Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM966BEAD90E79446B8744128993496F9D64DA8B378811559F1241DD3DB2BF54F2
HistoryJan 30, 2019 - 8:20 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Fabric Manager (IFM)

2019-01-3008:20:01
www.ibm.com
8

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.

Vulnerability Details

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 that is used by IBM Fabric Manager (IFM). These issues were disclosed as part of the IBM Java SDK updates in July 2015 and April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol.

IBM Fabric Manager (IFM) has addressed the vulnerabilities listed below.

Vulnerability Details

CVE-ID: CVE-2015-4000

Description: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam.”

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/103294&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2638

Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104727&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4733

Description: An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104726&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4732

Description: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104725&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-2590

Description: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104724&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4731

Description: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104723&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4760

Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104721&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4736

Description: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 9.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104728&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-4748

Description: An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 7.6
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104729&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-2664

Description: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 6.9
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104731&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-2632

Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104732&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2637

Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104738&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2619

Description: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104737&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2621

Description: An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104735&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2613

Description: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104734&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-2601

Description: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104733&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-4749

Description: An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104740&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-4729

Description: An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104741&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2015-2625

Description: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 2.6
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/104743&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-1931

Description: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.

CVSS Base Score: 2.1
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102967&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-0491

Description: An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102329&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-0459

Description: An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102328&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-0469

Description: An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102327&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-0458

Description: An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 7.6
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102332&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2015-0480

Description: A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attacker to overwrite files on the system with privileges of another user.

CVSS Base Score: 5.8
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102334&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVE-ID: CVE-2015-0488

Description: An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102336&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-0478

Description: An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102339&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-0477

Description: An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102337&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2015-2808

Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack.”

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101851&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-1914

Description: A vulnerability in the IBM implementation of the Java Virtual Machine may allow untrusted code running under a security manager to bypass permission checks and view sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101908&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-0192

Description: A vulnerability in the IBM implementation of the Java Virtual Machine may, under limited circumstances, allow untrusted code running under a security manager to elevate its privileges.

CVSS Base Score: 6.8
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/101008&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-0204

Description: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99707&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected products and versions

Product Affected Version
IBM Fabric Manager (IFM) 4.1.02

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

You should verify applying the fix does not cause any compatibility issues.

Product Fixed Version
IBM Fabric Manager (IFM)
(ibm_sw_ifm-4.1.03.0037_windows_32-64)
(ibm_sw_ifm-4.1.03.0037_linux_32-64) 4.1.03.0037

Workarounds and Mitigations

None.

References

Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History
11 December 2015: Original version published

  • The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

CPENameOperatorVersion
ibm fabric manager (ifm)eq4.1.02

Related

suse 16
nessus 58
openvas 49
ibm 20
aix 2
redhat 16
veracode 17
archlinux 1
debian 3
ubuntu 2
amazon 3
centos 4
oraclelinux 4
osv 2
mageia 1
kaspersky 1
suse
suse
Security update for java-1_7_0-ibm (important)
2015-08-12 18:09:25
Security update for java-1_7_1-ibm (important)
2015-07-31 16:11:04
Security update for java-1_7_1-ibm (important)
2015-07-31 16:08:49
nessus
nessus
SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:1375-1) (Bar Mitzvah) (Logjam)
2015-08-13 00:00:00
RHEL 5 : java-1.7.0-ibm (RHSA-2015:1488) (Logjam)
2015-07-24 00:00:00
AIX Java Advisory : java_july2015_advisory.asc (Logjam)
2015-08-17 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:1375-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1331-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1345-1)
2021-06-09 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM)
2018-06-18 01:29:36
Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect SmartCloud Provisioning for IBM Software Virtual Appliance
2018-06-17 22:30:13
Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Integrated Operations Management
2018-08-09 04:20:36
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2015-07-31 13:04:25
Multiple vulnerabilities in IBM Java SDK affect AIX
2015-06-03 12:58:42
redhat
redhat
(RHSA-2015:1488) Critical: java-1.7.0-ibm security update
2015-07-23 00:00:00
(RHSA-2015:1485) Critical: java-1.7.1-ibm security update
2015-07-22 00:00:00
(RHSA-2015:1544) Important: java-1.5.0-ibm security update
2015-08-04 00:00:00
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 05:41:17
Sandbox Restrictions Bypass
2019-05-02 05:41:17
Sandbox Restrictions Bypass
2019-05-02 05:41:17
archlinux
archlinux
jre7-openjdk: multiple issues
2015-07-22 00:00:00
debian
debian
[SECURITY] [DSA 3339-1] openjdk-6 security update
2015-08-19 20:19:22
[SECURITY] [DLA 303-1] openjdk-6 security update
2015-08-28 08:31:00
[SECURITY] [DSA 3316-1] openjdk-7 security update
2015-07-25 10:13:47
ubuntu
ubuntu
OpenJDK 6 vulnerabilities
2015-08-06 00:00:00
OpenJDK 7 vulnerabilities
2015-07-30 00:00:00
amazon
amazon
Critical: java-1.7.0-openjdk
2015-07-22 10:00:00
Important: java-1.6.0-openjdk
2015-08-24 22:26:00
Important: java-1.8.0-openjdk
2015-07-22 10:00:00
centos
centos
java security update
2015-07-15 15:39:22
java security update
2015-07-15 15:08:01
java security update
2015-07-30 23:24:14
oraclelinux
oraclelinux
java-1.7.0-openjdk security update
2015-07-16 00:00:00
java-1.6.0-openjdk security update
2015-07-31 00:00:00
java-1.7.0-openjdk security update
2015-07-15 00:00:00
osv
osv
openjdk-6 - security update
2015-08-28 00:00:00
openjdk-7 - security update
2015-07-25 00:00:00
mageia
mageia
Updated java-1.7.0-openjdk package fixes security vulnerabilities
2015-07-23 12:39:14
kaspersky
kaspersky
KLA10629 Multiple vulnerabilities in Oracle Java SE
2015-07-14 00:00:00

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for 966BEAD90E79446B8744128993496F9D64DA8B378811559F1241DD3DB2BF54F2
suse16nessus58openvas49ibm20aix2redhat16veracode17archlinux1debian3ubuntu2amazon3centos4oraclelinux4osv2mageia1kaspersky1