There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.0 that is used by IBM API Management. These issues were disclosed as part of the IBM Java SDK updates in October 2015.
Relevant CVE Information:
CVEID: CVE-2015-4872
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-4911
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4893
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4803
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Note regarding CVE-2015-4911: This was addressed by IBM in June 2008. As a reminder, users of Java 6 and above should refer to the IBM XL XP-J documentation for the javax.xml.stream.supportDTD property for information to help avoid this vulnerability.
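The following is an added example, not code from IBM or from the bulletin. It shows one way to turn off the javax.xml.stream.supportDTD property named in the note through the standard StAX API and to confirm that the setting took effect. The class name, helper names and the sample document are constructed for illustration, and how a given StAX implementation treats a document that still carries a DOCTYPE (rejecting it or leaving the entity unexpanded) is implementation-specific.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxNoDtd {
    // Constructed sample input: a small document with an internal DTD subset.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [ <!ENTITY vendor \"Example Corp\"> ]>\n"
      + "<order><supplier>&vendor;</supplier></order>";

    /** Builds a StAX factory with javax.xml.stream.supportDTD turned off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // XMLInputFactory.SUPPORT_DTD is the constant for "javax.xml.stream.supportDTD".
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    /** Parses xml and returns its text content, or a message if the parser rejects it. */
    static String parse(XMLInputFactory f, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            try {
                while (r.hasNext()) {
                    if (r.next() == XMLStreamConstants.CHARACTERS) {
                        text.append(r.getText());
                    }
                }
            } finally {
                r.close(); // XMLStreamReader is not AutoCloseable on Java 7
            }
            return "parsed, text=[" + text + "]";
        } catch (XMLStreamException e) {
            // With DTD support off, the entity has no declaration the parser will honour.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default : " + parse(XMLInputFactory.newInstance(), SAMPLE));
        System.out.println("hardened: " + parse(hardenedFactory(), SAMPLE));
        // Deployment check: read the property back to confirm the setting is in force.
        System.out.println("supportDTD=" + hardenedFactory().getProperty(XMLInputFactory.SUPPORT_DTD));
    }
}
```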
IBM API Management V3.0 and V4.0
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM API Management | 3.0.0 | LI78916 | http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Management&release=3.0.4.0&platform=All&function=fixId&fixids=3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.vcrypt2,3.0.4.2-APIManagement-ManagementAppliance-20151209-1511.ova&includeSupersedes=0 |
IBM API Management | 4.0.0 | LI78916 | <http://www-01.ibm.com/support/docview.wss?uid=swg21973164> |
None
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm api management | eq | 3.0 |
 | ibm api management | eq | 4.0 |