
Security Bulletin: The IBM FlashSystem 840 product is affected by a vulnerability in Java

2023-02-18 01:45:50
www.ibm.com
CVSS2: 4 Medium

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | HIGH |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

EPSS: 0.008 Low (Percentile: 81.2%)

Summary

Security vulnerabilities have been discovered in Java.

Vulnerability Details

**CVE-ID:** CVE-2014-0411

**DESCRIPTION:** FlashSystem 840 uses an affected version of Oracle Java:

CVE-2014-0411 (Unspecified Oracle Java vulnerability)

In its January 2014 Critical Patch Update (CPU), Oracle disclosed, but did not fully specify, a vulnerability in the JSSE component of Oracle Java SE that has partial confidentiality impact, partial integrity impact, and no availability impact. This unspecified vulnerability allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. For further information on this vulnerability, see: <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0411>

CVSS v2 Base Score: 4.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90357>
CVSS Vector: (AV:N/AC:H/AU:N/C:P/I:P/A:N)

Affected Products and Versions

_FlashSystem 840 including machine type models (all available code levels)_
9840-AE1 & 9843-AE1

Remediation/Fixes

| Products | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| 9840-AE1, 9843-AE1 | A code fix is now available, the VRMF of this code level is 1.1.2.2 | N/A | _The recommended remediation is to apply this code fix for this Java vulnerability._ |

Workarounds and Mitigations

Close GUI sessions when they approach 20 hours open, preferably closing the session at the end of each working day. Ensure that all users who have access to the system are authenticated by another security system such as a firewall.

CPE

| Name | Operator | Version |
|---|---|---|
| ibm flashsystem 900 | eq | any |