Security Bulletin: Security vulnerabilities in IBM SDK, Java™ Technology Edition (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420) affect SmartCloud Provisioning

Security Bulletin


Summary

Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition shipped with IBM SmartCloud Provisioning (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420).

IBM has released updates to the IBM SDK, Java™ Technology Edition that fix these vulnerabilities. The IBM SDK, Java™ Technology Edition shipped with SmartCloud Provisioning has been updated to Version 6 Fix Pack 16.

Notice: this product has reached software support discontinuance as per IBM Withdrawal Announcement 916-016.

Contact IBM Support for the latest updates about IBM Cloud Orchestrator.

Vulnerability Details

CVE ID: CVE-2014-0878
DESCRIPTION: A vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers could allow an attacker to predict the output of the random number generator under certain circumstances.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91084
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0460
DESCRIPTION: The JNDI DNS service provider has several implementation flaws that make spoofing DNS responses much easier.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92482
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0453
DESCRIPTION: An exception thrown by the Security component reveals information that an attacker could use in a Bleichenbacher attack against RSA.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92490
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-2420
DESCRIPTION: Security decisions about applets are cached based on a non-cryptographic hash of the URL. An attacker can exploit collisions in these hashes to apply a user's previous security decision to a malicious site.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92493
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
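
The collision-based cache aliasing described for CVE-2014-2420, as an added illustration that is not IBM's or the JDK's code. Because the bulletin does not say which hash the applet cache used, the example assumes the weak key is java.lang.String.hashCode() of the URL (reproduced here in Python); the hostnames and applet URL are constructed sample inputs, not real sites. The vulnerable cache keys decisions on that hash; the hardened cache keys them on the full URL, so no hash collision can make one site inherit another site's "always allow" decision.

```python
# Added illustration, not code from IBM or the JDK: a security-decision cache keyed on a
# non-cryptographic hash of the URL can be aliased by a colliding URL; the hardened form
# keys on the URL itself. Assumptions (not stated in the bulletin): the weak key is
# java.lang.String.hashCode() of the URL, and TRUSTED_URL / ATTACKER_PREFIX are
# constructed sample inputs, not real hosts.
from typing import Optional

M32 = 1 << 32


def java_string_hash(s: str) -> int:
    """Reproduce java.lang.String.hashCode(): h = 31*h + c (BMP chars), wrapped to signed 32-bit."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) % M32
    return h - M32 if h >= 1 << 31 else h


def colliding_suffix(target_hash: int, prefix: str, k: int = 9) -> Optional[str]:
    """Return k lowercase letters S with java_string_hash(prefix + S) == target_hash.

    hashCode() is linear: h(prefix + S) = h(prefix) * 31**k + h(S) (mod 2**32), so S only
    has to satisfy h(S) == need (mod 2**32). With code(c) = 97 + d and d in 0..25,
    h(S) = 97*W + sum(d_i * 31**i) where W = sum(31**i for i < k), so walk the values that
    are congruent to need and accept the first whose base-31 digits all stay inside a..z.
    """
    W = sum(31 ** i for i in range(k))
    need = (target_hash - java_string_hash(prefix) * pow(31, k, M32)) % M32
    for cand in range(need, 122 * W + 1, M32):
        v = cand - 97 * W
        if v < 0:
            continue
        digits = []
        for _ in range(k):
            v, d = divmod(v, 31)
            if d > 25:          # digit would fall outside a..z; try the next candidate
                break
            digits.append(d)
        else:
            if v == 0:
                return "".join(chr(97 + d) for d in reversed(digits))
    return None


class HashKeyedDecisionCache:
    """Vulnerable pattern: remembers the user's allow/deny decision per hash(url)."""

    def __init__(self) -> None:
        self._decisions: dict = {}

    def remember(self, url: str, allowed: bool) -> None:
        self._decisions[java_string_hash(url)] = allowed

    def lookup(self, url: str) -> Optional[bool]:
        return self._decisions.get(java_string_hash(url))


class UrlKeyedDecisionCache:
    """Hardened pattern: the full URL is the key (a SHA-256 of the canonical URL would do
    as well), so two distinct URLs can never share an entry."""

    def __init__(self) -> None:
        self._decisions: dict = {}

    def remember(self, url: str, allowed: bool) -> None:
        self._decisions[url] = allowed

    def lookup(self, url: str) -> Optional[bool]:
        return self._decisions.get(url)


TRUSTED_URL = "https://cdn.trusted.example/applet.jar"  # constructed sample input
ATTACKER_PREFIX = "https://evil.example/"               # constructed; attacker chooses the rest


def demo() -> dict:
    """Show the weak cache replaying the trusted decision for a colliding attacker URL."""
    suffix = colliding_suffix(java_string_hash(TRUSTED_URL), ATTACKER_PREFIX)
    if suffix is None:
        raise RuntimeError("no lowercase suffix found; lengthen k")
    evil_url = ATTACKER_PREFIX + suffix
    weak, hardened = HashKeyedDecisionCache(), UrlKeyedDecisionCache()
    weak.remember(TRUSTED_URL, True)      # the user once clicked "always allow" for the trusted applet
    hardened.remember(TRUSTED_URL, True)
    return {
        "evil_url": evil_url,
        "same_hash": java_string_hash(evil_url) == java_string_hash(TRUSTED_URL),
        "weak_cache_allows_evil": weak.lookup(evil_url),
        "hardened_cache_allows_evil": hardened.lookup(evil_url),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because String.hashCode() is linear in the character codes, the colliding suffix is solved for directly rather than brute-forced, which is why a 32-bit non-cryptographic key gives no meaningful protection here. The fix is not a "better" fast hash but a key that identifies the URL unambiguously: the canonical URL string itself, or a collision-resistant digest of it.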

Affected Products and Versions

SmartCloud Provisioning 1.2
SmartCloud Provisioning 2.1, including all fix packs up to FP4

Remediation/Fixes

The recommended solution is to apply the appropriate Interim Fix or Fix Pack from Fix Central as soon as practical.

SmartCloud Provisioning 2.1, including all fix packs up to FP4
Fix:
Upgrade to IBM SmartCloud Provisioning 2.1 Fix Pack 5

SmartCloud Provisioning 1.2
Contact IBM Support

Notice: this product has reached software support discontinuance as per IBM Withdrawal Announcement 916-016. See the References section for details and the replacement program.

Contact IBM Support for the latest updates about IBM Cloud Orchestrator.

Workarounds and Mitigations

None.

References

Complete CVSS v2 Guide
On-line Calculator v2
IBM SDK, Java™ Technology Edition Security Bulletin
IBM Withdrawal Announcement 916-016

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
IBM Cloud Orchestrator

Change History

4 August 2014: Original Copy published
26 May 2015: Updates about IBM Cloud Orchestrator
29 November 2016: Added Notice IBM Withdrawal Announcement 916-016

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM SmartCloud Provisioning
Security

Software version: 2.1, 2.1.0.1, 2.1.0.2, 2.1.0.3

Operating system(s): Platform Independent

Reference #: 1677387

Modified date: 06 August 2014