Security Bulletin
Summary
Multiple N series products incorporate the Java Runtime Environment (JRE) software libraries. JRE versions up to 8u31 and 7u75 are susceptible to multiple vulnerabilities, potentially leading to an unauthorized Operating System takeover including arbitrary code execution, a partial denial of service, or unauthorized update, insert or delete access to some Java SE accessible data.
Vulnerability Details
CVEID: CVE-2014-3566
DESCRIPTION: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6549
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6585
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6587
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)
CVEID: CVE-2014-6591
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-0383
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)
CVEID: CVE-2015-0395
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100143 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0400
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-0403
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0406
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Deployment component has partial confidentiality impact, no integrity impact, and partial availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVEID: CVE-2015-0407
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Swing component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-0408
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-6601
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0412
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the JAX-WS component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0437
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Affected Products and Versions
NS OnCommand Core Package: 5.2, 5.2R1, 5.2.1P1, 5.2.1P2;
NS OnCommand Unified Manager for DataONTAP: 6.1R1;
N series VASA Provider: 1.0, 1.0.1;
SnapManager for Oracle: 3.2, 3.3, 3.3.1;
SnapManager for SAP: 3.2, 3.3, 3.3.1;
Virtual Storage Console for VMware vSphere: 4.2.1, 5.0, 6.0, 6.1;
Remediation/Fixes
For SnapManager for Oracle: the fix exists from microcode version 3.4;
For SnapManager for SAP: the fix exists from microcode version 3.4;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2;
Please contact IBM support or go to this link to download a supported release. For customers who are using N series VASA Provider, NS OnCommand Unified Manager for DataONTAP or NS OnCommand Core Package, please contact IBM support.
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
References
Change History
16 January 2017: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
ssg1S1009618