Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMDBFA25CB8FF2DD571CB6CD192628EF0B397E16C9909CF76FAFA29BEF0C97A619
HistoryAug 03, 2018 - 4:23 a.m.

Security Bulletin: Man In The Middle Attack Vulnerability Affecting Rational Developer for AIX and Linux, Rational Developer for i, and Rational Developer for Power Systems Software (CVE-2014-0411)

2018-08-0304:23:43
www.ibm.com
11

EPSS

0.008

Percentile

81.5%

JSON

Summary

The version of the Java Runtime Environment shipped with certain versions of Rational Developer for AIX and Linux, Rational Developer for i, and Rational Developer for Power Systems Software has security vulnerabilities which affect these products.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

  • Follow this link for more information (requires login with your IBM ID)
    —|—

CVEID: CVE-2014-0411**

Description:** Rational Developer for AIX and Linux, Rational Developer for i, and Rational Developer for Power Systems Software all ship the IBM Java Runtime Environment, certain versions of which are vulnerable to a Man In The Middle attack. When connecting to a remote system via Java’s JSSE/TLS mechanism (e.g. via SSH or SSL) timing differences based on the validity of messages can be exploited to decrypt the entire session. The exploit is not trivial, requiring a man-in-the-middle position and a long time (around 20 hours). Hence any communications from the IDE client to the IDE server are potentially vulnerable, as are any number of other services within the IDE which make use of JSSE/TLS.

CVSS Base Score: 4 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

Product Name

| Versions Affected
—|—
Rational Developer for Power Systems Software| 7.6, 7.6.0.1, 7.6.0.2, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1
Rational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1
Rational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1
Rational Developer for i| 9.0, 9.0.0.1

Remediation/Fixes

There is a fix to the JRE that eliminates the timing differences. This fix has been incorporated into fixes for the affected products which are available at:

Product Type Title
Rational Developer for AIX and Linux Interim Fix IBM Java Quarterly Critical Patch Update - April 2014
Rational Developer for i Interim Fix IBM Java Quarterly Critical Patch Update - April 2014
Rational Developer for Power Systems Software Interim Fix IBM Java Quarterly Critical Patch Update - April 2014

Workarounds and Mitigations

None

Related

ibm 51
cvelist 1
prion 1
f5 4
ubuntucve 1
cve 1
nvd 1
veracode 13
redhat 10
nessus 39
openvas 37
ubuntu 3
amazon 2
oraclelinux 3
centos 3
mageia 1
aix 1
suse 5
kaspersky 1
securityvulns 1
oracle 1
gentoo 1
ibm
ibm
Security Bulletin: Java vulnerability on IBM SAN Volume Controller and Storwize Family (CVE-2014-0411)
2023-03-29 01:48:02
Security Bulletin: Security vulnerability in current IBM SDK for Java for WebSphere Application Server Community Edition 3.0.0.4 Jan 2014 CPU (CVE-2014-0411)
2018-06-15 06:59:36
Security Bulletin: A security vulnerability has been identified in an IBM Tivoli Monitoring shared component shipped with IBM Tivoli Composite Application Manager for J2EE (CVE-2014-0411).
2019-05-10 14:33:22
cvelist
cvelist
CVE-2014-0411
2014-01-15 02:50:00
prion
prion
Design/Logic Flaw
2014-01-15 16:08:00
f5
f5
K02004209 : Oracle Java vulnerability CVE-2014-0411
2015-12-30 00:00:00
SOL02004209 - Oracle Java vulnerability CVE-2014-0411
2015-12-30 00:00:00
SOL53146535 - Multiple Sun Java vulnerabilities
2015-12-30 00:00:00
ubuntucve
ubuntucve
CVE-2014-0411
2014-01-15 00:00:00
cve
cve
CVE-2014-0411
2014-01-15 16:08:10
nvd
nvd
CVE-2014-0411
2014-01-15 16:08:10
veracode
veracode
Cryptography Key Leakage
2019-05-02 04:56:14
Sandbox Restrictions Bypass
2019-05-02 05:01:06
Sandbox Restrictions Bypass
2019-05-02 05:01:08
redhat
redhat
(RHSA-2014:0136) Important: java-1.5.0-ibm security update
2014-02-04 00:00:00
(RHSA-2014:0097) Important: java-1.6.0-openjdk security update
2014-01-27 00:00:00
(RHSA-2014:0026) Critical: java-1.7.0-openjdk security update
2014-01-15 00:00:00
nessus
nessus
RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:0136)
2014-02-05 00:00:00
Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2124-1)
2014-02-28 00:00:00
Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 regression (USN-2124-2)
2014-04-08 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-2124-2)
2014-04-08 00:00:00
RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01
2014-01-30 00:00:00
CentOS Update for java CESA-2014:0097 centos6
2014-01-30 00:00:00
ubuntu
ubuntu
OpenJDK 6 regression
2014-04-08 00:00:00
OpenJDK 6 vulnerabilities
2014-02-27 00:00:00
OpenJDK 7 vulnerabilities
2014-01-23 00:00:00
amazon
amazon
Important: java-1.6.0-openjdk
2014-02-03 15:27:00
Critical: java-1.7.0-openjdk
2014-01-15 10:28:00
oraclelinux
oraclelinux
java-1.6.0-openjdk security update
2014-01-27 00:00:00
java-1.7.0-openjdk security update
2014-01-14 00:00:00
java-1.7.0-openjdk security update
2014-01-14 00:00:00
centos
centos
java security update
2014-01-15 11:04:23
java security update
2014-01-27 22:53:27
java security update
2014-01-15 11:16:34
mageia
mageia
Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities
2014-01-21 20:22:18
aix
aix
AIX Java Multiple Vulnerabilities (Oracle Java 2014 CPU)
2014-03-06 13:24:59
suse
suse
Security update for IBM Java 6 (important)
2014-02-24 22:04:17
Security update for IBM Java 6 (important)
2014-02-20 20:04:38
Security update for IBM Java 6 (important)
2014-03-26 18:04:12
kaspersky
kaspersky
KLA10511 Multiple vulnerabilities in Oracle products
2014-01-15 00:00:00
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities
2014-05-05 00:00:00
oracle
oracle
Oracle Critical Patch Update - January 2014
2014-01-14 00:00:00
gentoo
gentoo
Oracle JRE/JDK: Multiple vulnerabilities
2014-01-27 00:00:00

EPSS

0.008

Percentile

81.5%

JSON
Related for DBFA25CB8FF2DD571CB6CD192628EF0B397E16C9909CF76FAFA29BEF0C97A619
ibm51cvelist1prion1f54ubuntucve1cve1nvd1veracode13redhat10nessus39openvas37ubuntu3amazon2oraclelinux3centos3mageia1aix1suse5kaspersky1securityvulns1oracle1gentoo1