Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMDF7E743258EECE8D977DB6645A6CF8DFDE1F2111B2363A0A163830CA509AD664
HistoryJun 17, 2018 - 2:55 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affecting IBM Tivoli Monitoring clients

2018-06-1714:55:49
www.ibm.com
14

0.975 High

EPSS

Percentile

100.0%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition that is used by IBM Tivoli Monitoring clients. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

CVE IDs: CVE-2014-6513 CVE-2014-6456 CVE-2014-6503 CVE-2014-6532 CVE-2014-4288 CVE-2014-6493 CVE-2014-6492 CVE-2014-6458 CVE-2014-6466 CVE-2014-6506 CVE-2014-6476 CVE-2014-6515 CVE-2014-6511 CVE-2014-6531 CVE-2014-6512 CVE-2014-6457 CVE-2014-6527 CVE-2014-6502 CVE-2014-6558 CVE-2014-3566 CVE-2014-3065

DESCRIPTION: This bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2014 Critical Patch Update. For more information please refer to Oracle’s October 2014 CPU Advisory and the X-Force database entries referenced below.

It also describes the POODLE SSLv3 vulnerability (CVE-2014-3566), and one additional vulnerability (CVE-2014-3065).

CVEID: CVE-2014-6513**
DESCRIPTION:** An unspecified vulnerability related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97127&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6456**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97130&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6503**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97129&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6532**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97128&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4288**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97135&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6493**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97134&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6492**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97133&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6458**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97137&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6466**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97136&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-6506**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97139&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-6476**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97141&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6515**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97142&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6511**
DESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97140&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6531**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97146&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6512**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97147&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6457**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97148&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6527**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97149&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6502**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97150&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6558**
DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97151&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
**
CVE-ID: CVE-2014-3566
DESCRIPTION: *Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**
CVE-ID: CVE-2014-3065
DESCRIPTION: *IBM Java SDK contains a vulnerability in which the default configuration for the shared classes feature potentially allows arbitrary code to be injected into the shared classes cache, which may subsequently be executed by other local users.
CVSS Base Score: 6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93629&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Monitoring version 6.3.0 through 6.3.0 Fix Pack 04
IBM Tivoli Monitoring version 6.2.3 through 6.2.3 Fix Pack 05
IBM Tivoli Monitoring version 6.2.2 through 6.2.2 Fix Pack 09
IBM Tivoli Monitoring version 6.2.1 through 6.2.1 Fix Pack 04
IBM Tivoli Monitoring version 6.2.0 through 6.2.0 Fix Pack 03

Remediation/Fixes

These vulnerabilities exist where the affected Java Runtime Environment (JRE) is installed on systems running the Tivoli Enterprise Portal Browser client or Java WebStart client. The affected JRE is installed on a system when logging into the IBM Tivoli Enterprise Portal using the Browser client or WebStart client and a JRE at the required level does not exist. The portal provides an option to download the provided JRE to the system.

This fix below provides updated JRE packages for the portal server which can be downloaded by new client systems. Once the fix has been installed on the portal server, instructions in the README can be used to download the updated JRE from the portal to the portal clients.

Fix VRMF How to acquire fix
6.X.X-TIV-ITM_JRE_TEP-20150208 6.2.0 through 6.3.0 FP4 http://www.ibm.com/support/docview.wss?uid=swg24039246

