Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM45598BFB4E8D67B515A9DEBBBF4CF71F882A6EC2E045D148C250DA38513CBFC2
HistorySep 22, 2022 - 3:02 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management

2022-09-2203:02:31
www.ibm.com
29
ibm java sdk
asset management
service management
vulnerabilities
code escalation
confidentiality impact
integrity impact
availability impact

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.491

Percentile

97.5%

JSON

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 5, 6, and 7** that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, TRIRIGA for Energy Optimization (previously known as Intelligent Building Management), and SmartCloud Control Desk. These issues were disclosed as part of the IBM Java SDK updates in July 2014.

Vulnerability Details

CVEID: CVE-2014-3086 DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual Machine may, under very limited circumstances, allow untrusted code running under a security manager to escalate its privileges.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94097&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4227 DESCRIPTION: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94588&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4262 DESCRIPTION: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94598&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4219 DESCRIPTION: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94589&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4209 DESCRIPTION: An unspecified vulnerability related to the JMX component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 6.4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94596&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4220 DESCRIPTION: An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94598&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4268 DESCRIPTION: An unspecified vulnerability related to the Swing component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94602&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-4218 DESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94599&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4252 DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94600&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-4266 DESCRIPTION: An unspecified vulnerability related to the Serviceability component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94601&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4265 DESCRIPTION: An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94597&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4221 DESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94604&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-4263 DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94606&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4244 DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94605&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4208 DESCRIPTION: An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94607&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

The following IBM Java versions are affected:
· IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 6 and earlier
· IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 and earlier
· IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 and earlier
· IBM SDK, Java Technology Edition, Version 7 Service Refresh 7 and earlier**
· IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 1 and earlier**

IBM supplied the Java Runtime Environment (JRE) from the IBM SDK Java Technology Edition Versions with the following:

The 7.1.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5.

The 7.2.x versions of Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database bundled the JRE from IBM SDK Java 2 Technology Edition Version 5.

The 7.5.x versions of Maximo Asset Management, Maximo Asset Management Essentials, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, Maximo for Utilities, and SmartCloud Control Desk bundled the JRE from IBM SDK Java Technology Edition Version 6.

TRIRIGA for Energy Optimization 1.1.x bundled the JRE from IBM SDK Java Technology Edition Version 6.

It is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.

Remediation/Fixes

There are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation:
1. Application Server – Update the Websphere Application Server. Refer to JDK Fixes for Websphere Application Server for additional information on updating and maintaining the JDK component within Websphere. Customers with Oracle Weblogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server.
2. Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on developerWorks Java__TM_ Technology Security Alerts_ or referenced on Oracle’s latest Critical Patch Update (which can be accessed via developerWorks Java__TM_ Technology Security Alerts_). Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest Maximo Asset Management Scheduler Interim Fix for Version 7.1 or the latest Maximo Asset Management Fix Pack for Version 7.5, which includes the resolution for APAR IV11560.

