Security Bulletin
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.
Vulnerability Details
CVEID: CVE-2014-6457
DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-6558
DESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3065
DESCRIPTION: IBM Java SDK contains a vulnerability in which the default configuration for the shared classes feature potentially allows arbitrary code to be injected into the shared classes cache, which may subsequently be executed by other local users.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
CVE-ID: CVE-2014-6468
DESCRIPTION: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Affected Products and Versions
The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: versions 8.1, 8.5, 8.7, 9.1, and 11.3
Remediation/Fixes
|
Product | VRMF | APAR | Remediation/First Fix |
| InfoSphere Information Server | 11.3 | JR51825 JR52138 | --Follow instructions in the README --Upgrade to DataDirect ODBC drivers version 7.1.4 --Follow the driver post installation steps in this TechNote |
| InfoSphere Information Server | 9.1 | JR51825 JR52138 | --Apply JR51825 --Upgrade to DataDirect ODBC drivers version 7.1.4 --Follow the driver post installation steps in this TechNote |
| InfoSphere Information Server | 8.7 | JR51825 JR52138 | --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2 --Apply JR51825 --Upgrade to DataDirect ODBC drivers version 7.1.4 --Follow the driver post installation steps in this TechNote -- In an existing installation where fixes for CVE-2014-3566 has been applied to WebSphere: Set com.ibm.ssl.protocol=TLS in <install location>/ASBServer/conf/ssl.client.props <install location>/ASBNode/eclipse/plugins/com.ibm.isf.client/ssl.client.props -- For a new installation, if you are installing to a preinstalled WebSphere system where fixes for CVE-2014-3566 has been applied, set com.ibm.ssl.protocol=TLS in the following files on your installation media: is-suite/payloads/MetadataServer/ISFNode/templates/ssl.client.props is-suite/payloads/MetadataServer/ISFServer/templates/ssl.client.props |
| InfoSphere Information Server | 8.5 | JR51825 JR52138 | --Apply IBM InfoSphere Information Server version 8.5 Fix Pack 3 --Apply JR51825 --Upgrade to DataDirect ODBC drivers version 7.1.4 --Follow the driver post installation steps in this TechNote -- In an existing installation where fixes for CVE-2014-3566 has been applied to WebSphere: Set com.ibm.ssl.protocol=TLS in <install location>/ASBServer/conf/ssl.client.props <install location>/ASBNode/eclipse/plugins/com.ibm.isf.client_8.5.0.0/ssl.client.props -- For a new installation, if you are installing to a preinstalled WebSphere system where fixes for CVE-2014-3566 has been applied, set com.ibm.ssl.protocol=TLS in the following files on your installation media: is-suite/payloads/MetadataServer/ISFNode/templates/ssl.client.props is-suite/payloads/MetadataServer/ISFServer/templates/ssl.client.props |
| InfoSphere Information Server | 8.1 | None | Contact IBM customer support. |
Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
References
Change History
6 February 2015: Original Version Published
13 March 2015: Updated for fixes in DataDirect drivers
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRTs 46239 and 44244
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21693199