History: Jun 16, 2018 - 9:20 p.m.

Security Bulletin: IBM Tivoli/Security Directory Integrator can be affected by a vulnerability in the current IBM SDK for Java (CVE-2014-3566)

2018-06-16 21:20:43
www.ibm.com
CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

A security vulnerability exists in the IBM SDK for Java that is shipped with IBM Tivoli/Security Directory Integrator. The Java version will be updated to IBM® Runtime Environment, Java™ Technology Edition

Vulnerability Details

CVEID: CVE-2014-3566

**Description:** The product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

The attack requires neither local network access nor authentication, but some degree of specialized knowledge and technique is required. An exploit may impact the confidentiality of information, but the integrity of data and the availability of the system would not be compromised.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Tivoli Directory Integrator (ITDI) - 7.0, 7.1, 7.1.1

IBM Security Directory Integrator (ISDI) - 7.2

Remediation/Fixes

Principal Product and Version(s)| Affected Supporting Product and Version| Fixes
—|—|—
ITDI 7.0| IBM Java SDK 5.0| 7.0.0-TIV-TDI-LA0020-POODLE
ITDI 7.1| IBM Java SDK 6.0| 7.1.0-TIV-TDI-LA0016-POODLE
ITDI 7.1.1| IBM Java SDK 6.0| 7.1.1-TIV-TDI-LA0023-POODLE
ISDI 7.2| IBM Java SDK 7.0| 7.2.0-ISS-SDI-LA0003-POODLE
