Jun 16, 2018 - 9:17 p.m.

Security Bulletin: IBM Tivoli Key Lifecycle Manager can be affected by a denial of service vulnerability in WebSphere Application Server (CVE-2014-0964)

2018-06-16 21:17:42
www.ibm.com

EPSS: 0.018 (percentile: 88.3%)

Summary

The IBM WebSphere Application Server component provided with Tivoli Key Lifecycle Manager is vulnerable to potential denial of service.

Vulnerability Details

CVEID: CVE-2014-0964

**DESCRIPTION:** The version of IBM WebSphere Application Server used by Tivoli Key Lifecycle Manager is subject to a potential denial of service when Heartbleed scanning tools are run against it or when specially crafted Heartbeat messages are sent to it.

The attack does not require local network access or authentication, but a moderate degree of specialized knowledge and techniques is required. An exploit can affect the availability of the system, but it would not impact the confidentiality of information or the integrity of data.

CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92877> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

The following versions are affected:

  • IBM Tivoli Key Lifecycle Manager (TKLM) V1.0, V2.0, V2.0.1

Remediation/Fixes

Update your IBM WebSphere Application Server (WAS) with the appropriate Interim Fix based on information in the WebSphere security bulletin link below:

  • To determine your WAS version, use the tklmVersionInfo CLI command.
  • To determine your Java version, navigate to the install folder <TIP_HOME>/AppServer/java/bin and run java -fullversion

Security Bulletin: Denial of Service with WebSphere Application Server and Scanning Tool (CVE-2014-0964)

| Affected versions | WebSphere Application Server Version | APAR fix |
| --- | --- | --- |
| TKLM 1.0 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5), or upgrade to WebSphere Application Server Fix Pack 6.1.0.47 and then apply Interim Fix PI51445, which will upgrade you to IBM SDK, Java 2 Technology Edition (Java 5 SR 16 FP 14) |
| TKLM 2.0 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5), or upgrade to WebSphere Application Server Fix Pack 6.1.0.47 and then apply Interim Fix PI51445, which will upgrade you to IBM SDK, Java 2 Technology Edition (Java 5 SR 16 FP 14) |
| TKLM 2.0.1 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5), or upgrade to WebSphere Application Server Fix Pack 6.1.0.47 and then apply Interim Fix PI51445, which will upgrade you to IBM SDK, Java 2 Technology Edition (Java 5 SR 16 FP 14) |

Workarounds and Mitigations

None
