IBM Support

Security Bulletin: Denial of Service with WebSphere Application Server affecting Rational Application Developer (CVE-2014-0964)

Created by Cesar Ivan Oro… on
Published URL:
https://www.ibm.com/support/pages/node/509463
509463

Security Bulletin


Summary

There is a potential denial of service with IBM WebSphere Application Server 6.0.2 and 6.1 that affects versions of WebSphere Application Server used with IBM Rational Application Developer.

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVEID: CVE-2014-0964



Description: There is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2. If you run a Heartbleed scanning tool or send a specially-crafted Heartbeat messages to the server it can cause the IBM SDK for Java for WebSphere Application Server to become stuck in a processing loop resulting in high CPU usage. If enough processing loops are generated the server may become unresponsive and require a server restart. There is no impact to confidentiality or integrity.

CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

The SDK shipped with the IBM WebSphere Test Environment Version 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 packaged in Rational Application Developer 7.0, 7.5, and 8.0.

Remediation/Fixes

Upgrade the SDK of the WebSphere Test Environment to an interim fix level as determined below:


ProductVRMFAPARRemediation/First Fix
Rational Application Developer7.0 through 7.0.0.10 Interim Fix 002.PI17772For versions V6.0.2.0 through 6.0.2.43, contact IBM Rational Application Developer support and request the WebSphere Test Environment v6.0 fix for APAR PI17772.
Rational Application Developer7.5 through 7.5.5.5 Interim Fix 001

8.0 through 8.0.4.3
PI17772

Note: The fix provided by WebSphere Application Server can also be directly applied to the WebSphere Test Environment packaged with Rational Application Developer.

Workarounds and Mitigations

If you are using Heartbleed tools to detect the OpenSSL Heartbleed vulnerability, you should stop the tool.

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

None

Change History

* 14 May 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSRTLW","label":"Rational Application Developer for WebSphere Software"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Server Runtimes","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"7.0;7.0.0.1;7.0.0.10;7.0.0.2;7.0.0.3;7.0.0.4;7.0.0.5;7.0.0.6;7.0.0.7;7.0.0.8;7.0.0.9;7.5;7.5.1;7.5.2;7.5.3;7.5.4;7.5.5;7.5.5.1;7.5.5.2;7.5.5.3;7.5.5.4;7.5.5.5;8.0;8.0.1;8.0.2;8.0.3;8.0.4;8.0.4.1;8.0.4.2;8.0.4.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSJVRK","label":"Rational Application Developer Standard Edition for WebSphere Software"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Server Runtimes","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"8.0;8.0.1;8.0.2;8.0.3;8.0.4;8.0.4.1;8.0.4.2;8.0.4.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 February 2020

UID

swg21672627