IBM SECURITY ADVISORY

First Issued: Thu Jun 19 09:10:49 CDT 2014

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_apr2014_advisory.asc

===============================================================================

VULNERABILITY SUMMARY

VULNERABILITY:  Multiple vulnerabilities in current releases of the IBM® SDK,
                Java Technology Edition.

PLATFORMS:      AIX 5.3, 6.1 and 7.1.
                VIOS 2.2.x

SOLUTION:       Apply the fix as described below.

THREAT:         Varies; the threats are described below.

CVE Numbers:    CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0461,
                CVE-2014-0455, CVE-2014-2428, CVE-2014-0448, CVE-2014-0454,
                CVE-2014-0446, CVE-2014-0452, CVE-2014-0451, CVE-2014-2402,
                CVE-2014-2423, CVE-2014-2427, CVE-2014-0458, CVE-2014-2414,
                CVE-2014-2412, CVE-2014-2409, CVE-2014-0460, CVE-2013-6954,
                CVE-2013-6629, CVE-2014-2401, CVE-2014-0449, CVE-2014-0459,
                CVE-2014-0453, CVE-2014-2398, CVE-2014-1876, CVE-2014-2420,
                CVE-2014-0878

Reboot required?  NO
Workarounds?      NO

===============================================================================

DETAILED INFORMATION

I. DESCRIPTION

This bulletin covers all applicable Java SE CVEs published by Oracle as part
of their April 2014 Critical Patch Update. For more information please refer
to Oracle's April 2014 CPU Advisory and the X-Force database entries
referenced below.

II. CVSS
The CVSS Environmental Score* is Undefined for every CVE below. The CVSS
Temporal Score is maintained at the X-Force entry linked in the last column
(see that page for the current score).

CVEID          Base Score  CVSS Vector                   CVSS Temporal Score (X-Force entry)
CVE-2014-0457  10          (AV:N/AC:L/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92460
CVE-2014-2421  10          (AV:N/AC:L/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92462
CVE-2014-0429  10          (AV:N/AC:L/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92459
CVE-2014-0461  9.3         (AV:N/AC:M/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92467
CVE-2014-0455  9.3         (AV:N/AC:M/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92466
CVE-2014-2428  7.6         (AV:N/AC:H/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92469
CVE-2014-0448  7.6         (AV:N/AC:H/Au:N/C:C/I:C/A:C)  http://xforce.iss.net/xforce/xfdb/92468
CVE-2014-0454  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92478
CVE-2014-0446  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92477
CVE-2014-0452  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92474
CVE-2014-0451  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92471
CVE-2014-2402  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92476
CVE-2014-2423  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92473
CVE-2014-2427  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92479
CVE-2014-0458  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92472
CVE-2014-2414  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92475
CVE-2014-2412  7.5         (AV:N/AC:L/Au:N/C:P/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92470
CVE-2014-2409  6.4         (AV:N/AC:L/Au:N/C:P/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/92481
CVE-2014-0460  5.8         (AV:N/AC:M/Au:N/C:P/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/92482
CVE-2013-6954  5           (AV:N/AC:L/Au:N/C:N/I:N/A:P)  http://xforce.iss.net/xforce/xfdb/89917
CVE-2013-6629  5           (AV:N/AC:L/Au:N/C:P/I:N/A:N)  http://xforce.iss.net/xforce/xfdb/88783
CVE-2014-2401  5           (AV:N/AC:L/Au:N/C:P/I:N/A:N)  http://xforce.iss.net/xforce/xfdb/92485
CVE-2014-0449  5           (AV:N/AC:L/Au:N/C:P/I:N/A:N)  http://xforce.iss.net/xforce/xfdb/92483
CVE-2014-0459  4.3         (AV:N/AC:M/Au:N/C:N/I:N/A:P)  http://xforce.iss.net/xforce/xfdb/92488
CVE-2014-0453  4           (AV:N/AC:H/Au:N/C:P/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/92490
CVE-2014-2398  3.5         (AV:N/AC:M/Au:S/C:N/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/92491
CVE-2014-1876  2.6         (AV:L/AC:H/Au:N/C:N/I:P/A:P)  http://xforce.iss.net/xforce/xfdb/92492
CVE-2014-2420  2.6         (AV:N/AC:H/Au:N/C:N/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/92493

Specific to IBM Java CVE(s):

CVEID          Base Score  CVSS Vector                   CVSS Temporal Score (X-Force entry)
CVE-2014-0878  5.8         (AV:N/AC:M/Au:N/C:P/I:P/A:N)  http://xforce.iss.net/xforce/xfdb/91084

III. PLATFORM VULNERABILITY ASSESSMENT

The following fileset levels (VRMF) are vulnerable, if the respective Java
version is installed:

For Java5:            Less than 5.0.0.575
For Java6:            Less than 6.0.0.455
For Java7:            Less than 7.0.0.130
For Java7 Release 1:  Less than 7.1.0.10

Note: To find out whether the affected filesets are installed on your
systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i java

IV. FIXES

AFFECTED PRODUCTS AND VERSIONS:

AIX 5.3
AIX 6.1
AIX 7.1
VIOS 2.2.x

REMEDIATION:

IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 6 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7, Service Refresh 7 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Release 1 and later
32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

To learn more about AIX support levels and Java service releases, see the
following:

http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels
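Added example, not part of this IBM advisory: a POSIX shell check that reads `lslpp -L` output and flags Java filesets whose VRMF is below the fixed levels given in section III, comparing the dotted levels numerically rather than as strings. The embedded sample output is constructed and its fileset names are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): compare Java fileset VRMF levels
# taken from `lslpp -L` output against the fixed levels listed in section III.

# Fixed level for a VRMF, keyed on its leading digits (thresholds are the
# advisory's own; an unrecognised major/minor prints nothing).
fixed_level() {
    case "$1" in
        5.*)   echo 5.0.0.575 ;;
        6.*)   echo 6.0.0.455 ;;
        7.0.*) echo 7.0.0.130 ;;
        7.1.*) echo 7.1.0.10 ;;
    esac
}

# True (exit 0) when dotted VRMF $1 is numerically lower than $2; a plain
# string compare would wrongly rank 6.0.0.455 below 6.0.0.99.
vrmf_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Read `lslpp -L` lines on stdin and report every Java fileset below its fixed
# level. Exit status is 1 if any vulnerable fileset was found, 0 otherwise.
check_java_filesets() {
    rc=0
    while read -r fileset level rest; do
        case "$fileset" in Java*) ;; *) continue ;; esac
        fix=$(fixed_level "$level")
        [ -n "$fix" ] || continue
        if vrmf_lt "$level" "$fix"; then
            echo "VULNERABLE $fileset $level (fix: $fix)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the shape of `lslpp -L | grep -i java`; fileset names are
# assumed, and the levels put two entries below and two at the fixed level.
SAMPLE='Java6.sdk      6.0.0.400  C  F  Java SDK 32-bit
Java6_64.sdk   6.0.0.455  C  F  Java SDK 64-bit
Java7.sdk      7.0.0.125  C  F  Java SDK 32-bit
Java71_64.sdk  7.1.0.10   C  F  Java SDK 64-bit'

# On a real AIX host: lslpp -L | grep -i java | check_java_filesets
if printf '%s\n' "$SAMPLE" | check_java_filesets; then
    echo "all Java filesets are at or above the fixed levels"
fi
```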
V. WORKAROUNDS

None

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely with
the AIX Security Team you can either:

A. Send an email with "get key" in the subject line to:
   security-alert@austin.ibm.com

B. Download the key from a PGP Public Key Server. The key ID is:
   0x28BFAA12

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation. IBM,
AIX and pSeries are registered trademarks of International Business Machines
Corporation. All other trademarks are property of their respective holders.

VII. REFERENCES:

Complete CVSS Guide:   http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE-2014-0457: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457
CVE-2014-2421: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421
CVE-2014-0429: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429
CVE-2014-0461: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461
CVE-2014-0455: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0455
CVE-2014-2428: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2428
CVE-2014-0448: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0448
CVE-2014-0454: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0454
CVE-2014-0446: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446
CVE-2014-0452: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452
CVE-2014-0451: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451
CVE-2014-2402: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2402
CVE-2014-2423: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423
CVE-2014-2427: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427
CVE-2014-0458: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458
CVE-2014-2414: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414
CVE-2014-2412: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412
CVE-2014-2409: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2409
CVE-2014-0460: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460
CVE-2013-6954: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6954
CVE-2013-6629: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
CVE-2014-2401: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2401
CVE-2014-0449: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0449
CVE-2014-0459: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0459
CVE-2014-0453: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453
CVE-2014-2398: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398
CVE-2014-1876: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876
CVE-2014-2420: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2420
CVE-2014-0878: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0878

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.