copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0975 - [Win][Linux][AIX] IBM Lotus Quickr for WebSphere Portal: Access confidential data - Remote/unauthenticated

Date: 13 June 2014
References: ASB-2013.0128  ESB-2013.1652  ESB-2013.1760  ASB-2013.0136  ESB-2014.0082  ESB-2014.0244  ESB-2014.0313  ASB-2014.0053  ASB-2014.0063  ESB-2014.1070  
ESB-2014.2173  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0975
 Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java -
      April 2014 CPU update for Lotus Quickr 8.5 for WebSphere Portal
                               13 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Lotus Quickr for WebSphere Portal
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   AIX
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0878 CVE-2014-0460 CVE-2014-0453

Reference:         ASB-2014.0063
                   ASB-2014.0053
                   ESB-2014.0313
                   ESB-2014.0244
                   ESB-2014.0082
                   ASB-2013.0136
                   ASB-2013.0128
                   ESB-2013.1760
                   ESB-2013.1652

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21675588

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java -
April 2014 CPU update for Lotus Quickr 8.5 for WebSphere Portal

Security Bulletin

Document information

More support for:
Lotus Quickr for WebSphere Portal
Security

Software version:
8.5

Operating system(s):
AIX, Linux, Windows

Reference #:
1675588

Modified date:
2014-06-09

Summary

Multiple vulnerabilities in current IBM SDK for Java - April 2014 CPU
update for Lotus Quickr 8.5 for WebSphere Portal

Vulnerability Details

Lotus Quickr 8.5 for WebSphere Portal is shipped with an IBM SDK for Java
that is based on the Oracle JDK. Oracle has released April 2014 critical
patch updates (CPU), which contain security vulnerability fixes. The IBM
SDK for Java has been updated to incorporate these fixes, including one
additional vulnerability (CVE-2014-0878).

CVEID: CVE-2014-0878
DESCRIPTION: A vulnerability in the IBMSecureRandom implementation of the
IBMJCE and IBMSecureRandom cryptographic providers potentially allows
an attacker to predict the output of the random number generator under
certain circumstances.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0460
DESCRIPTION: An unspecified vulnerability related to the JNDI component
has partial confidentiality impact, partial integrity impact, and no
availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92482 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0453
DESCRIPTION: An unspecified vulnerability related to the Security component
has partial confidentiality impact, partial integrity impact, and no
availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

The following advisories are included in the SDK but Lotus Quickr 8.5 for
WebSphere Portal is not vulnerable to them. You must evaluate your own
code to determine if it is vulnerable.
CVE IDs: CVE-2014-0457 CVE-2014-2421 CVE-2014-0429 CVE-2014-0461
CVE-2014-0455 CVE-2014-2428 CVE-2014-0448 CVE-2014-0454 CVE-2014-0446
CVE-2014-0452 CVE-2014-0451 CVE-2014-2402 CVE-2014-2423 CVE-2014-2427
CVE-2014-0458 CVE-2014-2414 CVE-2014-2412 CVE-2014-2409 CVE-2013-6954
CVE-2013-6629 CVE-2014-2401 CVE-2014-0449 CVE-2014-0459 CVE-2014-2398
CVE-2014-1876 CVE-2014-2420

Affected Products and Versions

Lotus Quickr 8.5 for WebSphere Portal

Remediation/Fixes

Apply Interim Fix PI14306: Will upgrade you to SDK 5 SR16 FP6

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU54tfhLndAQH1ShLAQKRkw/+NjCkp3MEr5FY03nHE4C/a6NHdEC1P1uc
NsMA6RjXYN94U8WlM2U7ESj1FvDzxJJSCJFlbJmq2q5z8/VDGBncSWPAEhpLPliN
Hn29/mhJ0lTTWmgVj/FYQOVnIHkTL/+rlLR1LS3DRul82H5Ka1+iDve5hNv1rnVT
HoQ04fzuYek3U7F2QI48XkEs7Ce5JsVr/iu9f3rY0eTudZmo5xdwtuPdgmnhdOq0
McVyo6TrHiAfQ0sZvVGJCCv7pG8hvR2T7TAQUoqnVkbU4i3Z3/mt3CbgXbrSZw/d
sLzS4+pajmo/FsLFNvpdnIajEkDQk2od46IZmL5IMjw4xDNNmimjA1+uWLAYK5FZ
TVy+CHBRDC072R7LlZErPoZ7uYw1lnpfI29k3nxTbiLqP8jDnPhlwmFOWS00WWWF
K2vK8BjDIIJb2ukGw/6tyRHJjlGdT6ys2v3NDltuEJZP2TzhGlEw5Kj5WbEhWa3A
MIeKcFcDsZiX/cd5YQMwW1J7VF5EHxrXyKRH5vyvnbaMBYhZYoviP5xaJ3z7sJsW
BltQxRrBuCajWLVcnsPJpoSNesoWxkQ71Pvzn27ia3VXxtgJvN0THqVt7L9tdRDE
1C2mlH1p1vUzsJOiREZs8g7B78ecnEVgM3V8+hF6aef8NWTKCh5jXj4oOL98tS3u
J/NrahMrdYQ=
=bEJG
-----END PGP SIGNATURE-----