IBM SECURITY ADVISORY

First Issued: Fri Nov 14 15:40:48 CST 2014

The most recent version of this document is available here:

    http://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc
    https://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc
    ftp://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  Multiple vulnerabilities in current releases of the IBM® SDK,
                Java Technology Edition: the issues disclosed in the Oracle
                October 2014 Critical Patch Update, plus the POODLE SSLv3
                vulnerability and one additional vulnerability.

PLATFORMS:      AIX 5.3, 6.1 and 7.1
                VIOS 2.2.x

SOLUTION:       Apply the fix as described below.

THREAT:         Various threats, described below.

CVE Numbers:    CVE-2014-6513  CVSS=10
                CVE-2014-6503  CVSS=9.3
                CVE-2014-6532  CVSS=9.3
                CVE-2014-4288  CVSS=7.6
                CVE-2014-6493  CVSS=7.6
                CVE-2014-6492  CVSS=7.6
                CVE-2014-6458  CVSS=6.9
                CVE-2014-6466  CVSS=6.9
                CVE-2014-6506  CVSS=6.8
                CVE-2014-6476  CVSS=5
                CVE-2014-6515  CVSS=5
                CVE-2014-6511  CVSS=5
                CVE-2014-6531  CVSS=4.3
                CVE-2014-6512  CVSS=4.3
                CVE-2014-6457  CVSS=4
                CVE-2014-6527  CVSS=2.6
                CVE-2014-6502  CVSS=2.6
                CVE-2014-6558  CVSS=2.6
                CVE-2014-3065  CVSS=6
                CVE-2014-3566  CVSS=4.3

Reboot required?    NO
Workarounds?        NO

===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    This bulletin covers all applicable IBM® Java SDK CVEs published by Oracle
    as part of their October 2014 Critical Patch Update. For more information
    please refer to Oracle's October 2014 CPU Advisory and the X-Force database
    entries referenced below. In addition, this bulletin also covers the POODLE
    SSLv3 vulnerability (CVE-2014-3566) and one additional vulnerability
    specific to IBM Java (CVE-2014-3065).

II. CVSS

    CVEID: CVE-2014-6513
    CVSS Base Score: 10
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97127 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6503
    CVSS Base Score: 9.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97129 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6532
    CVSS Base Score: 9.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97128 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-4288
    CVSS Base Score: 7.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97135 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6493
    CVSS Base Score: 7.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97134 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6492
    CVSS Base Score: 7.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97133 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6458
    CVSS Base Score: 6.9
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97137 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6466
    CVSS Base Score: 6.9
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97136 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

    CVEID: CVE-2014-6506
    CVSS Base Score: 6.8
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97139 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

    CVEID: CVE-2014-6476
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97141 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2014-6515
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97142 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2014-6511
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97140 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

    CVEID: CVE-2014-6531
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97146 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    CVEID: CVE-2014-6512
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97147 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2014-6457
    CVSS Base Score: 4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

    CVEID: CVE-2014-6527
    CVSS Base Score: 2.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97149 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2014-6502
    CVSS Base Score: 2.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97150 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2014-6558
    CVSS Base Score: 2.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

    Specific to IBM Java CVE(s):

    CVEID: CVE-2014-3065
    CVSS Base Score: 6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93629 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)

    CVEID:
    CVE-2014-3566
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

III. PLATFORM VULNERABILITY ASSESSMENT

    The following fileset levels (VRMF) are vulnerable, if the respective
    Java version is installed:

        For Java5:           Less than 5.0.0.580
        For Java6:           Less than 6.0.0.460
        For Java7:           Less than 7.0.0.135
        For Java7 Release 1: Less than 7.1.0.15

    Note: To find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in the AIX user's guide.

    Example:  lslpp -L | grep -i java

IV. FIXES

    AFFECTED PRODUCTS AND VERSIONS:

        AIX 5.3
        AIX 6.1
        AIX 7.1
        VIOS 2.2.x

    REMEDIATION:

    IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 8
    and later
        32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
        64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

    IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2
    and later
        32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
        64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

    IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 and later
        32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
        64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

    IBM SDK, Java Technology Edition, Version 7 Release 1 Fix Pack 2 and later
        32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
        64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

    To learn more about AIX support levels and Java service releases, see
    the following:

        http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

    Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/java_oct2014_advisory.asc.sig

    To verify the advisory against its signature, where <pubkey_file> is the
    OpenSSL public key referenced in section VI:

        openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

V. WORKAROUNDS

    None

VI. CONTACT US

    If you would like to receive AIX Security Advisories via email, please
    visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the signed
    advisories and ifixes:

        Download the key from our web page:
        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate securely
    with the AIX Security Team via security-alert@austin.ibm.com you can
    either:

        A. Download the key from our web page:
           http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:
           0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

VII. REFERENCES:

    Complete CVSS Guide:   http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

    CVE-2014-6513: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6513
    CVE-2014-6503: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6503
    CVE-2014-6532: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6532
    CVE-2014-4288: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4288
    CVE-2014-6493: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6493
    CVE-2014-6492: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6492
    CVE-2014-6458: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6458
    CVE-2014-6466: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6466
    CVE-2014-6506: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506
    CVE-2014-6476: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6476
    CVE-2014-6515: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6515
    CVE-2014-6511: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511
    CVE-2014-6531: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531
    CVE-2014-6512: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512
    CVE-2014-6457: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457
    CVE-2014-6527: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6527
    CVE-2014-6502: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502
    CVE-2014-6558: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558
    CVE-2014-3065: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3065
    CVE-2014-3566: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

    *The CVSS Environment Score is customer environment specific and will
    ultimately impact the Overall CVSS Score. Customers can evaluate the
    impact of this vulnerability in their environments by accessing the
    links in the Reference section of this Flash.

    Note: According to the Forum of Incident Response and Security Teams
    (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
    open standard designed to convey vulnerability severity and help to
    determine urgency and priority of response." IBM PROVIDES THE CVSS
    SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
    POTENTIAL SECURITY VULNERABILITY.
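Section III gives the vulnerable VRMF thresholds and suggests `lslpp -L | grep -i java`, which lists the installed levels but leaves the comparison to the reader. The shell script below is an added example, not part of the IBM advisory: it compares each reported level against the section III thresholds field by field as integers, which matters because a textual comparison places 7.0.0.99 above 7.0.0.135. The fileset names it matches (Java5.sdk, Java6_64.sdk, Java7r1_64.sdk and so on) are assumed AIX naming rather than names taken from the advisory, and the lslpp output it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the IBM advisory): compare the Java fileset
# levels reported by `lslpp -L` with the minimum fixed VRMF levels from
# section III. Fileset names below are assumed AIX naming; the sample
# lslpp output is constructed for this demonstration.

# Lowest fixed level for each Java stream (section III). Anything below it is
# vulnerable. Java7r1 must be matched before the broader Java7 pattern.
min_fixed_level() {
  case "$1" in
    Java5*)   echo 5.0.0.580 ;;
    Java6*)   echo 6.0.0.460 ;;
    Java7r1*) echo 7.1.0.15 ;;
    Java7*)   echo 7.0.0.135 ;;
    *)        return 1 ;;   # not an IBM Java fileset we know how to assess
  esac
}

# vrmf_lt A B succeeds when VRMF A is lower than VRMF B. Each dot-separated
# field is compared as an integer, not as text: 7.0.0.99 is below 7.0.0.135
# even though "99" sorts after "135" as a string. awk with only a BEGIN block
# reads no input, so it does not consume the lslpp lines still on stdin.
vrmf_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal levels are not lower, so the fix is present
  }'
}

# Reads `lslpp -L` output on stdin and prints one verdict line per Java
# fileset: "<fileset> <level> VULNERABLE (below <min>)" or "<fileset> <level> fixed".
assess_java_filesets() {
  grep -i 'java' | while read -r fileset level _rest; do
    min=$(min_fixed_level "$fileset") || continue
    if vrmf_lt "$level" "$min"; then
      echo "$fileset $level VULNERABLE (below $min)"
    else
      echo "$fileset $level fixed"
    fi
  done
}

# Constructed sample of `lslpp -L` output. On a live AIX system run:
#   lslpp -L | assess_java_filesets
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  Java5.sdk                  5.0.0.575    C     F    Java SDK 32-bit
  Java6_64.sdk               6.0.0.460    C     F    Java SDK 64-bit
  Java7.sdk                  7.0.0.99     C     F    Java SDK 32-bit
  Java7r1_64.sdk             7.1.0.15     C     F    Java SDK 64-bit
  openssl.base               1.0.1.512    C     F    Open Secure Socket Layer'

printf '%s\n' "$SAMPLE_LSLPP" | assess_java_filesets
```

On the constructed sample, Java5.sdk and Java7.sdk are reported vulnerable while the Java6 and Java7 Release 1 filesets sit exactly at their fixed levels and pass; the thresholds correspond to the Service Refresh and Fix Pack levels named in section IV, so a VULNERABLE verdict maps directly to the download for that stream.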