IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server (CVE-2014-6457, CVE-2014-6558, CVE-2014-3566, CVE-2014-3065, CVE-2014-6468)

Created by Clyde Mendonca on
Published URL:
https://www.ibm.com/support/pages/node/522521
522521

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

CVEID: CVE-2014-6457

DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6558

DESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3065

DESCRIPTION: IBM Java SDK contains a vulnerability in which the default configuration for the shared classes feature potentially allows arbitrary code to be injected into the shared classes cache, which may subsequently be executed by other local users.

CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)

CVE-ID: CVE-2014-6468

DESCRIPTION: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: versions 8.1, 8.5, 8.7, 9.1, and 11.3

Remediation/Fixes

Product

VRMFAPARRemediation/First Fix
InfoSphere Information Server11.3JR51825
JR52138
--Follow instructions in the README
--Upgrade to DataDirect ODBC drivers version 7.1.4
--Follow the driver post installation steps in this TechNote
InfoSphere Information Server9.1JR51825
JR52138
--Apply JR51825
--Upgrade to DataDirect ODBC drivers version 7.1.4
--Follow the driver post installation steps in this TechNote
InfoSphere Information Server8.7JR51825
JR52138
--Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2
--Apply JR51825
--Upgrade to DataDirect ODBC drivers version 7.1.4
--Follow the driver post installation steps in this TechNote
-- In an existing installation where fixes for CVE-2014-3566 has been applied to WebSphere:
Set com.ibm.ssl.protocol=TLS in
<install location>/ASBServer/conf/ssl.client.props
<install location>/ASBNode/eclipse/plugins/com.ibm.isf.client/ssl.client.props
-- For a new installation, if you are installing to a preinstalled WebSphere system where fixes for CVE-2014-3566 has been applied, set com.ibm.ssl.protocol=TLS in the following files on your installation media:
is-suite/payloads/MetadataServer/ISFNode/templates/ssl.client.props
is-suite/payloads/MetadataServer/ISFServer/templates/ssl.client.props
InfoSphere Information Server8.5JR51825
JR52138
--Apply IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Apply JR51825
--Upgrade to DataDirect ODBC drivers version 7.1.4
--Follow the driver post installation steps in this TechNote
-- In an existing installation where fixes for CVE-2014-3566 has been applied to WebSphere:
Set com.ibm.ssl.protocol=TLS in
<install location>/ASBServer/conf/ssl.client.props
<install location>/ASBNode/eclipse/plugins/com.ibm.isf.client_8.5.0.0/ssl.client.props
-- For a new installation, if you are installing to a preinstalled WebSphere system where fixes for CVE-2014-3566 has been applied, set com.ibm.ssl.protocol=TLS in the following files on your installation media:
is-suite/payloads/MetadataServer/ISFNode/templates/ssl.client.props
is-suite/payloads/MetadataServer/ISFServer/templates/ssl.client.props
InfoSphere Information Server8.1NoneContact IBM customer support.

Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

6 February 2015: Original Version Published
13 March 2015: Updated for fixes in DataDirect drivers

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRTs 46239 and 44244

[{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"11.3;8.1;8.5;8.7;9.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"11.3;8.1;8.5;8.7;9.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21693199