-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0734
 Security Bulletin: Man in the middle vulnerability CVE-2014-3603 affects
 Websphere Liberty and OpenLiberty used by MobileFirst Platform Foundation
                             28 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MobileFirst Platform Foundation
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3603  

Reference:         ESB-2020.0527
                   ESB-2020.0007
                   ESB-2019.4787
                   ESB-2019.4664

Original Bulletin: 
   https://www.ibm.com/support/pages/node/3605895

- --------------------------BEGIN INCLUDED TEXT--------------------

Man in the middle vulnerability CVE-2014-3603 affects Websphere Liberty and
OpenLiberty used by MobileFirst Platform Foundation

Security Bulletin

Document number: 3605895
Modified date: 27 February 2020 


Summary

IBM MobileFirst Platform Foundation has addressed the following
vulnerability: Man in the middle vulnerability CVE-2014-3603 affects Websphere
Liberty and OpenLiberty.

Vulnerability Details

CVEID: CVE-2014-3603
DESCRIPTION: Shibboleth Identity Provider (IdP) and OpenSAML Java could allow a
remote attacker to conduct spoofing attacks, because the TLS client fails to
verify that the server hostname matches a domain name in the subject's Common
Name (CN) or subjectAltName field of the X.509 certificate. A man-in-the-middle
attacker holding any valid certificate (issued for a different name) could
exploit this vulnerability to spoof SSL servers.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
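
The check whose absence the description above refers to is illustrated below.
This is an added example, not code from IBM, Shibboleth or OpenSAML: it works on
the certificate dictionary shape that Python's ssl.getpeercert() returns (the
certificates and hostnames embedded here are constructed samples), matches the
intended server name against dNSName subjectAltName entries first and falls
back to the subject CN only when no dNSName SAN is present, and shows how a
client that validates the chain but skips the name check (check_hostname=False)
accepts an attacker's otherwise valid certificate.

```python
"""Hostname verification against an X.509 peer certificate (added example)."""
import ssl


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName (or CN) against a hostname.

    Case-insensitive, trailing dots ignored, and a wildcard is honoured only as
    the entire leftmost label and only matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True only if `hostname` is named by the certificate.

    dNSName SAN entries are authoritative; the CN is consulted only when the
    certificate carries no dNSName SAN at all.
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_matches(value, hostname)
    return False


def accept_peer(cert: dict, intended_host: str, check_hostname: bool) -> bool:
    """Model the client's decision after chain validation has already passed.

    With check_hostname=False this reproduces the bulletin's weakness: any
    certificate that chains to a trusted CA is accepted regardless of its name.
    """
    if not check_hostname:
        return True
    return verify_hostname(cert, intended_host)


def make_context(check_hostname: bool) -> ssl.SSLContext:
    """Hardened (True) versus vulnerable (False) client-side TLS context.

    create_default_context() loads the system trust store and requires a valid
    chain; disabling check_hostname leaves the chain check in place but drops
    the name check, which is exactly the gap described in CVE-2014-3603.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname
    return ctx


# Constructed sample certificates in ssl.getpeercert() dict form.
LEGIT_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.example.org")),
}
ATTACKER_CERT = {  # valid for the attacker's own name, not for idp.example.org
    "subject": ((("countryName", "AU"),), (("commonName", "evil.example.net"),)),
    "subjectAltName": (("DNS", "evil.example.net"), ("DNS", "*.evil.example.net")),
}
CN_ONLY_CERT = {  # legacy certificate with no SAN extension
    "subject": ((("organizationName", "Example"),), (("commonName", "idp.example.org"),)),
}
CN_MATCH_SAN_MISMATCH_CERT = {  # CN looks right but SAN is authoritative
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}

if __name__ == "__main__":
    for label, check in (("vulnerable", False), ("hardened", True)):
        print(label, "client accepts attacker cert for idp.example.org:",
              accept_peer(ATTACKER_CERT, "idp.example.org", check))
```

A practitioner auditing a Java client for this class of bug looks for the same
thing: a chain check without a name check, e.g. a custom HostnameVerifier that
always returns true or an HTTP client socket factory configured without strict
hostname verification.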

Affected Products and Versions

+---------------------------------+-------------------------------------------+
|Affected Product(s)              |Version(s)                                 |
+---------------------------------+-------------------------------------------+
|IBM MobileFirst Platform         |7.1.0.0 - using the scripts (BYOL)         |
|Foundation                       |                                           |
+---------------------------------+-------------------------------------------+
|IBM MobileFirst Foundation       |8.0.0.0 - ICP, IKS or using the scripts    |
|                                 |(BYOL)                                     |
+---------------------------------+-------------------------------------------+

Remediation/Fixes

+----------------------+-------+----------------------------------------------+
|Product               |VRMF   |Remediation/First Fix                         |
+----------------------+-------+----------------------------------------------+
|IBM MobileFirst       |7.1.0.0|Download the iFix from IBM MobileFirst        |
|Platform Foundation   |       |Platform Foundation on FixCentral             |
+----------------------+-------+----------------------------------------------+
|IBM MobileFirst       |8.0.0.0|Download the iFix from IBM MobileFirst        |
|Platform Foundation   |       |Platform Foundation on FixCentral             |
+----------------------+-------+----------------------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----