Jun 17, 2018 - 4:53 a.m.

Security Bulletin: Rational Performance Tester vulnerabilities due to security vulnerabilities in IBM JRE 1.5, 1.6 and 1.7 (CVE-2014-0411, CVE-2014-0453)

www.ibm.com
CVSS2 Score: 4 (Medium)

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Summary

A potential security vulnerability exists in the IBM Java Runtime Environment component of IBM Rational Performance Tester related to the use of SSL/TLS. Patches for these vulnerabilities are available in IBM JRE 7 iFixes provided with IBM Rational Performance Tester version 8.6.

Vulnerability Details


CVE ID: CVE-2014-0411

Description: Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0453

Description: An Exception thrown by the Security component reveals information that an attacker could use to break RSA keys via a Bleichenbacher attack.

The fix removes the sensitive information from the Exception message.

CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92490> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM JRE provided by Rational Performance Tester versions earlier than version 8.5.1.3 on all platforms.

Remediation/Fixes

Upgrade to Rational Performance Tester version 8.6

Rational Performance Tester 8.6 provides IBM JRE 7 iFixes which correct these issues.

Vendor Fix(es):

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| RPT | 8.5 - 8.5.x | None | Download and apply fix Rational-RPT-JavaPatch-CVE-2014-0411 on Fix Central. |
| RPT | 8.3 - 8.3.x | None | Download and apply fix Rational-RPT-JavaPatch-CVE-2014-0411 on Fix Central. |
| RPT | 8.2 - 8.2.x | None | Download and apply fix Rational-RPT-JavaPatch-CVE-2014-0411 on Fix Central. |
| RPT | 8.1 - 8.1.x | None | Download and apply fix Rational-RPT-JavaPatch-CVE-2014-0411 on Fix Central. |
| RPT | 8.0 - 8.0.x | None | Download and apply fix Rational-RPT-JavaPatch-CVE-2014-0411 on Fix Central. |

Workarounds and Mitigations

None
