Operating System:

[WIN][UNIX/Linux]

Published:

29 September 2014

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2014.1690 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1690
              Multiple vulnerabilities in IBM API Management
                             29 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM API Management
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Delete Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4263 CVE-2014-4244 

Reference:         ASB-2014.0102
                   ASB-2014.0077
                   ESB-2014.1688
                   ESB-2014.1655
                   ESB-2014.1647
                   ESB-2014.1645
                   ESB-2014.1624
                   ESB-2014.1598

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21685396

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM API Management

Document information

More support for:

IBM API Management

Software version:

2.0, 3.0

Operating system(s):

Platform Independent

Reference #:

1685396

Modified date:

2014-09-26

Security Bulletin

Summary

Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM API Management V2.0 and V3.0

Vulnerability Details

CVEID: CVE-2014-4263

DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4244

DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM API Management V2.0 and V3.0

Remediation/Fixes

Product			VRMF	APAR		Remediation/First Fix

IBM API Management	V3.0.0	LI78204		Apply fixpack V3.0.1.0
IBM API Management	V2.0.0	LI78204		Apply V2.0.0.2 cumulative interim fix 009

Workarounds and Mitigations
None

References
Complete CVSS Guide 
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog

Change History
26th September 2014: Initial version published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVCjwOxLndAQH1ShLAQK9+hAAt/gZ5xxQZHQZgupttW9vLQT9rV+ADxrs
IydzrrVdLpayGyGWMTqLT428qzwPiVCIUn8OmjoL6y25Amw6ikUoCj/op779z1FH
/feWtQ+/oe9acBcn6CgWyGepaz4ZEa5LHg59Mxcb0vrxsLgOt+Ki2wdrFpaVyVPu
5vYrSfmxcWBzEKtFJt6fmdEsyFsW7h/aTf+5Esr6N4TtgNAGAog7j+8SCGu8wHnp
Y0ia7a05SdXpIZ7fPeos4qMECvR036kwMmyC8T0kc8mcCq5EBtgkFnCK+Lbkclzp
lLIG3a+VnrxFDKGGsbb5x3YKjs2iG3THuLTmaYAkQ+fQdo0aPm04JknaGu5GFHIZ
fsDNngPHdNM9l+0WdtS/0w1LPzNRidE1IoKU0w3XhSzYh/rvzGUAqQ2biifprIS0
XIbDSj0aNjaHtcFZ5iA1gtElpYTwFhjMQ53H6VlKr+ERcbaQ+C8/ukijHwkAggDz
hA2W0+Zod/XVOU9xUwvF2mbUA0zTcAXHchTQzFeqZIZbVO8Nx0JFitLjBg1LR3z0
8BJdbali0Qv+fQG2D+5+Xp1pCw0owI3w6Pk1TCj9OOqMAsOLq7OyC7v4drGCStb5
BF12Z1SF+YetU1cjNZPkxJ4ZsKcfbaa2czYrg+Vt8CWp42sXYAAbmZiuFUb1mn9m
3n8EcOgsljM=
=AJhS
-----END PGP SIGNATURE-----