There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Service Registry and Repository. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These issues were disclosed as part of the IBM Java SDK updates in October 2014.
The following advisories are included in the IBM® SDK Java™ Technology Edition and WebSphere Application Server may be vulnerable to them.
CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
**
CVEID:** CVE-2015-0400**
DESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100149> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**
CVEID:** CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
WebSphere Service Registry and Repository 6.3, 7.0, 7.5, 8.0, 8.5
WebSphere Service Registry and Repository Studio 8.5
To fix the WebSphere Service Registry and Repository server, please apply the fix indicated in the WebSphere Application Server bulletin at http://www.ibm.com/support/docview.wss?uid=swg21687740
If you wish to also apply a fix to WebSphere Service Registry and Repository Studio, please either contact IBM support for a fix, or replace Studio’s bundled JRE with the updated JRE version 6 SR16-FP2. The fixed JRE can be downloaded from <https://www.ibm.com/developerworks/java/jdk/>.