There is a potential denial of service with IBM WebSphere Application Server 6.0.2 and 6.1 that affects versions of WebSphere Application Server used with IBM Rational Application Developer.
CVEID: CVE-2014-0964
Description: There is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2. Running a Heartbleed scanning tool against the server, or sending it specially-crafted Heartbeat messages, can cause the IBM SDK for Java for WebSphere Application Server to become stuck in a processing loop, resulting in high CPU usage. If enough processing loops are generated, the server may become unresponsive and require a server restart. There is no impact to confidentiality or integrity.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92877> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Affected versions: the SDK shipped with the IBM WebSphere Test Environment Version 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43, packaged in Rational Application Developer 7.0, 7.5, and 8.0.
Upgrade the SDK of the WebSphere Test Environment to an interim fix level as determined below:
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Rational Application Developer | 7.0 through 7.0.0.10 Interim Fix 002 | PI17772 | For versions V6.0.2.0 through 6.0.2.43, contact IBM Rational Application Developer support and request the WebSphere Test Environment v6.0 fix for APAR PI17772. |
Rational Application Developer | 7.5 through 7.5.5.5 Interim Fix 001 and 8.0 through 8.0.4.3 | PI17772 | |
Note: The fix provided by WebSphere Application Server can also be directly applied to the WebSphere Test Environment packaged with Rational Application Developer.
If you are using Heartbleed tools to detect the OpenSSL Heartbleed vulnerability, you should stop the tool.