.1.1, 2.1.0_| [__Download Link__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+for+Integrated+Operations+Management&release=All&platform=Windows&function=all>) \n \nYou should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-09T04:20:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Integrated Operations Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4000", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-08-09T04:20:36", "id": "11D2941D2C8C3F09B99B7AD0F337748E31169A5FE52F793E615EFEA790066C89", "href": "https://www.ibm.com/support/pages/node/533765", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:55", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 6 that is by SmartCloud Provisioning for IBM Software Virtual Appliance. These issues were disclosed as part of the IBM Java SDK updates in July 2015. \n \nThis bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SmartCloud Provisioning 2.1 for Software Virtual Appliance\n\n## Remediation/Fixes\n\nIf you are running **IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance**, contact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:30:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect SmartCloud Provisioning for IBM Software Virtual Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2664", "CVE-2015-4000", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-17T22:30:13", "id": "937053D178A403D90ADE669A574517EC3D828AFADB2ABAAF335EADA26FB2E061", "href": "https://www.ibm.com/support/pages/node/266011", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:42:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM i. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>) \n**DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n\n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2628_](<https://vulners.com/cve/CVE-2015-2628>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104722_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104722>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>) \n**DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>) \n**DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>) \n**DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>) \n**DESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>) \n**DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>) \n**DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>) \n**DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>) \n**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2659_](<https://vulners.com/cve/CVE-2015-2659>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104736_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>) \n**DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2596_](<https://vulners.com/cve/CVE-2015-2596>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104739_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104739>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>) \n**DESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>) \n**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/102967_](<http://xforce.iss.net/xforce/xfdb/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nReleases V3R7, V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3, V5R4, 6.1, 7.1 and 7.2 of IBM i are affected. \n\n## Remediation/Fixes\n\nThe issue can be fixed by applying a PTF to the IBM i Operating System. \n \nReleases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. Releases V3R7, V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3 and V5R4 are unsupported and will not be fixed. \n \nPlease see the Java document at this URL for the latest Java information for IBM i: \n[_http://www.ibm.com/developerworks/ibmi/techupdates/java_](<http://www.ibm.com/developerworks/ibmi/techupdates/java>) \n \nThe IBM i Group PTF numbers are: \n \nRelease 6.1 \u2013 SF99562 level 33 \nRelease 7.1 \u2013 SF99572 level 22 \nRelease 7.2 \u2013 SF99716 level 7 \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._ \n** ** \nIBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2596", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2628", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2659", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2019-12-18T14:26:38", "id": "B5ADCF6D69219ACACE818A443FD3EDF031CF92FEE48D35E7F2D1B7165382E648", "href": "https://www.ibm.com/support/pages/node/666427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:57:28", "description": "## Summary\n\nMultiple security vulnerablilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to all these risks but client side applications using the CICS TG supplied JREs might be. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2628_](<https://vulners.com/cve/CVE-2015-2628>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104722_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104722>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2659_](<https://vulners.com/cve/CVE-2015-2659>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104736_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2596_](<https://vulners.com/cve/CVE-2015-2596>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104739_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104739>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1931_](<https://vulners.com/cve/CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102967_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nCICS Transaction Gateway for Multiplatforms v7.2, v8.0, v8.1, v9.0 and v9.1. Inclusion in this list does not imply that all the products are supported. See the[ IBM Support Lifecycle](<http://www-01.ibm.com/software/support/lifecycle/>) page for product end of support dates. \n\n## Remediation/Fixes\n\nUpdated JRE's have been made available on Fix Central. Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated JREs which can used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central:_ \n_[http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other software&query.product=ibm~WebSphere~CICS Transaction Gateway for Multiplatforms&query.release=All&query.platform=All ](<http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=All&query.platform=All>)\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:03:34", "type": "ibm", "title": "Security Bulletin: CICS Transaction Gateway for Multiplatforms", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2590", "CVE-2015-2596", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2628", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2659", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-15T07:03:34", "id": "035E31B21FA2842E5298751581BB08BF4D71E59074D3963F953E41666C138394", "href": "https://www.ibm.com/support/pages/node/537069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:33", "description": "## Summary\n\nThere are multiple vulnerabilities in Oracle\u00ae Java\u2122 Runtime Environment version 1.7 that is used by IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA) configuration tool. These issues were disclosed as part of the Java updates from July 2015, October 2015, January 2016 and April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2659_](<https://vulners.com/cve/CVE-2015-2659>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104736_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<https://vulners.com/cve/CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<https://vulners.com/cve/CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4803_](<https://vulners.com/cve/CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-0483_](<https://vulners.com/cve/CVE-2016-0483>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109945_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109945>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2016-0475_](<https://vulners.com/cve/CVE-2016-0475>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109946_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109946>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2016-0466_](<https://vulners.com/cve/CVE-2016-0466>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109948_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109948>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java, SE Java SE Embedded and JRockit related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2016-3425_](<https://vulners.com/cve/CVE-2016-3425>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java, SE Embedded and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112460_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112460>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-0695_](<https://vulners.com/cve/CVE-2016-0695>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and JRockit related to the Security component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112458_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112458>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.x \nFlex System Manager 1.3.3.x \nFlex System Manager 1.3.2.x\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM SMIA configuration tool using the instructions referenced in this table. \n\n**IMPORTANT:** Before installing a SMIA iFix you need to determine the version that is currently installed. To determine the SMIA version level installed on the FSM log into your FSM Web-based UI and navigate to the Home page and Applications tab. The version is listed next to the \"SMIA Configuration Tool\" link.\n\n * If your SMIA version is less than 12.3.4, update your FSM using the instructions listed in this [Security Bulletin](<https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098656>) ([https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098656](<https://www-947.ibm.com/support/entry/myportal/docdisplay?lndocid=migr-5098656>)), restart the FSM and then install the iFix listed in this table. \n * If your version is 12.3.4 or greater, then install the iFix listed in this table.\n\nProduct | \n\nVRMF | \n\nAPAR | \n\nSMIA Remediation \n---|---|---|--- \nFlex System Manager| \n\n1.3.4.x | \n\nIT12600\n\n| Install [fsmfix1.3.4.0_IT12600_IT17778](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT12600_IT17778&function=fixId&parent=Flex%20System%20Manager%20Node>). \nFlex System Manager| \n\n1.3.3.x | \n\nIT12600\n\n| Install [fsmfix1.3.3.0_IT12600_IT17778](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT12600_IT17778&function=fixId&parent=Flex%20System%20Manager%20Node>). \nFlex System Manager| \n\n1.3.2.x | \n\nIT12600\n\n| [](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT12600_IT17778&function=fixId&parent=Flex%20System%20Manager%20Node>)Install [fsmfix1.3.2.0_IT12600_IT17778](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT12600_IT17778&function=fixId&parent=Flex%20System%20Manager%20Node>) \n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>) \n \nFor 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:34:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Oracle\u00ae Java\u2122 Runtime Environment version 1.7 that is used by IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2659", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2016-0466", "CVE-2016-0475", "CVE-2016-0483", "CVE-2016-0695", "CVE-2016-3425", "CVE-2016-3427"], "modified": "2018-06-18T01:34:26", "id": "2EBE18E6BFBAB729289EB191B100C4B2DB254A6249E2A51851B4C72069DDA2FF", "href": "https://www.ibm.com/support/pages/node/630033", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:40:59", "description": "## Problem\n\nCognos Command Center Security Bulletins.