JAVA_FEB2015_ADVISORY.ASC
Feb 19, 2015 - 10:53 a.m.

Multiple vulnerabilities in current releases of IBM SDK, Java Technology Edition; issues disclosed in the Oracle February 2015 Critical Patch Update and two additional vulnerabilities

aix.software.ibm.com

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

3.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

EPSS

0.975

Percentile

100.0%

IBM SECURITY ADVISORY

First Issued: Thu Feb 19 10:53:54 CST 2015

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc

                       VULNERABILITY SUMMARY

VULNERABILITY: Multiple vulnerabilities in current releases of the IBM® SDK,
Java Technology Edition; issues disclosed in the Oracle February
2015 Critical Patch Update and two additional
vulnerabilities.

PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x

SOLUTION: Apply the fix as described below.

THREAT: Various threats, described below.

CVE Numbers: CVE-2014-6549 CVSS=10, CVE-2015-0408 CVSS=10, CVE-2015-0412 CVSS=10,
CVE-2015-0403 CVSS=6.9, CVE-2015-0406 CVSS=5.8, CVE-2015-0410 CVSS=5,
CVE-2015-0407 CVSS=5, CVE-2015-0400 CVSS=5, CVE-2014-3566 CVSS=4.3,
CVE-2014-6587 CVSS=4.3, CVE-2014-6593 CVSS=4, CVE-2014-6591 CVSS=2.6,
CVE-2014-6585 CVSS=2.6, CVE-2014-8891 CVSS=6.8

Reboot required? NO
Workarounds? NO

===============================================================================
DETAILED INFORMATION

I. DESCRIPTION

This bulletin covers all applicable IBM® Java SDK CVEs published by Oracle as part
of their February 2015 Critical Patch Update. For more information please refer to
Oracle's February 2015 CPU Advisory and the X-Force database entries referenced
below.

II. CVSS

CVEID: CVE-2014-6549
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2015-0408
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2015-0412
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2015-0403
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) 

CVEID: CVE-2015-0406
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) 

CVEID: CVE-2015-0410
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) 

CVEID: CVE-2015-0407
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2015-0400
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

CVEID: CVE-2014-3566
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6587
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P) 

CVEID: CVE-2014-6593
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) 

CVEID: CVE-2014-6591
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) 


Specific to IBM Java CVE(s):

CVEID: CVE-2014-6585
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)


CVEID: CVE-2014-8891
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
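
The base scores above are derived from the vectors by the CVSS v2 base equations (the FIRST guide and the NVD calculator in section VII). The following is an added example, not part of IBM's advisory: a small shell/awk calculator that recomputes a v2 base score from its vector, so that every score printed beside a vector in section II can be checked rather than trusted. It implements the public v2 formula only; nothing about the individual CVEs is assumed.

```shell
#!/bin/sh
# Added example, not part of IBM's advisory: recompute a CVSS v2 base score
# from its vector string using the CVSS v2 base equations.
#
# cvss2_base_score VECTOR     (with or without the surrounding parentheses)
# Prints the score rounded to one decimal; returns 2 on a malformed vector.
cvss2_base_score() {
    v=${1#\(}; v=${v%\)}
    printf '%s\n' "$v" | awk -F/ '
    BEGIN {
        # CVSS v2 metric weights (AccessVector, AccessComplexity, Authentication)
        w["AV:L"] = 0.395; w["AV:A"] = 0.646; w["AV:N"] = 1.0
        w["AC:H"] = 0.35;  w["AC:M"] = 0.61;  w["AC:L"] = 0.71
        w["Au:M"] = 0.45;  w["Au:S"] = 0.56;  w["Au:N"] = 0.704
        # Confidentiality / Integrity / Availability impact weights
        imp["N"] = 0.0;    imp["P"] = 0.275;  imp["C"] = 0.660
    }
    {
        for (i = 1; i <= NF; i++) { split($i, kv, ":"); m[kv[1]] = kv[2] }
        kav = "AV:" m["AV"]; kac = "AC:" m["AC"]; kau = "Au:" m["Au"]
        if (!(kav in w) || !(kac in w) || !(kau in w) ||
            !(m["C"] in imp) || !(m["I"] in imp) || !(m["A"] in imp)) {
            print "invalid CVSS v2 vector: " $0 > "/dev/stderr"
            exit 2
        }
        impact = 10.41 * (1 - (1 - imp[m["C"]]) * (1 - imp[m["I"]]) * (1 - imp[m["A"]]))
        exploitability = 20 * w[kav] * w[kac] * w[kau]
        # f(Impact) is 0 when there is no impact at all, otherwise 1.176
        if (impact == 0) score = 0
        else score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
        printf "%.1f\n", score
    }'
}

# Check a few of the vectors from section II against their published scores.
for vec in 'AV:N/AC:L/Au:N/C:C/I:C/A:C' 'AV:L/AC:M/Au:N/C:C/I:C/A:C' \
           'AV:N/AC:M/Au:N/C:P/I:N/A:P' 'AV:N/AC:H/Au:N/C:P/I:N/A:N'; do
    printf '%s -> %s\n' "$vec" "$(cvss2_base_score "$vec")"
done
```

The one caveat is rounding: v2 rounds to one decimal and NVD rounds half up, while awk's printf rounds the binary value; none of the vectors in this advisory land on a tie, so the results agree with the listed scores (10.0, 6.9, 5.8, 5.0, 4.3, 4.3, 4.0, 2.6 and 6.8). A vector with C:N/I:N/A:N scores 0.0 regardless of exploitability, which is why the impact term is tested for zero rather than multiplied through.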

III. PLATFORM VULNERABILITY ASSESSMENT

The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than 5.0.0.590
For Java6: Less than 6.0.0.470
For Java7: Less than 7.0.0.195
For Java7 Release 1: Less than 7.1.0.75

Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command in the AIX user's guide.

Example: lslpp -L | grep -i java
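
The grep above only lists what is installed; deciding whether a level is below the fixed VRMF still has to be done by hand, and a plain string comparison gets it wrong (7.0.0.95 sorts after 7.0.0.195). The following is an added example, not part of IBM's advisory: a POSIX shell filter that reads `lslpp -L` output and compares each Java fileset's VRMF field by field against the thresholds in section III. It assumes the filesets carry the stream name as their prefix (Java5, Java6, Java7 and Java71 for Java 7 Release 1, with `_64` variants such as Java7_64.sdk); the sample `lslpp` lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of IBM's advisory: check Java fileset levels from
# `lslpp -L` against the minimum fixed VRMF levels listed in section III.
# Assumption: fileset names start with the stream (Java5, Java6, Java7,
# Java71) optionally followed by _64, e.g. Java7_64.sdk.

# Print the first fixed VRMF level for a Java stream; fail for unknown streams.
min_fixed_level() {
    case "$1" in
        Java5|Java5_64)   echo 5.0.0.590 ;;
        Java6|Java6_64)   echo 6.0.0.470 ;;
        Java7|Java7_64)   echo 7.0.0.195 ;;
        Java71|Java71_64) echo 7.1.0.75  ;;
        *)                return 1       ;;
    esac
}

# vrmf_lt A B: succeed when VRMF A is below B, comparing the four fields as
# integers. A string comparison would rank 7.0.0.95 above 7.0.0.195.
vrmf_lt() {
    left=$1; right=$2
    old_ifs=$IFS; IFS=.
    set -- $left;  l1=$1; l2=$2; l3=$3; l4=$4
    set -- $right; r1=$1; r2=$2; r3=$3; r4=$4
    IFS=$old_ifs
    for pair in "$l1:$r1" "$l2:$r2" "$l3:$r3" "$l4:$r4"; do
        a=${pair%%:*}; b=${pair#*:}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1   # all four fields equal: not lower
}

# Read `lslpp -L` output on stdin and print one verdict line per Java fileset.
check_java_filesets() {
    while read -r fileset level _rest; do
        case "$fileset" in Java*) ;; *) continue ;; esac
        stream=${fileset%%.*}
        if ! min=$(min_fixed_level "$stream"); then
            printf '%s %s NOT-COVERED (stream not listed in this advisory)\n' "$fileset" "$level"
        elif vrmf_lt "$level" "$min"; then
            printf '%s %s VULNERABLE (fixed in %s)\n' "$fileset" "$level" "$min"
        else
            printf '%s %s OK\n' "$fileset" "$level"
        fi
    done
}

# Constructed sample in `lslpp -L` layout (not output from a real system).
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  Java5_64.sdk               5.0.0.590    C     F    Java SDK 64-bit
  Java6.sdk                  6.0.0.455    C     F    Java SDK 32-bit
  Java7_64.sdk               7.0.0.95     C     F    Java SDK 64-bit
  Java71_64.sdk              7.1.0.75     C     F    Java SDK 64-bit
  bos.rte                    7.1.3.45     C     F    Base Operating System Runtime'

# On a real LPAR or VIOS:  lslpp -L | check_java_filesets
printf '%s\n' "$SAMPLE_LSLPP" | check_java_filesets
```

On the sample, Java5_64.sdk and Java71_64.sdk sit exactly at the fixed level and report OK, while Java6.sdk and Java7_64.sdk report VULNERABLE; the 7.0.0.95 line is the case a lexical comparison would have marked as fixed. Run it on every LPAR and VIOS in scope, since the advisory covers several Java streams that are commonly installed side by side.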

IV. FIXES

AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x

REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig

openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
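
The command above checks the detached RSA signature over the advisory text, with the public key obtained as described in section VI. The following is an added example, not part of IBM's advisory, that runs the check end to end: because IBM's public key is not reproduced on this page, it generates a throwaway RSA key pair, signs a constructed advisory file, verifies it with the same `openssl dgst -sha1 -verify` invocation, and then shows the verification failing after a single character of the file is altered. The file contents, key and paths are all constructed for the demo; against a downloaded advisory you pass IBM's published key file instead.

```shell
#!/bin/sh
# Added example, not part of IBM's advisory: exercise the signature check
# end to end with a throwaway key. IBM's real public key is not on this page.

# verify_advisory PUBKEY SIGFILE FILE [DIGEST]
# Returns 0 only when OpenSSL reports "Verified OK". The digest must match
# the one the signer used; the advisory specifies SHA-1 for its .sig files.
verify_advisory() {
    pubkey=$1; sig=$2; file=$3; digest=${4:-sha1}
    openssl dgst "-$digest" -verify "$pubkey" -signature "$sig" "$file" >/dev/null 2>&1
}

# sign_file PRIVKEY FILE [DIGEST]: write FILE.sig (the signer's side).
sign_file() {
    privkey=$1; file=$2; digest=${3:-sha1}
    openssl dgst "-$digest" -sign "$privkey" -out "$file.sig" "$file"
}

# Generate a throwaway key pair and a constructed advisory, sign it, then
# confirm the check passes on the original and fails on a tampered copy.
demo_signature_check() {
    work=$(mktemp -d) || return 1
    openssl genrsa -out "$work/key.pem" 2048 >/dev/null 2>&1 || return 1
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.pem" >/dev/null 2>&1 || return 1
    printf 'IBM SECURITY ADVISORY (constructed sample)\nFix: Java7 7.0.0.195\n' \
        > "$work/advisory.asc"
    sign_file "$work/key.pem" "$work/advisory.asc" || return 1

    if verify_advisory "$work/pub.pem" "$work/advisory.asc.sig" "$work/advisory.asc"; then
        ok=0; else ok=1; fi
    # Tamper: lower the fixed level by one and re-verify with the same .sig
    sed 's/7.0.0.195/7.0.0.194/' "$work/advisory.asc" > "$work/tampered.asc"
    if verify_advisory "$work/pub.pem" "$work/advisory.asc.sig" "$work/tampered.asc"; then
        tampered=0; else tampered=1; fi
    rm -rf "$work"
    printf 'original verified: %s   tampered verified: %s\n' \
        "$([ "$ok" -eq 0 ] && echo yes || echo no)" \
        "$([ "$tampered" -eq 0 ] && echo yes || echo no)"
    # Succeed only if the genuine file verifies and the altered copy does not
    [ "$ok" -eq 0 ] && [ "$tampered" -ne 0 ]
}

demo_signature_check
```

Two points worth keeping in mind when doing this for real: the signature covers the exact bytes, so a file that has been through CRLF conversion or had trailing whitespace stripped will fail even though it is the "same" advisory; and a key fetched over the same channel as the advisory only proves the two files agree with each other. Obtain the key once from the location in section VI, keep it, and verify subsequent advisories against that stored copy. Drop the `>/dev/null` in `verify_advisory` if you want OpenSSL's "Verified OK" / "Verification Failure" text on the console.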

V. WORKAROUNDS

None

VI. CONTACT US

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:

    A. Download the key from our web page:

        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

VII. REFERENCES:

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2014-6549: https://vulners.com/cve/CVE-2014-6549
CVE-2015-0408: https://vulners.com/cve/CVE-2015-0408
CVE-2015-0412: https://vulners.com/cve/CVE-2015-0412
CVE-2015-0403: https://vulners.com/cve/CVE-2015-0403
CVE-2015-0406: https://vulners.com/cve/CVE-2015-0406
CVE-2015-0410: https://vulners.com/cve/CVE-2015-0410
CVE-2015-0407: https://vulners.com/cve/CVE-2015-0407
CVE-2015-0400: https://vulners.com/cve/CVE-2015-0400
CVE-2014-3566: https://vulners.com/cve/CVE-2014-3566
CVE-2014-6587: https://vulners.com/cve/CVE-2014-6587
CVE-2014-6593: https://vulners.com/cve/CVE-2014-6593
CVE-2014-6591: https://vulners.com/cve/CVE-2014-6591
CVE-2014-6585: https://vulners.com/cve/CVE-2014-6585
CVE-2014-8891: https://vulners.com/cve/CVE-2014-8891

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.