Due to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem

Affected configurations

Vulners
Node
ibmmaximo_asset_managementMatch7.1.1
OR
ibmmaximo_asset_managementMatch7.5
OR
ibmmaximo_asset_management_essentialsMatch7.5
OR
ibmmaximo_asset_management_essentialsMatch7.1.1
OR
ibmmaximo_for_energy_optimizationMatch7.1
OR
ibmmaximo_for_energy_optimizationMatch7.1.1
OR
ibmmaximo_for_governmentMatch7.1
OR
ibmmaximo_for_governmentMatch7.5
OR
ibmmaximo_for_nuclear_powerMatch7.1
OR
ibmmaximo_for_nuclear_powerMatch7.5
OR
ibmmaximo_for_nuclear_powerMatch7.5.1
OR
ibmmaximo_for_nuclear_powerMatch7.1.1
OR
ibmmaximo_for_transportationMatch7.1.1
OR
ibmmaximo_for_transportationMatch7.5
OR
ibmmaximo_for_transportationMatch7.5.1
OR
ibmmaximo_for_transportationMatch7.1.0
OR
ibmmaximo_for_life_sciencesMatch7.1.2
OR
ibmmaximo_for_life_sciencesMatch7.5
OR
ibmmaximo_for_life_sciencesMatch7.1.0
OR
ibmmaximo_for_oil_and_gasMatch7.1.2
OR
ibmmaximo_for_oil_and_gasMatch7.5
OR
ibmmaximo_for_oil_and_gasMatch7.5.1
OR
ibmmaximo_for_oil_and_gasMatch7.1.0
OR
ibmmaximo_for_utilitiesMatch7.1.2
OR
ibmmaximo_for_utilitiesMatch7.5
OR
ibmmaximo_for_utilitiesMatch7.1.0
OR
ibmtivoli_service_request_managerMatch7.1
OR
ibmtivoli_service_request_managerMatch7.2
OR
ibmtivoli_service_request_managerMatch7.2.1
OR
ibmmaximo_asset_managementMatch7.1
OR
ibmmaximo_asset_managementMatch7.1.1
OR
ibmmaximo_asset_managementMatch7.2
OR
ibmmaximo_asset_managementMatch7.2.1
OR
ibmmaximo_asset_managementMatch7.2.2
OR
ibmtivoli_change_and_configuration_management_databaseMatch7.1
OR
ibmtivoli_change_and_configuration_management_databaseMatch7.1.1
OR
ibmtivoli_change_and_configuration_management_databaseMatch7.2
OR
ibmtivoli_change_and_configuration_management_databaseMatch7.2.1
OR
ibmmaximo_for_energy_optimizationMatchany
OR
ibmcontrol_deskMatch7.5
OR
ibmcontrol_deskMatch7.5.1
VendorProductVersionCPE
ibmmaximo_asset_management7.1.1cpe:2.3:a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*
ibmmaximo_asset_management7.5cpe:2.3:a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
ibmmaximo_asset_management_essentials7.5cpe:2.3:a:ibm:maximo_asset_management_essentials:7.5:*:*:*:*:*:*:*
ibmmaximo_asset_management_essentials7.1.1cpe:2.3:a:ibm:maximo_asset_management_essentials:7.1.1:*:*:*:*:*:*:*
ibmmaximo_for_energy_optimization7.1cpe:2.3:a:ibm:maximo_for_energy_optimization:7.1:*:*:*:*:*:*:*
ibmmaximo_for_energy_optimization7.1.1cpe:2.3:a:ibm:maximo_for_energy_optimization:7.1.1:*:*:*:*:*:*:*
ibmmaximo_for_government7.1cpe:2.3:a:ibm:maximo_for_government:7.1:*:*:*:*:*:*:*
ibmmaximo_for_government7.5cpe:2.3:a:ibm:maximo_for_government:7.5:*:*:*:*:*:*:*
ibmmaximo_for_nuclear_power7.1cpe:2.3:a:ibm:maximo_for_nuclear_power:7.1:*:*:*:*:*:*:*
ibmmaximo_for_nuclear_power7.5cpe:2.3:a:ibm:maximo_for_nuclear_power:7.5:*:*:*:*:*:*:*
Rows per page:
1-10 of 401

