History: Dec 13, 2022 - 1:10 a.m.

Security Bulletin: Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364)

2022-12-13 01:10:48
www.ibm.com
CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.009 Low
Percentile: 82.2%

Summary

Smack API is used by IBM Tivoli Netcool Impact as part of the Jabber service component. IBM Tivoli Netcool Impact has addressed the applicable CVEs.

Vulnerability Details

**CVEID:** CVE-2014-0363
**DESCRIPTION:** Ignite Realtime Smack API could allow a remote attacker to conduct spoofing attacks, caused by the failure to properly verify the basicConstraints and nameConstraints of a certificate within a certificate chain within the ServerTrustManager implementation. An attacker could exploit this vulnerability using man-in-the-middle techniques to conduct a spoofing attack.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92954 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** CVE-2014-0364
**DESCRIPTION:** Ignite Realtime Smack API could allow a remote attacker to bypass security restrictions, caused by the failure to properly verify the from attribute for roster queries within the ParseRoster implementation. An attacker could exploit this vulnerability to add roster entries or spoof IQ responses.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92955 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
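
The sender check whose absence CVE-2014-0364 describes, shown as an added example rather than code from Smack, IBM or this bulletin: it applies the RFC 6121 rule that a roster IQ is honoured only when it has no from attribute or when from is the user's own bare JID. The function names, JIDs and stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ROSTER_QUERY = "{jabber:iq:roster}query"  # <query xmlns='jabber:iq:roster'/>

def bare_jid(jid):
    """Drop the resource part. Lowercasing is a stand-in for full JID
    normalisation (assumption made to keep the example short)."""
    return jid.split("/", 1)[0].lower()

def is_trusted_roster_iq(stanza_xml, own_jid):
    """True only if a roster IQ comes from the user's own account."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag not in ("iq", "{jabber:client}iq"):
        return False
    if iq.find(ROSTER_QUERY) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True  # no 'from': sent by the server on behalf of the account
    # Must equal the bare JID; another entity, or any full JID, is rejected.
    return sender.lower() == bare_jid(own_jid)

# Constructed sample stanzas (not captured traffic).
OWN_JID = "juliet@example.com/balcony"
_QUERY = "<query xmlns='jabber:iq:roster'><item jid='nurse@example.com'/></query>"
_IQ = "<iq xmlns='jabber:client' type='set' id='%s'%s>" + _QUERY + "</iq>"
SAMPLES = {
    "no_from": _IQ % ("a1", ""),
    "own_bare_jid": _IQ % ("a2", " from='juliet@example.com'"),
    "other_entity": _IQ % ("a3", " from='other@example.net/x'"),
    "own_full_jid": _IQ % ("a4", " from='juliet@example.com/other'"),
}

def accepted(samples, own_jid):
    """Names of the sample stanzas that pass the sender check."""
    return sorted(name for name, xml in samples.items()
                  if is_trusted_roster_iq(xml, own_jid))

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        verdict = "accept" if is_trusted_roster_iq(xml, OWN_JID) else "ignore"
        print(name, verdict)
```

A client applies this test in its stanza handler before the roster is modified, so a stanza that fails it never reaches the roster parser.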

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Tivoli Netcool Impact | 7.1.0 |

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability now.**

| Product | VRMF | APAR | Remediation |
| --- | --- | --- | --- |
| IBM Tivoli Netcool Impact 7.1.0 | 7.1.0.0 - 7.1.0.27 | IJ41497 | Upgrade to IBM Tivoli Netcool Impact 7.1.0 FP28 |

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| tivoli netcool/impact | eq | 7.1.0 |
