Security Bulletin
Summary
The IBM WebSphere Application Server component provided with Tivoli Key Lifecycle Manager is vulnerable to potential denial of service.
Vulnerability Details
CVEID:
CVE-2014-0964
DESCRIPTION: The version IBM WebSphere Application Server used by Tivoli Key Lifecycle Manager is subject to a potential denial of service when running Heartbleed scanning tools or if sending specially-crafted Heartbeat messages.
The attack does not require local network access or authentication, but a moderate degree of specialized knowledge and techniques are required. An exploit can affect the availability of the system, but it would not impact the confidentiality of information or the integrity of data.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Affected Products and Versions
The following versions are affected:
- IBM Tivoli Key Lifecycle Manager (TKLM) V1.0, V2.0, V.2.0.1
Remediation/Fixes
Update your IBM WebSphere Application Server (WAS) with the appropriate Interim Fix based on information in the WebSphere security bulletin link below:
- To determine your WAS version, use the
CLI command.
tklmVersionInfo
- To determine your Java version, navigate to the install folder <TIP_HOME>/AppServer/java/bin and run
java -fullversion
Security Bulletin: Denial of Service with WebSphere Application Server and Scanning Tool (CVE-2014-0964)
| Affected versions | Websphere Application Server Version | APAR fix |
| TKLM 1.0 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5) or Upgrade to WebSphere Application Server Fix Pack 6.1.0.47 Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14) |
| TKLM 2.0 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5) or Upgrade to WebSphere Application Server Fix Pack 6.1.0.47 Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14) |
| TKLM 2.0.1 | 6.1.0.0 through 6.1.0.47 | PI16981 (Java 5 SR 16 FP 5) or Upgrade to WebSphere Application Server Fix Pack 6.1.0.47 Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14) |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
http://xforce.iss.net/xforce/xfdb/92877
http://www.ibm.com/support/docview.wss?uid=swg21671835
http://www.ibm.com/support/docview.wss?uid=swg24037454
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21673710