Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2315
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational
Developer for i, Rational Developer for AIX and Linux, Rational Developer
for Power Systems Software (CVE-2014-4263, CVE-2014-3566,
CVE-2014-3065, CVE-2014-6457)
8 December 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational Developer
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-6457 CVE-2014-4263 CVE-2014-3566
CVE-2014-3065
Reference: ASB-2014.0134
ASB-2014.0131
ASB-2014.0123
ASB-2014.0122
ASB-2014.0121
ESB-2014.1185
ESB-2014.1175
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21691926
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational
Developer for i, Rational Developer for AIX and Linux, Rational Developer
for Power Systems Software (CVE-2014-4263, CVE-2014-3566, CVE-2014-3065,
CVE-2014-6457)
Document information
More support for:
Rational Developer for i
General Information+
Software version:
9.0, 9.0.0.1, 9.0.1, 9.1
Operating system(s):
Linux, Windows
Software edition:
Modernization Tools- EGL Edition, Modernization Tools- Java Edition,
RPG and COBOL Tools
Reference #:
1691926
Modified date:
2014-12-05
Security Bulletin
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Versions 6, and 7 that are used by Rational Developer for i, Rational
Developer for AIX and Linux, Rational Developer for Power Systems
Software. This also includes a fix for the Padding Oracle On Downgraded
Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These
were disclosed as part of the IBM Java SDK updates in July and October
2014 and are included in the October update.
Vulnerability Details
CVEID: CVE-2014-4263
Description: An unspecified vulnerability related to the Security component
has partial confidentiality impact, partial integrity impact, and no
availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive
information, caused by a design error when using the SSLv3 protocol. A
remote user with the ability to conduct a man-in-the-middle attack could
exploit this vulnerability via a POODLE (Padding Oracle On Downgraded
Legacy Encryption) attack to decrypt SSL sessions and access the plaintext
of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3065
Description: IBM Java SDK contains a vulnerability in which the default
configuration for the shared classes feature potentially allows arbitrary
code to be injected into the shared classes cache, which may subsequently
be executed by other local users.
CVSS Base Score: 6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93629 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
CVEID: CVE-2014-6457
Description: An unspecified vulnerability related to the JSSE component
has partial confidentiality impact, partial integrity impact, and no
availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Affected Products and Versions
Product Name Versions Affected
Rational Developer for Power Systems Software 7.6, 7.6.0.1, 7.6.0.2,
8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3,
8.0.3, 8.0.3.1, 8.5, 8.5.1
Rational Developer for i 9.0, 9.0.0.1, 9.0.1, 9.1
Rational Developer for AIX and Linux, AIX COBOL 9.0, 9.0.0.1, 9.0.1, 9.1
Edition
Rational Developer for AIX and Linux, C/C++ 9.0, 9.0.0.1, 9.0.1, 9.1
Edition
Remediation/Fixes
Update the Java Development Kit of the product to address this vulnerability:
Product VRMF Remediation/First Fix
Rational Developer for Power 7.6 through 8.5.1
Systems Software
For all versions, apply IBM Java Quarterly Critical Patch Update -
October 2014 - RD Power
Rational Developer for i 9.0 through to 9.1
For all versions, update the currently installed product using
Installation Manager. For instructions on installing this update using
Installation Manager, review the topic Updating Installed Product
Packages in the IBM Knowledge Center.
Or, you can optionally download the update manually and apply IBM Java
Quarterly Critical Patch Update - October 2014 - RDi
Rational Developer for AIX and Linux 9.0 through to 9.1
For all client versions, update the currently installed product using
Installation Manager. For instructions on installing this update using
Installation Manager, review the topic Updating Installed Product
Packages in the IBM Knowledge Center.
For server updates or to manually download and apply the client updates
see IBM Java Quarterly Critical Patch Update - October 2014 - RDAL
Workarounds and Mitigations
None
References
Complete CVSS Guide
On-line Calculator V2
Security Bulletin: Multiple vulnerabilities in current releases of the
IBM SDK, JavaTM Technology Edition
Java SE issues disclosed in the Oracle July 2014 Critical Patch Update,
plus 2 additional vulnerabilities
Security Bulletin: Multiple vulnerabilities in current releases of the
IBM SDK, JavaTM Technology Edition
Java SE issues disclosed in the Oracle October 2014 Critical Patch
Update, plus the POODLE SSLv3 vulnerability and one additional
vulnerability
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
* 05 December 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational Developer for General AIX, Linux, 9.0, 9.0.0.1, AIXCOBOL Edition, C/C++ Edition
AIX and Linux Information Windows 9.0.1, 9.1
Software Development Rational Developer for General Linux, Windows 9.0, 9.0.0.1, RPG and COBOL Tools, Modernization Tools-
i Information 9.0.1, 9.1 Java Edition, Modernization Tools- EGL Edition
Software Development Rational Developer for Windows, Linux 7.6, 7.6.0.1, All Editions
Power Systems Software 7.6.0.2, 8.0,
8.0.0.1,
8.0.0.2,
8.0.0.3, 8.0.3,
8.0.3.1, 8.5,
8.5.1
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVIT7qBLndAQH1ShLAQKE6Q/9GqROU1Kd9b5uicIo2VI6mRZ2AR1gZA6I
O/ss3r3q0Af+Z7vxn20/fVmvm2htum9yxkuVuuYnLSgZQVF1bVoIhUyFcVzh42PQ
hfM8Wc3gv4ayZFxam45NW4DnGJ3hLc+a0SdGTWzYmaQXwGbJ9NFxeHx0QUcqI9T0
gwqYj0rjIcEJ3XtPrIhB78/whVxzF0PO/SXN6TTlpzblDonhgVWHnNy2BlLLlcBQ
mcuMZHZZDsjFpeF/jFvC/0QzMqE64dIgCtTnHTlxTuwbfkfo7LsE9sTcO4VO8h0K
5eJeghdl8/aWJheF+SK5xGNayGlTFrrgaD7l+hXgVLWJooKKWbQ/NJGZk6rSL495
kb+JJmRETBAxHUVra4nJnPXfGcxWBgOb9BGUXGdDfJafOi2nMXWfBoLYgg298V9z
KjGR4KCRwzNeJLBcfvrpX9ov4DzHYHDzAz3vyIEKeH6+eFemvjlf+pCOFk7LkmqU
OP7D5+fhv17jpD02PS/bKTorh/9M5eTmaIcpkgoOlCrMCHAxuzelK65FiwqH+CN2
hNarHGNOaDewiPmwlFW0vjTYOT7SSbdAgNaTlxOxpmju8Sghz/vBe1xdItYbVGs9
jG3LcdJyEEJus0jTG5GB6LMiTdJnBMAIfwtUSBKGgwnC5K42rC3Ck4O4v8Q9QYWn
qOqq/cpzV6A=
=kdJ/
-----END PGP SIGNATURE-----