IBM Support

Security Bulletin: IBM Tivoli Key Lifecycle Manager can be affected by a denial of service vulnerability in WebSphere Application Server (CVE-2014-0964)

Created by Aditi Prasad on
Published URL:
https://www.ibm.com/support/pages/node/510629
510629

Security Bulletin


Summary

The IBM WebSphere Application Server component provided with Tivoli Key Lifecycle Manager is vulnerable to potential denial of service.

Vulnerability Details

CVEID:
CVE-2014-0964


DESCRIPTION: The version IBM WebSphere Application Server used by Tivoli Key Lifecycle Manager is subject to a potential denial of service when running Heartbleed scanning tools or if sending specially-crafted Heartbeat messages.

The attack does not require local network access or authentication, but a moderate degree of specialized knowledge and techniques are required. An exploit can affect the availability of the system, but it would not impact the confidentiality of information or the integrity of data.


CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

The following versions are affected:

  • IBM Tivoli Key Lifecycle Manager (TKLM) V1.0, V2.0, V.2.0.1

Remediation/Fixes

Update your IBM WebSphere Application Server (WAS) with the appropriate Interim Fix based on information in the WebSphere security bulletin link below:

  • To determine your WAS version, use the
    tklmVersionInfo
    CLI command.
  • To determine your Java version, navigate to the install folder <TIP_HOME>/AppServer/java/bin and run
    java -fullversion

Security Bulletin: Denial of Service with WebSphere Application Server and Scanning Tool (CVE-2014-0964)


Affected versionsWebsphere Application Server VersionAPAR fix
TKLM 1.06.1.0.0 through 6.1.0.47PI16981 (Java 5 SR 16 FP 5)
or
Upgrade to WebSphere Application Server Fix Pack 6.1.0.47
Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14)
TKLM 2.06.1.0.0 through 6.1.0.47PI16981 (Java 5 SR 16 FP 5)
or
Upgrade to WebSphere Application Server Fix Pack 6.1.0.47
Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14)
TKLM 2.0.16.1.0.0 through 6.1.0.47PI16981 (Java 5 SR 16 FP 5)
or
Upgrade to WebSphere Application Server Fix Pack 6.1.0.47
Then apply Interim Fix PI51445: Will upgrade you to IBM SDK, Java 2 Technology Edition, (Java 5 SR 16 FP 14)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSWPVP","label":"IBM Security Key Lifecycle Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"1.0;2.0;2.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21673710