Security Bulletin: Rational Integration Tester component in Rational Test Workbench affected by Netty vulnerability (CVE-2014-3488)

2018-06-17 04:59:34
www.ibm.com

CVSS2: 5 Medium

Access Vector: NETWORK

Access Complexity: LOW

Authentication: NONE

Confidentiality Impact: NONE

Integrity Impact: NONE

Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

A vulnerability in the Netty library affects the Rational Integration Tester component in IBM Rational Test Workbench.

Vulnerability Details

CVE ID: CVE-2014-3488

Description: Netty is vulnerable to a denial of service, caused by an error in SslHandler. A remote attacker could exploit this vulnerability using a specially-crafted SSLv2Hello message to exhaust all available CPU resources and cause the application to enter into an infinite loop.

CVSS Base Score: 5.0

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95285> for the current score

CVSS Environmental Score: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Rational Integration Tester component in Rational Test Workbench versions:

  • 8.0 - 8.0.0.3
  • 8.0.1 - 8.0.1.4
  • 8.5 - 8.5.0.2
  • 8.5.1 - 8.5.1.3
  • 8.6 - 8.6.0.2

Remediation/Fixes

The fixes for the CVE(s) mentioned above have been incorporated into the 3.9.5 release of the Netty library, and included in a set of new fixpacks available from IBM.

Upgrade your installation as follows:

Visit IBM Fix Central to search for, download and apply the following fixpacks for your version of product:

  • All 8.0.0.x -> 8.0.0.4
  • All 8.0.1.x -> 8.0.1.5
  • All 8.5.0.x -> 8.5.0.3
  • All 8.5.1.x -> 8.5.1.4
  • All 8.6.0.x -> 8.6.0.3
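To confirm after patching that no pre-3.9.5 Netty jar remains in an installation tree, the following added example (not part of the IBM bulletin or of any IBM tooling) scans a directory for Netty jars and compares each version with the 3.9.5 release named above. The jar naming pattern, the manifest headers consulted and the status labels are assumptions; the installation path is supplied by the operator.

```python
import re
import zipfile
from pathlib import Path

FIXED = (3, 9, 5)  # Netty release the bulletin says carries the fix

# Assumed naming: netty-3.9.4.Final.jar, netty-3.6.2.jar, netty-all-...
NAME_RE = re.compile(r"netty(?:-all)?-(\d+)\.(\d+)\.(\d+)", re.I)
MANIFEST_RE = re.compile(
    r"^(?:Implementation|Bundle)-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)


def jar_version(jar):
    """Return (major, minor, patch) from the manifest, else the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = MANIFEST_RE.search(text)
    except (KeyError, zipfile.BadZipFile, OSError):
        m = None  # no manifest or unreadable archive: fall back to the name
    m = m or NAME_RE.search(Path(jar).name)
    return tuple(map(int, m.groups())) if m else None


def classify(version):
    """Label a version relative to the fix release (labels are hypothetical)."""
    if version is None:
        return "unknown"
    if version[0] != 3:
        return "review"  # the bulletin only names the 3.x fix release
    return "fixed" if version >= FIXED else "needs-fixpack"


def scan(root):
    """Map each Netty jar under root to (version, status)."""
    results = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        if "netty" not in jar.name.lower():
            continue
        version = jar_version(jar)
        results[jar.relative_to(root).as_posix()] = (version, classify(version))
    return results


if __name__ == "__main__":
    import sys
    for path, (version, status) in scan(sys.argv[1]).items():
        print(f"{status:14} {version} {path}")
```

Run it with the product's installation directory as the only argument; any `needs-fixpack` line means a Netty copy older than 3.9.5 is still on disk.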

Workarounds and Mitigations

None