\n\n## Resolving The Problem\n\n## Tab navigation\n\n * 10.2.x\n * 10.1\n\nSecurity bulletins for Cognos Command Center 10.2.x \n--- \n**Published / Updated**| **Title** \nMay 2018| [Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-1417, CVE-2018-2783, CVE-2018-2794)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016473>) \nMarch 2018| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10295, CVE-2017-10345, CVE-2017-10355, CVE-2017-10356)](<https://www.ibm.com/support/docview.wss?uid=swg22013651>) \nNovember 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10115, CVE-2017-10116)](<https://www.ibm.com/support/docview.wss?uid=swg22009304>) \nJuly 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center](<https://www.ibm.com/support/docview.wss?uid=swg22005425>) \nMarch 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center](<https://www.ibm.com/support/docview.wss?uid=swg22001158>) \nFebruary 2016| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575)](<https://www.ibm.com/support/docview.wss?uid=swg21975832>) \nDecember 2015| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872)](<https://www.ibm.com/support/docview.wss?uid=swg21972446>) \nDecember 2015| [Vulnerability in RC4 stream cipher affects IBM Cognos Command Center (CVE-2015-2808)](<https://www.ibm.com/support/docview.wss?uid=swg21713646>) \nOctober 2015| [ Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)](<https://www.ibm.com/support/docview.wss?uid=swg21967158>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects IBM Cognos Command Center (CVE-2015-4000)](<https://www.ibm.com/support/docview.wss?uid=swg21960508>) \nApril 2015| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2014-6593, CVE-2015-0138)](<https://www.ibm.com/support/docview.wss?uid=swg21697659>) \nJanuary 2015| [Vulnerability in SSLv3 affects IBM Cognos Command Center (CVE-2014-3566)](<https://www.ibm.com/support/docview.wss?uid=swg21690689>)", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-15T23:52:08", "type": "ibm", "title": "Security Bulletins - Cognos Command Center", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4872", "CVE-2015-5006", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10355", "CVE-2017-10356", "CVE-2018-1417", "CVE-2018-2579", "CVE-2018-2602", "CVE-2018-2603", "CVE-2018-2633", "CVE-2018-2783", "CVE-2018-2794"], "modified": "2018-06-15T23:52:08", "id": "FC4C804F44282D78247FA90BC4C8C855819430A02725094AC97DBD89D0227589", "href": "https://www.ibm.com/support/pages/node/568995", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:54:29", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 (Service Refresh 16 Fix Pack 5 and earlier) and 7 (Service Refresh 9 Fix Pack 1 and earlier) that is used by IBM Cognos Metrics Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n \n \n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n\n## Affected Products and Versions\n\n * * IBM Cognos Metrics Manager 10.2.2\n * IBM Cognos Metrics Manager 10.2.1\n * IBM Cognos Metrics Manager 10.2\n * IBM Cognos Metrics Manager 10.1.1\n * IBM Cognos Metrics Manager 10.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. As the fix is in a shared component across the Business Intelligence portfolio, applying the BI Interim Fix will resolve the issue. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version. \n\n\n[IBM Cognos Business Intelligence 10.2.x Interim Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24040519>)\n\n[IBM Cognos Business Intelligence 10.1.x Interim Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24040520>)\n\n_For IBM Cognos Metrics Manager versions before 10.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product_\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-15T23:13:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager (CVE-2015-2625 , CVE-2015-4748, CVE-2015-4749)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2625", "CVE-2015-4748", "CVE-2015-4749"], "modified": "2018-06-15T23:13:58", "id": "5D9E23BAD0DEC7E3C9BE6EE3254C32064BFF6836711ECF93F299A394A3CEE442", "href": "https://www.ibm.com/support/pages/node/533703", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:40:04", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition Versions 6 and 7 that are used by IBM GPFS Native RAID. These issues were disclosed as part of the IBM Java SDK updates in July 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM GPFS Native RAID 4.1.0.0 and later for the Elastic Storage Server and the GPFS Storage Server\n\n## Remediation/Fixes\n\nFor the Elastic Storage Server 3.0 and 3.0.1, obtain ESS 3.0.2.\n\n \nFor the Elastic Storage Server 2.5.2, obtain ESS 2.5.2-efix1.\n\n \nFor the GPFS Storage Server 2.0, 2.0.1, 2.0.2 and 2.0.3, obtain GSS 2.0.4. \n \nThe images are at Fix Central[_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/Other+software/GPFS+Native+RAID+for+GPFS+Storage+Server&release=All&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/Other+software/GPFS+Native+RAID+for+GPFS+Storage+Server&release=All&platform=All&function=all>) \n \nComplete the following steps: \n1\\. Elastic Storage Server 3.0.x \nObtain ESS 3.0.2 install software and upgrade the system. See release note for details. \n \n2\\. Elastic Storage 2.5.2 \nObtain ESS 2.5.2-efix1 and upgrade the system. See release note for details.\n\n3\\. GPFS Storage Server 2.0, 2.0.1, 2.0.2 and 2.0.3 \nObtain GSS 2.0.4 and upgrade the system. See release note for details. \n\n \nFor the GPFS Storage Server 2.5, contact Lenovo at [_http://shop.lenovo.com/us/en/systems/servers/high-density/gpfs-storage/_](<http://shop.lenovo.com/us/en/systems/servers/high-density/gpfs-storage/>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2021-03-08T18:46:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM GPFS Native RAID (CVE-2015-2638, CVE-2015-4760, CVE-2015-2619, CVE-2015-2613)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2638", "CVE-2015-4760"], "modified": "2021-03-08T18:46:02", "id": "23F1F0AB4D1857515FE960B51E370FB7F21D8DE14D6A5C60A850469DBF492783", "href": "https://www.ibm.com/support/pages/node/681167", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T09:36:14", "description": "## Summary\n\nMultiple N series products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 8u51, 7u85 and 6u101 and OpenJDK versions below 1.7.0.85 and 1.8.0.51 are susceptible