-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1394
 Security Bulletin: A vulnerability in the IBM SDK Java Technology Edition
       affects IBM InfoSphere Information Server and IBM InfoSphere
                         DataClick (CVE-2014-0453)
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Information Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0453 CVE-2014-0224

Reference:         ASB-2014.0063
                   ASB-2014.0053
                   ESB-2014.1362
                   ESB-2014.0593
                   ESB-2014.0538
                   ESB-2014.0537
                   ESB-2014.0517

Original Bulletin: 
   https://www-304.ibm.com/support/docview.wss?uid=swg21676371
   https://www-304.ibm.com/support/docview.wss?uid=swg21680008

Comment: This bulletin contains two (2) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A vulnerability in the IBM SDK Java Technology Edition
affects IBM InfoSphere Information Server and IBM InfoSphere DataClick
(CVE-2014-0453)

Security Bulletin

Document information

More support for:
InfoSphere Information Server

Software version:
8.5, 8.7, 9.1, 10.0, 11.3

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1676371

Modified date:
2014-08-04

Summary

A vulnerability affecting both IBM InfoSphere Information Server and IBM
InfoSphere Data Click has been identified in a security component. The
vulnerability has partial confidentiality impact and partial integrity
impact.

Vulnerability Details

CVE ID: CVE-2014-0453
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

-- IBM InfoSphere Information Server versions 8.0, 8.1, 8.5, 8.7, 9.1 and
   11.3 running on all platforms
-- IBM InfoSphere Data Click version 10.0 running on Linux

Remediation/Fixes

Product                          VRMF  APAR     Remediation/First Fix

InfoSphere Information Server    11.3  JR50275  Contact IBM customer support.
InfoSphere Data Click            10.0  JR50275  Contact IBM customer support.
InfoSphere Information Server    9.1   JR50275  --Apply JR50275
InfoSphere Information Server    8.7   JR50275  --Apply IBM InfoSphere Information
                                                  Server version 8.7 Fix Pack 2
                                                --Apply JR50275
InfoSphere Information Server    8.5   JR50275  --Apply IBM InfoSphere Information
                                                  Server version 8.5 Fix Pack 3
                                                --Apply JR50275
InfoSphere Information Server    8.1   None     Contact IBM customer support.
InfoSphere Information Server    8.0   None     Contact IBM customer support.


Note:
1. The same fix may be listed under multiple vulnerabilities. Installing
the fix addresses all vulnerabilities to which the fix applies. Also, some
fixes require installing both a fix pack and a subsequent patch. While the
fix pack must be installed first, any additional patches required may be
installed in any order.
2. For HP-UX versions, contact IBM customer support.

Workarounds and Mitigations

None known; apply the fixes listed above.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

04 August 2014: Original version published

*The CVSS Environmental Score is specific to the customer's environment and
will ultimately affect the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links in
the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

----------------------------------------------------------------------

Security Bulletin: IBM InfoSphere Information Server is affected by the
following OpenSSL vulnerability (CVE-2014-0224)

Security Bulletin

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported
on June 5, 2014 by the OpenSSL Project.

Vulnerability Details

CVE ID: CVE-2014-0224

DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused
by the use of weak keying material in SSL/TLS clients and servers. A
remote attacker could exploit this vulnerability using a specially-crafted
handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
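Both advisories print a CVSS v2 base vector next to the base score and leave the temporal and environmental adjustments to the reader (the footnote below the Change History says as much). The following script is an added example, not part of either IBM advisory or of the AusCERT bulletin: it parses the vector strings exactly as IBM prints them (parentheses included) and recomputes the two published base scores, 4.0 for CVE-2014-0453 and 5.8 for CVE-2014-0224, from the metric weights and equations of the CVSS v2 guide cited under References. All function names and the `ADVISORY_VECTORS` table are the example's own; it needs no network access and reads nothing from an IBM system.

```python
"""CVSS v2 base-score calculator (added example; not from the IBM or
AusCERT bulletin). Reproduces the published base scores from the vector
strings quoted in the two advisories, using the metric weights and
equations of the CVSS v2 specification."""

import re
from typing import Dict, Tuple

# Metric weights from the CVSS v2 base-score equations.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Strict grammar for a base vector; the surrounding parentheses IBM
# prints are optional. Anything else is rejected rather than guessed at.
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)

# Vector strings as printed in the two IBM advisories above.
ADVISORY_VECTORS = {
    "CVE-2014-0453": "(AV:N/AC:H/Au:N/C:P/I:P/A:N)",
    "CVE-2014-0224": "(AV:N/AC:M/Au:N/C:P/I:P/A:N)",
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector into its six metrics.

    Raises ValueError on a malformed vector so that a typo in an advisory
    cannot silently turn into a plausible-looking score."""
    match = VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), match.groups()))


def subscores(metrics: Dict[str, str]) -> Tuple[float, float]:
    """Return (impact, exploitability) sub-scores per the CVSS v2 equations."""
    conf, integ, avail = (IMPACT_WEIGHT[metrics[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - conf) * (1 - integ) * (1 - avail))
    exploitability = (
        20
        * ACCESS_VECTOR[metrics["AV"]]
        * ACCESS_COMPLEXITY[metrics["AC"]]
        * AUTHENTICATION[metrics["Au"]]
    )
    return impact, exploitability


def base_score(vector: str) -> float:
    """CVSS v2 base score for a vector string, rounded to one decimal.

    f(Impact) is 0 when there is no impact at all, otherwise 1.176, which is
    why an all-N impact triple scores 0.0 regardless of exploitability."""
    impact, exploitability = subscores(parse_vector(vector))
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # Tiny offset keeps binary floating point from rounding a true .x5 down.
    return round(raw + 1e-9, 1)


def score_advisories(vectors: Dict[str, str] = ADVISORY_VECTORS) -> Dict[str, float]:
    """Base score for every CVE/vector pair, keyed by CVE id."""
    return {cve: base_score(vec) for cve, vec in vectors.items()}


if __name__ == "__main__":
    for cve, score in score_advisories().items():
        print(f"{cve}: base score {score}")
```

The two vectors differ only in Access Complexity (H for the Java SDK issue, M for the OpenSSL one), and the script shows that this single metric accounts for the gap between 4.0 and 5.8: the impact sub-score is identical, only the exploitability term changes. Feeding it a vector with a malformed metric raises ValueError instead of returning a number, which is the behaviour you want when scores are copied from advisories into a ticketing system.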

Affected Products and Versions

-- IBM InfoSphere Information Server versions 8.0, 8.1, 8.5, 8.7, 9.1 and
   11.3 running on all platforms
-- IBM InfoSphere Data Click version 10.0 running on Linux

Remediation/Fixes

Product                          VRMF  APAR     Remediation/First Fix

InfoSphere Information Server    11.3  JR50611  --Upgrade to DataDirect ODBC drivers
                                                  version 7.1.4
                                                --Follow the driver post-installation
                                                  steps in the TechNote
InfoSphere Data Click            10.0  JR50611  Contact IBM customer support to
                                                obtain the fix.
InfoSphere Information Server    9.1   JR50611  --Upgrade to DataDirect ODBC drivers
                                                  version 7.1.4
                                                --Follow the driver post-installation
                                                  steps in the TechNote
InfoSphere Information Server    8.7   JR39854  --Apply IBM InfoSphere Information
                                                  Server version 8.7 Fix Pack 2
                                       JR42587  --Upgrade to DataDirect ODBC drivers
                                                  version 7.1.4
                                       JR50611  --Follow the driver post-installation
                                                  steps in the TechNote
InfoSphere Information Server    8.5   JR39854  --Apply IBM InfoSphere Information
                                                  Server version 8.5 Fix Pack 3
                                       JR42587  --Upgrade to DataDirect ODBC drivers
                                                  version 7.1.4
                                       JR50611  --Follow the driver post-installation
                                                  steps in the TechNote
InfoSphere Information Server    8.1   JR42587  Contact IBM customer support.
                                       JR50611
InfoSphere Information Server    8.0   JR50611  Contact IBM customer support.

Workarounds and Mitigations

None known

References
Complete CVSS Guide
On-line Calculator V2
OpenSSL Project vulnerability website

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

4 August 2014: Original Version Published

*The CVSS Environmental Score is specific to the customer's environment and
will ultimately affect the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links in
the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----