Security Bulletin
Summary
Potential security exposure when using Java™ based applications due to vulnerabilities in Java Software Developer Kits. See Vulnerability Details for CVE IDs.
Vulnerability Details
Tivoli Network Manager is shipped with an IBM SDK Java Technology Edition that is based on the Oracle JDK. Oracle has released January 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK Java Technology Edition has been updated to incorporate these fixes.
Unspecified vulnerability in Java SE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Affected Products and Versions
- The 3.8.x versions of Tivoli Network Manager bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6.
- The 3.9.x and 4.1 versions of Tivoli Network Manager bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 7.
Remediation/Fixes
Upgrade your SDK to an interim fix level as determined below:
- Update Tivoli Integration Portal to the latest Tivoli Network Manager supported fixpack level.
- Download and apply the interim fix APARs below for IBM WebSphere Application Server:
  - For 3.8.x, IBM WebSphere Application Server version 6.1.0.0 through 6.1.0.47:
    - Contact IBM Support and apply Interim Fix PI08999: Will upgrade you to SDK 5 SR16 FP1
  - For 3.9.x and 4.1, IBM WebSphere Application Server version 7.0.0.0 through 7.0.0.31, download and apply the interim fix APARs below:
    - Apply Interim Fix PI08996: Will upgrade you to SDK 6 SR15 FP1
    - --OR--
    - Apply the IBM SDK Java Technology Edition shipped with WebSphere Application Server Fix pack 33 (7.0.0.33) or later (targeted to be available 23 June 2014).
Workarounds and Mitigations
None
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg21666387