to multiple vulnerabilities, potentially leading to an unauthorized Operating System takeover, a partial denial of service (DOS), an unauthorized read, update, insert or delete access to a subset of Java SE accessible data. Multiple N series products have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2638_](<https://vulners.com/cve/CVE-2015-2638>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104727_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104727>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4733_](<https://vulners.com/cve/CVE-2015-4733>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104726_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104726>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4732_](<https://vulners.com/cve/CVE-2015-4732>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104725_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104725>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2590_](<https://vulners.com/cve/CVE-2015-2590>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104724_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104724>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4731_](<https://vulners.com/cve/CVE-2015-4731>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104723_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104723>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2628_](<https://vulners.com/cve/CVE-2015-2628>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104722_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104722>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4760_](<https://vulners.com/cve/CVE-2015-4760>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104721_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4736_](<https://vulners.com/cve/CVE-2015-4736>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104728_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4748_](<https://vulners.com/cve/CVE-2015-4748>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104729_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2664_](<https://vulners.com/cve/CVE-2015-2664>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104731_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-2632_](<https://vulners.com/cve/CVE-2015-2632>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104732_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2637_](<https://vulners.com/cve/CVE-2015-2637>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104738_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2619_](<https://vulners.com/cve/CVE-2015-2619>)** \nDESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104737_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2621_](<https://vulners.com/cve/CVE-2015-2621>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104735_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104735>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2613_](<https://vulners.com/cve/CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2601_](<https://vulners.com/cve/CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-2659_](<https://vulners.com/cve/CVE-2015-2659>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104736_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4749_](<https://vulners.com/cve/CVE-2015-4749>)** \nDESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-2596_](<https://vulners.com/cve/CVE-2015-2596>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104739_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104739>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4729_](<https://vulners.com/cve/CVE-2015-4729>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104741_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104741>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-2625_](<https://vulners.com/cve/CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nNS OnCommand Core Package: 5.2, 5.2R1, 5.2.1P1, 5.2.1P2; \nNS OnCommand Unified Manager for DataONTAP: 6.1R1; \nN series VASA Provider: 1.0, 1.0.1; \nSnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4; \nSnapManager for SAP: 3.2, 3.3, 3.3.1, 3.4; \nVirtual Storage Console for VMware vSphere: 4.2.1, 5.0, 6.0, 6.1;\n\n## Remediation/Fixes\n\nFor_ _SnapManager for Oracle: the fix exists from microcode version 3.4P2; \nFor_ _SnapManager for SAP: the fix exists from microcode version 3.4P2; \nFor Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2; \n \nPlease contact IBM support or go to this [_link_](<https://www-945.ibm.com/support/fixcentral/>) to download a supported release. For customers who are using N series VASA Provider, NS OnCommand Unified Manager for DataONTAP or NS OnCommand Core Package, please contact IBM support.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-18T00:28:35", "type": "ibm", "title": "Security Bulletin: July 2015 Java Platform Standard Edition Vulnerabilities in Multiple N series Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2590", "CVE-2015-2596", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2619", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2628", "CVE-2015-2632", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2659", "CVE-2015-2664", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4736", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760"], "modified": "2018-06-18T00:28:35", "id": "418FB3B93A868C8ED89ADB32C7F0F86F1FFB5FF80A4383CEC58D35E30D807CD4", "href": "https://www.ibm.com/support/pages/node/696459", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM Tivoli System Automation Application Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automation Application Manager has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the following security bulletins for IBM Tivoli System Automation Application Manager for vulnerability details and information about fixes: \n\n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21986467>)\n * [Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982644>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0306)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981988>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977129>)\n * [Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977546>)\n * [](<http://www-01.ibm.com/support/docview.wss?uid=swg21970551>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970551>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971113>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-3183)](<http://www.ibm.com/support/docview.wss?uid=swg21967198>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-1283)](<http://www.ibm.com/support/docview.wss?uid=swg21967200>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation Application Manager (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963331>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1946)](<http://www.ibm.com/support/docview.wss?uid=swg21963233>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21963673>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21963672>) \n \n\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation Application Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21960859>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957955>) \n \n\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-3566, CVE-2014-6457) \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698238>) \n \n\n * [](<http://www.ibm.com/support/docview.wss?uid=swg21698238>)[](<http://www.ibm.com/support/docview.wss?uid=swg21691929>)[Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation Application Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882751>)\n\n## Affected Products and Versions\n\n** Principal Product and Version**\n\n| ** Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.4, 2.4.0.3, 2.4.0.2, and 2.4.0.1 \n\nIBM Cloud Orchestrator Enterprise 2.5.0.2, 2.5.0.1, 2.4, 2.4.0.3, 2.4.0.2 and 2.4.0.1\n\n| IBM Tivoli System Automation Application Manager 4.1 \nIBM SmartCloud Orchestrator 2.3 and 2.3.0.1 \n\nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1\n\n| IBM Tivoli System Automation Application Manager 3.2.2 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410", "CVE-2015-1283", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-5254", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0306", "CVE-2016-0359", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T22:30:51", "id": "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "href": "https://www.ibm.com/support/pages/node/261351", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:40", "description": "## Summary\n\nIBM Tivoli System Automation for Multiplatforms is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automation for Multiplatforms has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM Tivoli System Automation for Multiplatforms for vulnerability details and information about fixes. \n \n\n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-0466, CVE-2015-7575)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977127>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21971479&myns=swgtiv&mynp=OCSSRM2X&mync=E&cm_sp=swgtiv-_-OCSSRM2X-_-E>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21970548>) \n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21967199>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-1283)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967199>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-3183)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967197>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963330>) \n \n\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000)](<www.ibm.com/support/docview.wss?uid=swg21960862>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-1914, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21957951>) \n \n\n * [Security Bulletin: Vulnerability in WebSphere Application Server affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957952>) \n \n\n * [Security Bulletin: Vulnerability in IBM Tivoli System Automation for Multiplatforms (CVE-2014-0453)](<http://www-01.ibm.com/support/docview.wss?uid=swg21680562>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882749>). \n \n\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-3566, CVE-2014-6468, CVE-2014-6457) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698239>)\n\n## Affected Products and Versions\n\n**Principal Product and Version**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3 \n\nIBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3\n\n| IBM Tivoli System Automation for Multiplatforms 4.1 \nIBM SmartCloud Orchestrator 2.3, 2.3.0.1 \n\nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1\n\n| IBM Tivoli System Automation for Multiplatforms 3.2.2 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0453", "CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6468", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1283", "CVE-2015-1914", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1931", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-5006", "CVE-2015-7575", "CVE-2016-0466"], "modified": "2018-06-17T22:33:02", "id": "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "href": "https://www.ibm.com/support/pages/node/261391", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:53:21", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.\n\n## Vulnerability Details\n\n## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.\n\nIBM Fabric Manager (IFM) has addressed the vulnerabilities listed below.\n\n**Vulnerability Details**\n\n**CVE-ID:** [CVE-2015-4000](<https://vulners.com/cve/CVE-2015-4000>)\n\n**Description:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam.\"\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/103294> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2015-2638](<https://vulners.com/cve/CVE-2015-2638>)\n\n**Description:** An unspecified vuln