Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM FlashSystem 840 and IBM FlashSystem V840, -AE1 models, (CVE-2014-6593 and CVE-2015-0410)

2023-02-1801:45:50

www.ibm.com

ibm flashsystem

v840

840

ae1

9840

9843

9846

9848

ibm java

vulnerabilities

cve-2014-6593

cve-2015-0410

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS

0.698

Percentile

98.1%

JSON

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 1.6.0 that is used by FlashSystem 840. These issues were disclosed as part of the IBM Java SDK updates in January 2015

Vulnerability Details

CVEID: CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM FlashSystem 840:
Machine Type 9840, model -AE1 (all supported releases)
Machine Type 9843, model -AE1 (all supported releases)

IBM FlashSystem V840:
Machine Type 9846, model -AE1 (all supported releases)
Machine Type 9848, model -AE1 (all supported releases)

Code level 1.1.3.6 and earlier are affected.

Remediation/Fixes

You should verify applying this fix does not cause any compatibility issues.

<Product	VRMF	APAR	Remediation/First Fix
840 MTMs:
9840-AE1 &
9843-AE1

V840 MTMs: 9846-AE1 &
9848-AE1| A code fix is now available, the VRMF of this code level is 1.1.3.7 (or later)| _ _N/A| No work arounds or mitigations, other than applying this code fix, are known for this vulnerability

Note:
V840 customers must upgrade the code of both the -AE1 and -ACx (whether -AC0 or -AC1) nodes to address this vulnerability. A customer reading this to fix one model type (e.g. –AE1) should look for the corresponding security bulletin which describes how to fix the other model type (e.g. perhaps –AC0) in the customer’s V840.

Link to FlashSystem 840 fixes

Link to FlashSystem V840 fixes