Multiple vulnerabilities in current releases of the IBM SDK Java Technology Edition

2014-06-1909:10:49

CentOS Project

aix.software.ibm.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.917

Percentile

98.9%

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Jun 19 09:10:49 CDT 2014

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc

                       VULNERABILITY SUMMARY

VULNERABILITY: Multiple vulnerabilities in current releases of the IBM� SDK,
Java Technology Edition.

PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x

SOLUTION: Apply the fix as described below.

THREAT: Varies threats described below.

CVE Numbers: CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0461,
CVE-2014-0455, CVE-2014-2428, CVE-2014-0448, CVE-2014-0454,
CVE-2014-0446, CVE-2014-0452, CVE-2014-0451, CVE-2014-2402,
CVE-2014-2423, CVE-2014-2427, CVE-2014-0458, CVE-2014-2414,
CVE-2014-2412, CVE-2014-2409, CVE-2014-0460, CVE-2013-6954,
CVE-2013-6629, CVE-2014-2401, CVE-2014-0449, CVE-2014-0459,
CVE-2014-0453, CVE-2014-2398, CVE-2014-1876, CVE-2014-2420,
CVE-2014-0878

Reboot required? NO
Workarounds? NO

===============================================================================
DETAILED INFORMATION

I. DESCRIPTION

This bulletin covers all applicable Java SE CVEs published by Oracle as part of their 
April 2014 Critical Patch Update. For more information please refer to Oracle's April
2014 CPU Advisory and the X-Force database entries referenced below.

II. CVSS

CVEID: CVE-2014-0457
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2014-2421
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92462 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0429
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2014-0461
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92467 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0455
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92466 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2014-2428
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92469 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2014-0448
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2014-0454
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92478 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-0446
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92477 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-0452
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92474 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-0451
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92471 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2402
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92476 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2423
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2427
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-0458
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92472 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2414
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2412
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92470 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

CVEID: CVE-2014-2409
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92481 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N) 

CVEID: CVE-2014-0460
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92482 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) 

CVEID: CVE-2013-6954
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) 

CVEID: CVE-2013-6629
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88783 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2014-2401
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92485 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2014-0449
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92483 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2014-0459
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92488 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) 

CVEID: CVE-2014-0453
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) 

CVEID: CVE-2014-2398
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92491 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) 

CVEID: CVE-2014-1876
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92492 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:P) 

CVEID: CVE-2014-2420
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92493 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Specific to IBM Java CVE(s):

CVEID: CVE-2014-0878
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

III. PLATFORM VULNERABILITY ASSESSMENT

The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than 5.0.0.575
For Java6: Less than 6.0.0.455
For Java7: Less than 7.0.0.130
For Java7 Release 1: Less than 7.1.0.10

Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in AIX user's guide.

Example: lslpp -L | grep -i java

IV. FIXES

AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x

REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 6 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7, Service Refresh 7 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Release 1 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

V. WORKAROUNDS

None

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

     http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq 

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

    A. Send an email with "get key" in the subject line to:

        [email protected]

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation.  IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation.  All other trademarks
are property of their respective holders.

VII. REFERENCES:

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2014-0457: https://vulners.com/cve/CVE-2014-0457
CVE-2014-2421: https://vulners.com/cve/CVE-2014-2421
CVE-2014-0429: https://vulners.com/cve/CVE-2014-0429
CVE-2014-0461: https://vulners.com/cve/CVE-2014-0461
CVE-2014-0455: https://vulners.com/cve/CVE-2014-0455
CVE-2014-2428: https://vulners.com/cve/CVE-2014-2428
CVE-2014-0448: https://vulners.com/cve/CVE-2014-0448
CVE-2014-0454: https://vulners.com/cve/CVE-2014-0454
CVE-2014-0446: https://vulners.com/cve/CVE-2014-0446
CVE-2014-0452: https://vulners.com/cve/CVE-2014-0452
CVE-2014-0451: https://vulners.com/cve/CVE-2014-0451
CVE-2014-2402: https://vulners.com/cve/CVE-2014-2402
CVE-2014-2423: https://vulners.com/cve/CVE-2014-2423
CVE-2014-2427: https://vulners.com/cve/CVE-2014-2427
CVE-2014-0458: https://vulners.com/cve/CVE-2014-0458
CVE-2014-2414: https://vulners.com/cve/CVE-2014-2414
CVE-2014-2412: https://vulners.com/cve/CVE-2014-2412
CVE-2014-2409: https://vulners.com/cve/CVE-2014-2409
CVE-2014-0460: https://vulners.com/cve/CVE-2014-0460
CVE-2013-6954: https://vulners.com/cve/CVE-2013-6954
CVE-2013-6629: https://vulners.com/cve/CVE-2013-6629
CVE-2014-2401: https://vulners.com/cve/CVE-2014-2401
CVE-2014-0449: https://vulners.com/cve/CVE-2014-0449
CVE-2014-0459: https://vulners.com/cve/CVE-2014-0459
CVE-2014-0453: https://vulners.com/cve/CVE-2014-0453
CVE-2014-2398: https://vulners.com/cve/CVE-2014-2398
CVE-2014-1876: https://vulners.com/cve/CVE-2014-1876
CVE-2014-2420: https://vulners.com/cve/CVE-2014-2420
CVE-2014-0878: https://vulners.com/cve/CVE-2014-0878

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (    CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE     CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (AIX)

iEYEARECAAYFAlOp1XUACgkQ4fmd+Ci/qhLI5wCePiCcg7+KKbbNu4xno/na0j7w
+SsAoIC3KSxpTPpItj9j29oKdzJh11mV
=7yrW
-----END PGP SIGNATURE-----