Related

ibm 44
aix 1
nessus 39
openvas 36
redhat 9
oraclelinux 3
amazon 2
suse 4
kaspersky 1
centos 3
debian 3
ubuntu 4
mageia 1
prion 8
cve 9
nvd 9
ubuntucve 6
cvelist 9
osv 1
thn 1
veracode 6
ibm
ibm
Security Bulletin: Vulnerabilities in IBM Tivoli System Automation for Integrated Operations Management (Several CVE's)
2018-08-09 04:20:36
Security Bulletin: Multiple vulnerabilities in the IBM SDK Java™ Technology for IBM i
2019-12-18 14:26:38
Security Bulletin: IBM Smart Analytics System 5600 is affected by multiple vulnerabilities in the IBM SDK Java™ Technology Edition, Version 6
2018-06-16 13:58:15
aix
aix
Multiple vulnerabilities in current releases of the IBM SDK Java Technology Edition
2014-08-18 14:04:26
nessus
nessus
AIX Java Advisory : java_jul2014_advisory.asc
2014-08-22 00:00:00
SuSE 11.3 Security Update : IBM Java 1.7.0 (SAT Patch Number 9616)
2014-08-20 00:00:00
RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2014:1041)
2014-08-12 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2014:1037-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2014:1055-1)
2021-06-09 00:00:00
Oracle Java SE JRE Multiple Unspecified Vulnerabilities-01 (Jul 2014) - Linux
2014-07-24 00:00:00
redhat
redhat
(RHSA-2014:1042) Critical: java-1.7.1-ibm security update
2014-08-11 00:00:00
(RHSA-2014:1041) Critical: java-1.7.0-ibm security update
2014-08-11 00:00:00
(RHSA-2014:1033) Critical: java-1.6.0-ibm security update
2014-08-07 00:00:00
oraclelinux
oraclelinux
java-1.6.0-openjdk security and bug fix update
2014-07-21 00:00:00
java-1.7.0-openjdk security update
2014-07-16 00:00:00
java-1.7.0-openjdk security update
2014-07-16 00:00:00
amazon
amazon
Important: java-1.6.0-openjdk
2014-07-31 13:52:00
Critical: java-1.7.0-openjdk
2014-07-23 14:01:00
suse
suse
Security update for openjdk (important)
2014-08-04 19:04:23
Security update for java-1_5_0-ibm (important)
2015-02-25 19:05:32
Security update for java-1_7_0-ibm (important)
2015-02-21 01:05:45
kaspersky
kaspersky
KLA10507 Multiple vulnerabilities in Oracle products
2014-07-17 00:00:00
centos
centos
java security update
2014-07-21 18:20:14
java security update
2014-07-16 10:46:11
java security update
2014-07-16 10:53:36
debian
debian
[SECURITY] [DSA 2980-1] openjdk-6 security update
2014-07-17 15:59:57
[SECURITY] [DSA 2987-1] openjdk-7 security update
2014-07-23 19:51:31
[SECURITY] [DLA 96-1] openjdk-6 security update
2014-11-28 10:25:51
ubuntu
ubuntu
OpenJDK 6 vulnerabilities
2014-08-12 00:00:00
OpenJDK 7 update
2014-09-17 00:00:00
OpenJDK 7 regression
2014-08-26 00:00:00
mageia
mageia
Updated java-1.7.0-openjdk packages fix multiple vulnerabilities
2014-07-26 15:03:50
prion
prion
Design/Logic Flaw
2014-07-17 05:10:00
Design/Logic Flaw
2014-07-17 05:10:00
Security feature bypass
2014-08-12 00:55:00
cve
cve
CVE-2014-4220
2014-07-17 05:10:16
CVE-2014-4208
2014-07-17 05:10:15
CVE-2014-4227
2014-07-17 05:10:16
nvd
nvd
CVE-2014-4208
2014-07-17 05:10:15
CVE-2014-4220
2014-07-17 05:10:16
CVE-2014-3086
2014-08-12 00:55:03
ubuntucve
ubuntucve
CVE-2014-4208
2014-07-17 00:00:00
CVE-2014-4220
2014-07-17 00:00:00
CVE-2014-4268
2014-07-17 00:00:00
cvelist
cvelist
CVE-2014-4220
2014-07-17 02:36:00
CVE-2014-4208
2014-07-17 02:36:00
CVE-2014-4227
2014-07-17 02:36:00
osv
osv
openjdk-6 - security update
2014-11-28 00:00:00
thn
thn
Update Your Java to Patch 20 Vulnerabilities Or Just Disable it
2014-07-15 23:03:00
veracode
veracode
Authorization Bypass
2019-05-02 05:08:04
Privilege Escalation
2020-02-12 00:05:43
Unchecked Return Value
2019-05-02 05:03:23

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.491

Percentile

97.5%

JSON
Related for 45598BFB4E8D67B515A9DEBBBF4CF71F882A6EC2E045D148C250DA38513CBFC2
ibm44aix1nessus39openvas36redhat9oraclelinux3amazon2suse4kaspersky1centos3debian3ubuntu4mageia1prion8cve9nvd9ubuntucve6cvelist9osv1thn1veracode6