IBM Support

IBM WebSphere Cast Iron Security Bulletin: Security vulnerability in IBM JRE 6 and IBM JRE 7

Flash (Alert)


Abstract

A security vulnerability exists in the IBM Java Runtime Environment component of WebSphere Cast Iron in IBM JRE 6.0 SR15 FP1 (and earlier) and IBM JRE 7.0 SR6 FP1 (and earlier).

Content

VULNERABILITY DETAILS
There is a security vulnerability in the IBM Java Runtime Environment used in WebSphere Cast Iron.

CVEID: CVE-2014-0453


DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92490 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)


*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

AFFECTED PLATFORMS:
IBM WebSphere Cast Iron v6.0, v6.1, v6.3, v6.4 and v7.0 Studio, Virtual Appliance and Physical Appliance
IBM WebSphere Cast Iron v6.3 and v7.0 Live SaaS offering.

WORKAROUND:
None available; apply the fix detailed below.

REMEDIATION:
Apply the fix detailed below.

FIX:
For WebSphere Cast Iron version v6.0:
Install the v6.0.0.6 interim fix or upgrade to v6.1.0.15/v6.3.0.2/v6.4.0.1 by applying the relevant interim fix.

For WebSphere Cast Iron version v6.1 *:
Install the v6.1.0.15 interim fix or upgrade to v6.3.0.2/v6.4.0.1/v7.0.0.1 by applying the relevant interim fix.

For IBM WebSphere Cast Iron v6.3 *:
Install the v6.3.0.2 interim fix or upgrade to v6.4.0.1/v7.0.0.1 by applying the relevant interim fix.

For IBM WebSphere Cast Iron v6.4 *:
Install the v6.4.0.1 interim fix or upgrade to v7.0.0.1 by applying the relevant interim fix.

For IBM WebSphere Cast Iron v7.0:
Install the v7.0.0.1 interim fix.

* Upgrade to v7 should not be attempted on v6.1, v6.3, v6.4 virtual appliance if the appliance was originally a fresh install of v6.0 and later upgraded to a higher version. Please refer to this link.

The WebSphere Cast Iron V6.0 interim fix can be obtained via this link
The WebSphere Cast Iron V6.1 interim fix can be obtained via this link
The WebSphere Cast Iron V6.3 interim fix can be obtained via this link
The WebSphere Cast Iron V6.4 interim fix can be obtained via this link
The WebSphere Cast Iron V7.0 interim fix can be obtained via this link

SaaS offering (WebSphere Cast Iron Live v6.3):
The WebSphere Cast Iron V6.3 SaaS offering is scheduled to be updated during Aug 2014's maintenance window to address the IBM Java Security Vulnerability.

SaaS offering (WebSphere Cast Iron Live v7.0):
The WebSphere Cast Iron V7.0 SaaS offering is scheduled to be updated during Aug 2014's maintenance window to address the IBM Java Security Vulnerability.

APAR LI78037 is targeted for availability in IBM WebSphere Cast Iron v6.0.0.7, v6.1.0.16, v6.3.0.3, v6.4.0.2 and v7.0.0.2

MITIGATION:
None known

REFERENCES:
Complete CVSS Guide (http://www.first.org/cvss/v2/guide)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

CVE-2014-0453 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453)

CHANGE HISTORY:
<2014/08/07>: Original Copy Published

Document information

More support for: WebSphere Cast Iron Cloud integration

Software version: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.6, 6.1.0.7, 6.1.0.8, 6.1.0.9, 6.1.0.10, 6.1.0.12, 6.1.0.15, 6.2, 6.3, 6.3.0.1, 6.3.0.2, 6.4.0.0, 6.4.0.1, 7.0.0, 7.0.0.1

Operating system(s): Firmware

Software edition: Cloud, Physical, Virtual

Reference #: 1681047

Modified date: 16 May 2017