CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
A security vulnerability exists in the IBM Java Runtime Environment component of WebSphere Cast Iron, in IBM JRE 6.0 SR15 FP1 (and earlier) and IBM JRE 7.0 SR6 FP1 (and earlier).
VULNERABILITY DETAILS
There is a security vulnerability in the IBM Java Runtime Environment used in WebSphere Cast Iron.
CVEID: CVE-2014-0453
DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92490 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
AFFECTED PLATFORMS:
IBM WebSphere Cast Iron v6.0, v6.1, v6.3, v6.4 and v7.0 Studio, Virtual Appliance and Physical Appliance
IBM WebSphere Cast Iron v6.3 and v7.0 Live SaaS offering.
WORKAROUND:
None available; apply the fix detailed below.
REMEDIATION:
Apply the fix detailed below.
FIX:
For WebSphere Cast Iron version v6.0 :
Install the v6.0.0.6 interim fix or upgrade to v6.1.0.15/v6.3.0.2/v6.4.0.1 by applying the relevant interim fix.
For WebSphere Cast Iron version v6.1 *:
Install the v6.1.0.15 interim fix or upgrade to v6.3.0.2/v6.4.0.1/v7.0.0.1 by applying the relevant interim fix.
For IBM WebSphere Cast Iron v6.3 *:
Install the v6.3.0.2 interim fix or upgrade to v6.4.0.1/v7.0.0.1 by applying the relevant interim fix.
For IBM WebSphere Cast Iron v6.4 *:
Install the v6.4.0.1 interim fix or upgrade to v7.0.0.1 by applying the relevant interim fix…
For IBM WebSphere Cast Iron v7.0:
Install the v7.0.0.1 interim fix.
* Upgrade to v7 should not be attempted on v6.1, v6.3, v6.4 virtual appliance if the appliance was originally a fresh install of v6.0 and later upgraded to a higher version. Please refer to this link.
The WebSphere Cast Iron V6.0 interim fix can be obtained via this link
The WebSphere Cast Iron V6.1 interim fix can be obtained via this link
The WebSphere Cast Iron V6.3 interim fix can be obtained via this link
The WebSphere Cast Iron V6.4 interim fix can be obtained via this link
The WebSphere Cast Iron V7.0 interim fix can be obtained via this link
SaaS offering (WebSphere Cast Iron Live v6.3):
The WebSphere Cast Iron V6.3 SaaS offering is scheduled to be updated during Aug 2014’s maintenance window to address the IBM Java Security Vulnerability.
SaaS offering (WebSphere Cast Iron Live v7.0):
The WebSphere Cast Iron V7.0 SaaS offering is scheduled to be updated during Aug 2014’s maintenance window to address the IBM Java Security Vulnerability.
APAR LI78037 is targeted for availability in IBM WebSphere Cast Iron v6.0.0.7, v6.1.0.16, v6.3.0.3, v6.4.0.2 and v7.0.0.2
MITIGATION:
None known
REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/v2/guide)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2014-0453 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453)
CHANGE HISTORY:
<2014/08/07>: Original Copy Published