Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF06BAB24D9E4E17DD0677BA61DD3C1AC11E4C85147BBF86EE8D3A92E535C3E14
HistoryOct 25, 2021 - 12:12 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the IBM Installation Manager and IBM Packaging Utility (CVE-2014-6593 and CVE-2015-0138)

2021-10-2512:12:53
www.ibm.com
27
ibm
java runtime
installation manager
packaging utility
freak
tls
ssl
vulnerability
cve-2014-6593
cve-2015-0138
security
downgrade

EPSS

0.698

Percentile

98.0%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7 that are used by IBM Installation Manager and IBM Packaging Utility. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Installation Manager and IBM Packaging Utility versions 1.8.2 and earlier.

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM Installation Manager and IBM Packaging Utility| 1.8.2.1| None| 1.8.2.1 IBM Installation Manager Remediation
1.8.2.1 IBM Packaging Utility Remediation
IBM Installation Manager and IBM Packaging Utility| 1.7.4.1| None| 1.7.4.1 IBM Installation Manager Remediation
1.7.4.1 IBM Packaging Utility Remediation

Please note that the 1.7.4.1 fix is intended for upgrade of 1.7.4 and earlier versions which continue support on platforms that are NOT supported by 1.8 or later versions_._

Workarounds and Mitigations

You should verify applying this configuration change does not cause any compatibility issues.

Related

ibm 166
vmware 2
threatpost 1
nvd 3
cvelist 2
debiancve 1
packetstorm 2
veracode 1
prion 2
metasploit 1
ubuntucve 1
kaspersky 1
cve 3
zdt 2
openvas 2
nessus 5
exploitdb 1
aix 1
f5 2
ibm
ibm
Security Bulletin: Multiple vulnerabilities in the IBM Runtime Environments Java Technology Edition, Versions 6 and 7 in TPF Toolkit (CVE-2014-6593, CVE-2015-0410, and CVE-2015-0138)
2018-08-03 04:23:43
Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring (CVE-2015-0138)
2018-06-17 15:23:40
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for System z (CVE-2015-0138, CVE-2015-0410, CVE-2014-6593)
2020-10-27 15:51:50
vmware
vmware
VMware product updates address critical information disclosure issue in JRE.
2015-04-02 00:00:00
VMware product updates address critical information disclosure issue in JRE
2015-04-02 00:00:00
threatpost
threatpost
VMware Fixes Java Information Disclosure Vulnerability
2015-04-03 11:03:15
nvd
nvd
CVE-2014-6593
2015-01-21 15:28:29
CVE-2015-6593
2015-05-30 19:59:10
CVE-2015-0138
2015-03-25 01:59:17
cvelist
cvelist
CVE-2014-6593
2015-01-21 15:00:00
CVE-2015-0138
2015-03-25 01:00:00
debiancve
debiancve
CVE-2014-6593
2015-01-21 15:28:29
packetstorm
packetstorm
Java Secure Socket Extension (JSSE) SKIP-TLS
2015-11-06 00:00:00
Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy
2015-08-12 00:00:00
veracode
veracode
Authorization Bypass
2019-05-02 05:07:16
prion
prion
Design/Logic Flaw
2015-01-21 15:28:00
Design/Logic Flaw
2015-03-25 01:59:00
metasploit
metasploit
Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy
2015-06-09 02:41:17
ubuntucve
ubuntucve
CVE-2014-6593
2015-01-21 00:00:00
kaspersky
kaspersky
KLA10530 JRE update for multiple VMware products
2015-04-02 00:00:00
cve
cve
CVE-2014-6593
2015-01-21 15:28:29
CVE-2015-6593
2015-05-30 19:59:10
CVE-2015-0138
2015-03-25 01:59:17
zdt
zdt
Java Secure Socket Extension (JSSE) SKIP-TLS
2015-11-05 00:00:00
Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy Exploit
2015-08-13 00:00:00
openvas
openvas
VMware NSX updates address critical information disclosure issue in JRE (VMSA-2015-0003)
2015-10-27 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1073-1)
2021-04-19 00:00:00
nessus
nessus
VMware vSphere Update Manager Java Vulnerability (VMSA-2015-0003)
2015-05-01 00:00:00
IBM HTTP Server 8.5.0.0 <= 8.5.5.5 / 8.0.0.0 <= 8.0.0.10 / 7.0.0.0 <= 7.0.0.37 / 6.1.0.0 <= 6.1.0.47 / 6.0.0.0 <= 6.0.2.43 (257477)
2020-12-15 00:00:00
AIX Java Advisory : Multiple Vulnerabilities (Bar Mitzvah)
2015-04-30 00:00:00
exploitdb
exploitdb
JSSE - SKIP-TLS
2015-11-05 00:00:00
aix
aix
AIX IBM SDK Java JSSE vulnerability
2015-04-13 12:11:24
f5
f5
SOL16353 - Multiple JavaSE server-side vulnerabilities CVE-2015-0383, CVE-2015-0410, and CVE-2014-6593
2015-04-02 00:00:00
K16353 : Multiple JavaSE server-side vulnerabilities CVE-2015-0383, CVE-2015-0410, and CVE-2014-6593
2015-04-02 00:00:00

EPSS

0.698

Percentile

98.0%

JSON
Related for F06BAB24D9E4E17DD0677BA61DD3C1AC11E4C85147BBF86EE8D3A92E535C3E14
ibm166vmware2threatpost1nvd3cvelist2debiancve1packetstorm2veracode1prion2metasploit1ubuntucve1kaspersky1cve3zdt2openvas2nessus5exploitdb1aix1f52