Security Bulletin
Summary
Multiple security vulnerabilities exist in the IBM Java™ Runtime Environment component of WebSphere Message Broker for IBM JRE 6 SR16 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR7 (and earlier). These issues were disclosed as part of the IBM Java SDK updates in July 2014.
Vulnerability Details
The IBM Integration Bus and WebSphere Message Broker are shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released critical patch updates which contain security vulnerability fixes and the IBM SDK for Java has been updated to incorporate those updates.
Vulnerabilities affecting WebSphere Message Broker/IBM Integration Bus
The vulnerability that affects IBM Integration Bus and WebSphere Message Broker is CVE-2014-4263.
CVEID: CVE-2014-4263
DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94606 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
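As an added worked example (not part of IBM's bulletin), the following Python reproduces the base score of 4 from the CVSS vector above using the CVSS v2 base-score formula. The metric weights and the 1.176 impact factor are the published CVSS v2 constants; the vector string parsed is the one quoted in the bulletin.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
ACCESS_COMPLEXITY = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
AUTHENTICATION = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
IMPACT = {"N": Decimal("0.0"), "P": Decimal("0.275"), "C": Decimal("0.660")}

# The vector exactly as it appears in this bulletin for CVE-2014-4263.
BULLETIN_VECTOR = "(AV:N/AC:H/Au:N/C:P/I:P/A:N)"


def parse_cvss2_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:H/Au:N/C:P/I:P/A:N'.

    Surrounding parentheses (as IBM bulletins print them) are tolerated.
    Raises ValueError if a metric is malformed or a base metric is missing.
    """
    vector = vector.strip().strip("()")
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric: {part!r}")
        metrics[name] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def _round1(value: Decimal) -> float:
    # CVSS v2 rounds to one decimal place, half up (not banker's rounding).
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_scores(vector: str) -> dict:
    """Return the CVSS v2 impact, exploitability and base scores for a vector."""
    m = parse_cvss2_vector(vector)

    # Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
    impact = Decimal("10.41") * (
        1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    )
    # Exploitability = 20 * AccessVector * AccessComplexity * Authentication
    exploitability = (
        Decimal("20") * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    if impact == 0:
        base = Decimal("0.0")
    else:
        base = (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * Decimal("1.176")

    return {
        "impact": _round1(impact),
        "exploitability": _round1(exploitability),
        "base": _round1(base),
    }


def cvss2_base_score(vector: str) -> float:
    """Convenience wrapper returning only the rounded base score."""
    return cvss2_scores(vector)["base"]


if __name__ == "__main__":
    scores = cvss2_scores(BULLETIN_VECTOR)
    print(f"{BULLETIN_VECTOR}: impact={scores['impact']} "
          f"exploitability={scores['exploitability']} base={scores['base']}")
```

For the bulletin's vector the network access vector (1.0) is offset by high access complexity (0.35), and partial confidentiality and integrity impacts give an impact subscore of roughly 4.9, which the formula combines into a base score of 4.0. The temporal and environmental scores referenced in the bulletin apply further multipliers on top of this value and are not computed here.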
Vulnerabilities included in the IBM SDK
The following is the full list of vulnerabilities included in the IBM SDK. You will need to evaluate your own code to determine whether you are vulnerable. Please refer to the References section for more information on these advisories.
CVE IDs:
The vulnerabilities that are applicable to both IBM JRE 6.0 and IBM JRE 7.0 are:
CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, CVE-2014-4265, CVE-2014-4263, CVE-2014-4244, CVE-2014-3086
The vulnerabilities that are applicable only to IBM JRE 7.0 are:
CVE-2014-4220, CVE-2014-4266, CVE-2014-4221, CVE-2014-4208
Affected Products and Versions
WebSphere Message Broker V7.0 and V8.0 & IBM Integration Bus V9.0 are affected on all platforms except IBM z/OS.
Remediation/Fixes
For WebSphere Message Broker V7.0 and V8.0 an interim fix for APAR IT03753 is available from IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT03753
APAR IT03753 is targeted for availability in WebSphere Message Broker V7.0.0.8 and V8.0.0.6.
For IBM Integration Bus V9.0 an interim fix for APAR IT03751 is available from IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT03751
APAR IT03751 is targeted for availability in IBM Integration Bus V9.0.0.3 for all platforms except HP. The fix for the HP platform is targeted for availability in IBM Integration Bus V9.0.0.4.
Workarounds and Mitigations
None known
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
23 September 2014: Original Copy Published
15 October 2014: Information on CVEs that impact WMB/IIB
24 July 2015: Revised expiration date
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Product Synonym
WMB, IIB
Document Information
Modified date:
23 March 2020
UID
swg21682567