There is a potential denial of service with WebSphere Application Server Version 6.1 when running a Heartbleed scanning tool. WebSphere Application Server Versions 7.0 and higher are not affected by this.
IBM WebSphere Application Server is not vulnerable to the Heartbleed vulnerability (CVE-2014-0160), where secure data might not be protected. However, there is a potential denial of service on IBM WebSphere Application Server Versions 6.1 and 6.0.2 when running Heartbleed scanning tools or when specially crafted Heartbeat messages are sent.
CVEID: CVE-2014-0964
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Upgrade your SDK to an interim fix level as determined below:
**_For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:_**
Download and apply the interim fix APARs below, for your appropriate release:
**For V6.1.0.23 through 6.1.0.47:**
For V6.1.0.0 through 6.1.0.21:
Apply Interim Fix PI16981: Will upgrade you to Java 5 SR 16 FP 5.
or
Refer to the October 2015 CPU for the latest updates
then
Apply Interim Fix PK81286 to avoid an issue with application deployment
For V6.0.2.37 through 6.0.2.43:
Please contact customer support for Interim Fix PI17128
For V6.0.2.0 through 6.0.2.35: