IBM SECURITY ADVISORY

First Issued: Thu Feb 19 10:53:54 CST 2015

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc

===============================================================================

VULNERABILITY SUMMARY

VULNERABILITY: Multiple vulnerabilities in current releases of the IBM® SDK,
               Java Technology Edition: the issues disclosed in the Oracle
               February 2015 Critical Patch Update and two additional
               vulnerabilities.

PLATFORMS:     AIX 5.3, 6.1 and 7.1. VIOS 2.2.x

SOLUTION:      Apply the fix as described below.

THREAT:        Various threats, described below.

CVE Numbers:   CVE-2014-6549 CVSS=10
               CVE-2015-0408 CVSS=10
               CVE-2015-0412 CVSS=10
               CVE-2015-0403 CVSS=6.9
               CVE-2015-0406 CVSS=5.8
               CVE-2015-0410 CVSS=5
               CVE-2015-0407 CVSS=5
               CVE-2015-0400 CVSS=5
               CVE-2014-3566 CVSS=4.3
               CVE-2014-6587 CVSS=4.3
               CVE-2014-6593 CVSS=4
               CVE-2014-6591 CVSS=2.6
               CVE-2014-6585 CVSS=2.6
               CVE-2014-8891 CVSS=6.8

Reboot required?    NO
Workarounds?        NO

===============================================================================

DETAILED INFORMATION

I. DESCRIPTION

This bulletin covers all applicable IBM® Java SDK CVEs published by Oracle as
part of their February 2015 Critical Patch Update. For more information please
refer to Oracle's February 2015 CPU Advisory and the X-Force database entries
referenced below.

II. CVSS

CVEID: CVE-2014-6549
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0408
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0412
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0403
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0406
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2015-0410
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0407
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0400
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3566
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6587
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)

CVEID: CVE-2014-6593
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6591
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Specific to IBM Java CVE(s):

CVEID: CVE-2014-6585
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-8891
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

III. PLATFORM VULNERABILITY ASSESSMENT

The following fileset levels (VRMF) are vulnerable, if the respective Java
version is installed:

    For Java5:            Less than 5.0.0.590
    For Java6:            Less than 6.0.0.470
    For Java7:            Less than 7.0.0.195
    For Java7 Release 1:  Less than 7.1.0.75

Note: To find out whether the affected filesets are installed on your systems,
refer to the lslpp command found in the AIX user's guide.

Example: lslpp -L | grep -i java
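The fileset-level comparison that section III asks for, as an added example that is not part of the advisory: it reads lslpp-style lines, matches each Java fileset to its family, and compares the installed VRMF numerically against the minimum fixed levels listed above. The lslpp output embedded here is constructed sample data and the fileset names are assumed; on a real system pass it the output of `lslpp -L | grep -i java` instead.

```shell
#!/bin/sh
# Constructed sample of `lslpp -L | grep -i java` output (fileset names assumed,
# levels chosen so that two filesets fall below their threshold and two do not).
SAMPLE_LSLPP='  Java5.sdk       5.0.0.580    C     F    Java SDK 32-bit
  Java6_64.sdk    6.0.0.470    C     F    Java SDK 64-bit
  Java7.sdk       7.0.0.190    C     F    Java SDK 32-bit
  Java71_64.sdk   7.1.0.75     C     F    Java SDK 64-bit'

# Minimum fixed VRMF per Java family, from section III of the advisory.
# Java71* must be tested before Java7*, because the Java7* pattern also matches it.
min_level_for() {
  case "$1" in
    Java5*)  echo 5.0.0.590 ;;
    Java6*)  echo 6.0.0.470 ;;
    Java71*) echo 7.1.0.75 ;;
    Java7*)  echo 7.0.0.195 ;;
    *)       return 1 ;;   # not a Java fileset covered by this advisory
  esac
}

# vrmf_lt A B: succeed (exit 0) if dotted version A is numerically below B.
# A plain string comparison would be wrong here: "7.0.0.195" sorts before "7.0.0.2".
# Missing trailing components are treated as 0.
vrmf_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1   # all components equal: A is not below B
}

# vulnerable_filesets LSLPP_TEXT: print one line per Java fileset whose installed
# level is below the fixed level; filesets outside the four families are skipped.
vulnerable_filesets() {
  printf '%s\n' "$1" | while read -r fileset level _rest; do
    min=$(min_level_for "$fileset") || continue
    if vrmf_lt "$level" "$min"; then
      echo "$fileset $level (needs $min)"
    fi
  done
}

vulnerable_filesets "$SAMPLE_LSLPP"
```

A fileset at exactly the fixed level (Java6_64.sdk and Java71_64.sdk in the sample) is reported as not vulnerable, matching the "Less than" wording of section III.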
IV. FIXES

AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3
    AIX 6.1
    AIX 7.1
    VIOS 2.2.x

REMEDIATION:

IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later

    32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
    64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later

    32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
    64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Service Refresh 8 Fix Pack 10 and later

    32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
    64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later

    32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK
    64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK

To learn more about AIX support levels and Java service releases, see the
following:

    http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Published advisory OpenSSL signature file location:

    http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
    https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig
    ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig

    openssl dgst -sha1 -verify -signature .sig

V. WORKAROUNDS

None

VI. CONTACT US

If you would like to receive AIX Security Advisories via email, please visit
"My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To obtain the OpenSSL public key that can be used to verify the signed
advisories and ifixes:

    Download the key from our web page:
    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate securely with the
AIX Security Team via security-alert@austin.ibm.com you can either:

    A. Download the key from our web page:
       http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:
       0x28BFAA12

Please contact your local IBM AIX support center for any assistance.

VII. REFERENCES:

    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    CVE-2014-6549: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549
    CVE-2015-0408: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408
    CVE-2015-0412: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412
    CVE-2015-0403: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403
    CVE-2015-0406: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406
    CVE-2015-0410: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410
    CVE-2015-0407: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407
    CVE-2015-0400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400
    CVE-2014-3566: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    CVE-2014-6587: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587
    CVE-2014-6593: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
    CVE-2014-6591: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591
    CVE-2014-6585: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585
    CVE-2014-8891: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."

IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.