Security Bulletin
Summary
Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition shipped with IBM SmartCloud Provisioning (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420).
IBM SDK, Java™ Technology Edition has released patch updates that fix these security vulnerabilities. The IBM SDK, Java™ Technology Edition shipped with SmartCloud Provisioning has been updated to IBM SDK, Java™ Technology Edition Version 6 Fix Pack 16.
Notice: this product has reached software support discontinuance as per IBM Withdrawal Announcement 916-016.
Contact IBM Support for latest updates about IBM Cloud Orchestrator.
Vulnerability Details
CVE ID: CVE-2014-0878
DESCRIPTION: A vulnerability exists in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers. This flaw potentially allows an attacker to predict the output of the random number generator under certain circumstances.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91084
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE ID: CVE-2014-0460
DESCRIPTION: The JNDI DNS service provider has several implementation flaws that make spoofing DNS responses much easier.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92482
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE ID: CVE-2014-0453
DESCRIPTION: An exception thrown by the Security component reveals information that an attacker could use to break RSA keys via a Bleichenbacher attack.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92490
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVE ID: CVE-2014-2420
DESCRIPTION: Security decisions about applets are cached based on a non-cryptographic hash of the URL. An attacker can exploit collisions in these hashes to apply a user's previous security decision to a malicious site.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92493
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
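To make the last description concrete, the following added example (not part of this bulletin and not IBM's code) models a decision cache keyed by a 32-bit non-cryptographic string hash beside one keyed by the canonical origin compared by equality. Java's String.hashCode formula, the DecisionCache class and the two sample URLs are assumptions standing in for the JRE internals, which the bulletin does not describe.

```python
from urllib.parse import urlsplit


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def canonical_origin(url: str) -> str:
    """Scheme, lower-cased host and explicit port: the key the hardened cache uses."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


class DecisionCache:
    """Hypothetical cache of the user's allow/deny answer per applet source.
    key_fn identifies a source: a 32-bit hash (weak) or the canonical origin (hardened)."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._decisions = {}

    def remember(self, url: str, allowed: bool) -> None:
        self._decisions[self._key_fn(url)] = allowed

    def lookup(self, url: str):
        return self._decisions.get(self._key_fn(url))  # None if never decided


# Constructed sample URLs: "Aa" and "BB" hash identically under the formula above,
# and swapping one for the other at the same position keeps the whole hash equal.
TRUSTED_URL = "https://Aa.example/applet.jar"
COLLIDING_URL = "https://BB.example/applet.jar"


def demo() -> dict:
    """Record 'allow' for TRUSTED_URL in both caches, then look up the colliding URL."""
    weak = DecisionCache(java_string_hash)
    hardened = DecisionCache(canonical_origin)
    weak.remember(TRUSTED_URL, True)
    hardened.remember(TRUSTED_URL, True)
    return {
        "hashes_collide": java_string_hash(TRUSTED_URL) == java_string_hash(COLLIDING_URL),
        "weak_cache_reuses_decision": weak.lookup(COLLIDING_URL),          # True
        "hardened_cache_reuses_decision": hardened.lookup(COLLIDING_URL),  # None
    }
```

The weak cache hands the earlier "allow" to a different host whose URL merely shares the hash; keying on the full origin and comparing by equality is the mitigation the fix direction implies.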
Affected Products and Versions
SmartCloud Provisioning 1.2
SmartCloud Provisioning 2.1
SmartCloud Provisioning 2.1 including all fix packs up to FP4
Remediation/Fixes
The recommended solution is to apply the appropriate Interim Fix or Fix Pack from Fix Central as soon as practical.
SmartCloud Provisioning 2.1, 2.1 including all fix packs up to FP4
Fix:
Upgrade to IBM SmartCloud Provisioning 2.1 FixPack 5
SmartCloud Provisioning 1.2
Contact IBM Support
Notice: this product has reached software support discontinuance as per IBM Withdrawal Announcement 916-016. See the Reference section for information and the Replacement Program.
Contact IBM Support for latest updates about IBM Cloud Orchestrator.
Workarounds and Mitigations
None.
References
IBM Withdrawal Announcement 916-016
Change History
4 August 2014: Original Copy published
26 May 2015: Updates about IBM Cloud Orchestrator
29 November 2016: Added Notice IBM Withdrawal Announcement 916-016
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg21677387