IBM Support

Security Bulletin: Potential security vulnerabilities in current IBM SDK Java Technology Edition for IBM Tivoli Network Manager January 2014 CPU


Summary

Potential security exposure when using Java™ based applications due to vulnerabilities in Java Software Developer Kits. See Vulnerability Details for CVE IDs.

Vulnerability Details

Tivoli Network Manager is shipped with an IBM SDK Java Technology Edition that is based on the Oracle JDK. Oracle has released January 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK Java Technology Edition has been updated to incorporate these fixes.

Unspecified vulnerability in Java SE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

  • The 3.8.x versions of Tivoli Network Manager bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
  • The 3.9.x and 4.1 versions of Tivoli Network Manager bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7.

Remediation/Fixes

Upgrade your SDK to an interim fix level as determined below:

  1. Update Tivoli Integration Portal to the latest Tivoli Network Manager supported fixpack level.
  2. Download and apply the interim fix APARs below for IBM WebSphere Application Server:
     https://www-304.ibm.com/support/docview.wss?uid=swg21663938
     • For 3.8.x, IBM WebSphere Application Server version 6.1.0.0 through 6.1.0.47:
         • Contact IBM Support and apply Interim Fix PI08999: Will upgrade you to SDK 5 SR16 FP1
     • For 3.9.x and 4.1, IBM WebSphere Application Server version 7.0.0.0 through 7.0.0.31, download and apply the interim fix APARs below:
         • Apply Interim Fix PI08996: Will upgrade you to SDK 6 SR15 FP1
         • --OR--
         • Apply the IBM SDK Java Technology Edition shipped with WebSphere Application Server Fix pack 33 (7.0.0.33) or later (targeted to be available 23 June 2014).
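
One way to confirm that the bundled SDK has reached the levels named above, as an added example that is not part of IBM's bulletin: it parses `java -version` output and compares the service refresh and fix pack against SDK 5 SR16 FP1 and SDK 6 SR15 FP1. It assumes the banner carries an "(SRn FPm)" marker; the function names and the sample banners are constructed for illustration.

```python
import re
import subprocess
import sys

# Minimum fixed levels from the Remediation section above, keyed by SDK
# major version: (service refresh, fix pack).
FIXED_LEVEL = {5: (16, 1), 6: (15, 1)}

VERSION_RE = re.compile(r'java version "1\.(\d+)')
# Assumed banner marker, e.g. "(SR15 FP1)" or "(SR15)"; a missing FP means FP0.
LEVEL_RE = re.compile(r"\(SR(\d+)(?:\s+FP(\d+))?")


def parse_sdk_level(banner):
    """Return (major, sr, fp) parsed from `java -version` text, or None."""
    ver = VERSION_RE.search(banner)
    lvl = LEVEL_RE.search(banner)
    if not ver or not lvl:
        return None  # unrecognised banner, or a build with no SR marker
    return int(ver.group(1)), int(lvl.group(1)), int(lvl.group(2) or 0)


def is_fixed(banner):
    """True/False when the level can be judged, None when it needs manual review."""
    parsed = parse_sdk_level(banner)
    if parsed is None or parsed[0] not in FIXED_LEVEL:
        return None  # the bulletin names no fix level for this SDK version
    major, sr, fp = parsed
    return (sr, fp) >= FIXED_LEVEL[major]


# Constructed sample banners (not captured from a real system).
SAMPLE_OLD = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr14-20130705_01(SR14))
'''
SAMPLE_FIXED = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr15fp1-20140110_01(SR15 FP1))
'''

if __name__ == "__main__":
    # Usage: python check_sdk.py /path/to/bundled/java  (path is site-specific)
    java = sys.argv[1] if len(sys.argv) > 1 else "java"
    out = subprocess.run([java, "-version"], capture_output=True, text=True)
    banner = out.stderr + out.stdout  # `java -version` writes to stderr
    verdict = {True: "AT FIX LEVEL", False: "BELOW FIX LEVEL", None: "UNKNOWN, review"}
    print(parse_sdk_level(banner), verdict[is_fixed(banner)])
    sys.exit(0 if is_fixed(banner) else 1)
```

Run it against the Java executable bundled with the WebSphere Application Server installation rather than the system default, since several JREs may be present on the same host.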

Workarounds and Mitigations

None

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 17 June 2018

UID: swg21666387