Security Bulletin: IBM Lotus Expeditor fixes for multiple vulnerabilities in IBM JRE

Summary

IBM Lotus Expeditor ships with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released its April 2014 Critical Patch Update (CPU), which contains security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes.

Vulnerability Details

CVEID: CVE-2014-0457
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the Libraries component.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-2421
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the 2D component.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92462 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0429
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the 2D component.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0461
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the Libraries component.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92467 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0446
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to the Libraries component.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92477 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-0460
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality and integrity via unknown vectors related to the JNDI component.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92482 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2013-6954
DESCRIPTION: A vulnerability allows remote attackers to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-6629
DESCRIPTION: A vulnerability allows remote attackers to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88783 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-2401
DESCRIPTION: A vulnerability allows remote attackers to affect confidentiality via unknown vectors related to the 2D component.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92485 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-2398
DESCRIPTION: A vulnerability allows remote attackers to affect integrity via unknown vectors related to the Javadoc component.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92491 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2014-1876
DESCRIPTION: A vulnerability allows remote attackers to affect integrity and availability via unknown vectors related to the Libraries component.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92492 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:P)

CVEID: CVE-2014-0878
DESCRIPTION: A vulnerability allows remote attackers to predict the output of the random number generator under certain circumstances.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

The following CVEs are addressed in the SDK, but IBM Lotus Expeditor is not vulnerable to them. You will need to evaluate your own code to determine whether you are vulnerable. Refer to the References section for more information on the advisories not applicable to IBM Lotus Expeditor:

CVE-2014-0456
CVE-2014-2397
CVE-2014-0432
CVE-2014-0455
CVE-2014-0448
CVE-2014-0454
CVE-2014-2402
CVE-2014-2403
CVE-2014-0464
CVE-2014-0463
CVE-2014-2413
CVE-2014-0459
CVE-2014-2428
CVE-2014-0452
CVE-2014-0451
CVE-2014-2423
CVE-2014-2427
CVE-2014-0458
CVE-2014-2414
CVE-2014-2412
CVE-2014-2409
CVE-2014-0449
CVE-2014-2420
CVE-2014-0453

Affected Products and Versions

IBM Lotus Expeditor 6.2.x

Remediation/Fixes

A fix for the issue is introduced in the following releases.


-- Interim Fix 1 for IBM Lotus Expeditor 6.2.3
Fix Central ID / File name & download link: XPD-6.2.3.0-Client-IFix4

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.2
Fix Central ID / File name & download link: XPD-6.2.2.0-Client-IFix4

-- Interim Fix 1 for IBM Lotus Expeditor 6.2.1
Fix Central ID / File name & download link: XPD-6.2.1.0-Client-IFix4

Workarounds and Mitigations

None

References

Related information

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Lotus Expeditor, Client for Desktop
Software version: 6.2.1, 6.2.2, 6.2.3
Operating system(s): Linux, Windows
Reference #: 1676746
Modified date: 2014-06-25