Related

openvas 42
redhat 12
nessus 41
suse 8
ibm 31
aix 1
f5 2
kaspersky 1
ubuntu 3
cve 6
ubuntucve 6
cvelist 6
debiancve 6
prion 6
nvd 6
securityvulns 1
centos 4
amazon 3
osv 2
veracode 5
oraclelinux 4
mageia 1
debian 2
openvas
openvas
SUSE: Security Advisory for IBM Java (SUSE-SU-2014:1526-1)
2015-10-13 00:00:00
SUSE: Security Advisory for java-1_7_1-ibm (SUSE-SU-2014:1549-1)
2015-10-16 00:00:00
SUSE: Security Advisory (SUSE-SU-2014:1549-1)
2021-04-19 00:00:00
redhat
redhat
(RHSA-2014:1876) Critical: java-1.7.0-ibm security update
2014-11-19 00:00:00
(RHSA-2014:1880) Critical: java-1.7.1-ibm security update
2014-11-20 00:00:00
(RHSA-2014:1882) Critical: java-1.7.0-ibm security update
2014-11-20 00:00:00
nessus
nessus
SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9999)
2014-12-01 00:00:00
SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9992)
2014-12-01 00:00:00
SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2014:1541-1) (POODLE)
2019-01-02 00:00:00
suse
suse
Security update for java-1_7_1-ibm (important)
2014-12-03 17:04:45
Security update for IBM Java (important)
2014-12-02 19:04:43
Security update for IBM Java (important)
2014-11-28 19:05:41
ibm
ibm
Security Bulletin: Multiple vulnerabilities in current releases of the IBM® SDK, Java™ Technology Edition
2018-06-15 07:01:54
Security Bulletin: CICS Transaction Gateway for Multiplatforms
2018-06-15 07:02:44
Security Bulletin: Multiple vulnerabilities in current releases of IBM® WebSphere Real Time
2018-06-15 07:02:02
aix
aix
Multiple vulnerabilities in current releases of the IBM SDK Java Technology Edition; issues in the Oracle October 2014 Critical Patch Update plus the POODLE SSLv3 vulnerability and
2014-11-14 15:40:48
f5
f5
SOL15745 - Multiple Oracle Java vulnerabilities
2014-10-27 00:00:00
K15745 : Multiple Oracle Java vulnerabilities
2014-10-28 00:00:00
kaspersky
kaspersky
KLA10505 Multiple vulnerabilities in Oracle products
2014-10-15 00:00:00
ubuntu
ubuntu
OpenJDK 7 vulnerabilities
2014-10-23 00:00:00
OpenJDK 7 vulnerabilities
2014-10-23 00:00:00
OpenJDK 6 vulnerabilities
2014-10-17 00:00:00
cve
cve
CVE-2014-4288
2014-10-15 15:55:06
CVE-2014-6532
2014-10-15 22:55:07
CVE-2014-6493
2014-10-15 22:55:05
ubuntucve
ubuntucve
CVE-2014-6493
2014-10-15 00:00:00
CVE-2014-6532
2014-10-15 00:00:00
CVE-2014-4288
2014-10-15 00:00:00
cvelist
cvelist
CVE-2014-6532
2014-10-15 22:03:00
CVE-2014-6493
2014-10-15 22:03:00
CVE-2014-6503
2014-10-15 22:03:00
debiancve
debiancve
CVE-2014-4288
2014-10-15 15:55:06
CVE-2014-6493
2014-10-15 22:55:05
CVE-2014-6532
2014-10-15 22:55:07
prion
prion
Design/Logic Flaw
2014-10-15 22:55:00
Design/Logic Flaw
2014-10-15 22:55:00
Design/Logic Flaw
2014-10-15 22:55:00
nvd
nvd
CVE-2014-4288
2014-10-15 15:55:06
CVE-2014-6493
2014-10-15 22:55:05
CVE-2014-6532
2014-10-15 22:55:07
securityvulns
securityvulns
ESA-2015-004: EMC M&amp;R &#40;Watch4Net&#41; Multiple Vulnerabilities
2015-01-25 00:00:00
centos
centos
java security update
2014-10-15 11:42:17
java security update
2014-10-15 12:22:05
java security update
2014-10-15 11:48:47
amazon
amazon
Important: java-1.6.0-openjdk
2014-10-16 22:15:00
Important: java-1.7.0-openjdk
2014-10-16 22:16:00
Important: java-1.8.0-openjdk
2014-10-16 22:16:00
osv
osv
openjdk-6 - security update
2014-11-26 00:00:00
openjdk-7 - security update
2014-11-29 00:00:00
veracode
veracode
Information Disclosure
2019-05-02 05:12:51
Information Disclosure
2019-05-02 05:12:50
Privilege Escalation
2019-05-02 05:12:51
oraclelinux
oraclelinux
java-1.6.0-openjdk security and bug fix update
2014-10-14 00:00:00
java-1.7.0-openjdk security and bug fix update
2014-10-15 00:00:00
java-1.7.0-openjdk security and bug fix update
2014-10-15 00:00:00
mageia
mageia
Updated java-1.7.0-openjdk packages fix security vulnerabilities
2014-10-26 00:23:09
debian
debian
[SECURITY] [DSA 3080-1] openjdk-7 security update
2014-11-29 12:43:45
[SECURITY] [DSA 3077-1] openjdk-6 security update
2014-11-26 19:10:21

0.975 High

EPSS

Percentile

100.0%

JSON
Related for DF7E743258EECE8D977DB6645A6CF8DFDE1F2111B2363A0A163830CA509AD664
openvas42redhat12nessus41suse8ibm31aix1f52kaspersky1ubuntu3cve6ubuntucve6cvelist6debiancve6prion6nvd6securityvulns1centos4amazon3osv2veracode5oraclelinux4mageia1debian2