Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.0413
Multiple vulnerabilities in current releases of the IBM SDK,
Java Technology Edition
20 February 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM SDK, Java Technology Edition
Publisher: IBM
Operating System: AIX
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-0412 CVE-2015-0410 CVE-2015-0408
CVE-2015-0407 CVE-2015-0406 CVE-2015-0403
CVE-2015-0400 CVE-2014-8891 CVE-2014-6593
CVE-2014-6591 CVE-2014-6587 CVE-2014-6585
CVE-2014-6549 CVE-2014-3566
Reference: ASB-2015.0009
ASB-2014.0122
Original Bulletin:
http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
IBM SECURITY ADVISORY
First Issued: Thu Feb 19 10:53:54 CST 2015
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Multiple vulnerabilities in current releases of the IBM SDK,
Java Technology Edition; issues disclosed in the Oracle Feburary
2015 Critical Patch Update vulnerability and two additional
vulnerability.
PLATFORMS: AIX 5.3, 6.1 and 7.1.
VIOS 2.2.x
SOLUTION: Apply the fix as described below.
THREAT: Varies threats described below.
CVE Numbers: CVE-2014-6549 CVSS=10, CVE-2015-0408 CVSS=10, CVE-2015-0412 CVSS=10,
CVE-2015-0403 CVSS=6.9, CVE-2015-0406 CVSS=5.8, CVE-2015-0410 VCSS=5,
CVE-2015-0407 CVSS=5, CVE-2015-0400 CVSS=5, CVE-2014-3566 CVSS=4.3
CVE-2014-6587 CVSS=4.3, CVE-2014-6593 CVSS=4, CVE-2014-6591 CVSS=2.6,
CVE-2014-6585 CVSS=2.6, CVE-2014-8891 CVSS=6.8
Reboot required? NO
Workarounds? NO
===============================================================================
DETAILED INFORMATION
I. DESCRIPTION
This bulletin covers all applicable IBM Java SDK CVEs published by Oracle as part
of their February 2015 Critical Patch Update. For more information please refer to
Oracles's February 2015 CPU Advisory and the X-Force database entries referenced
below.
II. CVSS
CVEID: CVE-2014-6549
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0408
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0412
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0403
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0406
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVEID: CVE-2015-0410
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0407
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-0400
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-3566
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-6587
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)
CVEID: CVE-2014-6593
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-6591
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Specific to IBM Java CVE(s):
CVEID: CVE-2014-6585
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-8891
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
III. PLATFORM VULNERABILITY ASSESSMENT
The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java5: Less than 5.0.0.590
For Java6: Less than 6.0.0.470
For Java7: Less than 7.0.0.195
For Java7 Release 1: Less than 7.1.0.75
Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in AIX user's guide.
Example: lslpp -L | grep -i java
IV. FIXES
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x
REMEDIATION:
IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK
To learn more about AIX support levels and Java service releases, see the following:
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
V. WORKAROUNDS
None
VI. CONTACT US
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via security-alert@austin.ibm.com you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
VII. REFERENCES:
Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2014-6549: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549
CVE-2015-0408: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408
CVE-2015-0412: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412
CVE-2015-0403: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403
CVE-2015-0406: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406
CVE-2015-0410: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410
CVE-2015-0407: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407
CVE-2015-0400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400
CVE-2014-3566: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
CVE-2014-6587: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587
CVE-2014-6593: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
CVE-2014-6591: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591
CVE-2014-6585: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585
CVE-2014-8891: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVOanKxLndAQH1ShLAQIyHg/8CSpNYb7t9pv/sgwgTqjRNoONxV2Xr3rI
J3rlQ3l9dbbT7xKuhOLMGPwZO4B6CvMP89pzbxpWr4mQKXU+5iU6rQa88c/dH4k+
MUQTAxqkUjRuJbQbzOUnUtj4jNT4M3XFJu00udAaszhkrdXoLnYdBphReRFPDc6f
9OcEs6jJiJWnJHnnvq+/HIcKsMYnm94Up50RbgDPQjvSkEysD5wzXrR4rV8XBjvb
WHBP6nGdZtDiSp/XJ+z5JDHQftLq/TJzafiir0c5ZhJ45pcEvf/Wb+Zz9OOnRPZT
iT0HRc5U1rYC8p7W8l8/L5+Y1Gedx/g0Kyo22xJSpDHElP2Q+pyW4WclJ4SoaGDQ
6H5xnFsSSnWQxdzzHdI7dJy+XwginLQN4x+xXoxoD+W6rohIC1obTTvhMerKzi/K
Dt1aGBDH80q0KFtyC8uonTq1vTGDnPIcaar/9xqYUFXdNcO1Joe4OqKxeLlDLO4/
hjGkObBUVfrNE531S3xR08pacstp+z+n/DCAiAQ1HdPvMkgKR8QUaGP3SQyyfy81
OdRhS3aiI8Dp9LdXW1zItjBmc96KZ1O2zw32RMtPoqTGvVSCpJOR5jivHlTIAFjN
blRMN/4kuLrULEHJXz6ixdev10DFTtNita7mt9UJnFw2PrjY1pVEnpIYZTE3KuiZ
Uqe0AaoH8Gw=
=fItL
-----END PGP SIGNATURE-----