ID CVE-2014-3068
Summary IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 before SR7 FP1 (7.0.7.1), 6 R1 before SR8 FP1 (6.1.8.1), 6 before SR16 FP1 (6.0.16.1), and before 5.0 SR16 FP7 (5.0.16.7) allows attackers to obtain the private key from a Certificate Management System (CMS) keystore via a brute force attack.
References
Vulnerable Configurations
  • IBM Java 7.0.0.0
    cpe:2.3:a:ibm:java:7.0.0.0
  • IBM Java 7.0.1.0 Service Refresh 1
    cpe:2.3:a:ibm:java:7.0.1.0
  • IBM Java 7.0.2.0 Service Refresh 2
    cpe:2.3:a:ibm:java:7.0.2.0
  • IBM Java 7.0.3.0 Service Refresh 3
    cpe:2.3:a:ibm:java:7.0.3.0
  • IBM Java 7.0.4.0 Service Refresh 4
    cpe:2.3:a:ibm:java:7.0.4.0
  • IBM Java 7.0.4.1 Service Refresh 4 (Fix Pack 1)
    cpe:2.3:a:ibm:java:7.0.4.1
  • IBM Java 7.0.4.2 Service Refresh 4 (Fix Pack 2)
    cpe:2.3:a:ibm:java:7.0.4.2
  • IBM Java 7.0.5.0 Service Refresh 5
    cpe:2.3:a:ibm:java:7.0.5.0
  • IBM Java 6.0.9.2 Service Refresh 9 (FixPack 2)
    cpe:2.3:a:ibm:java:6.0.9.2
  • IBM Java 6.0.9.1 Service Refresh 9 (FixPack 1)
    cpe:2.3:a:ibm:java:6.0.9.1
  • IBM Java 6.0.9.0 Service Refresh 9
    cpe:2.3:a:ibm:java:6.0.9.0
  • IBM Java 6.0.8.1 Service Refresh 8 (FixPack 1)
    cpe:2.3:a:ibm:java:6.0.8.1
  • IBM Java 6.0.8.0 Service Refresh 8
    cpe:2.3:a:ibm:java:6.0.8.0
  • IBM Java 6.0.7.0 Service Refresh 7
    cpe:2.3:a:ibm:java:6.0.7.0
  • IBM Java 6.0.6.0 Service Refresh 6
    cpe:2.3:a:ibm:java:6.0.6.0
  • IBM Java 6.0.5.0 Service Refresh 5
    cpe:2.3:a:ibm:java:6.0.5.0
  • IBM Java 6.0.4.0 Service Refresh 4
    cpe:2.3:a:ibm:java:6.0.4.0
  • IBM Java 6.0.3.0 Service Refresh 3
    cpe:2.3:a:ibm:java:6.0.3.0
  • IBM Java 6.0.2.0 Service Refresh 2
    cpe:2.3:a:ibm:java:6.0.2.0
  • IBM Java 6.0.14.0 Service Refresh 14
    cpe:2.3:a:ibm:java:6.0.14.0
  • IBM Java 6.0.13.2 Service Refresh 13 (Fix Pack 2)
    cpe:2.3:a:ibm:java:6.0.13.2
  • IBM Java 6.0.13.1 Service Refresh 13 (Fix Pack 1)
    cpe:2.3:a:ibm:java:6.0.13.1
  • IBM Java 6.0.13.0 Service Refresh 13
    cpe:2.3:a:ibm:java:6.0.13.0
  • IBM Java 6.0.12.0 Service Refresh 12
    cpe:2.3:a:ibm:java:6.0.12.0
  • IBM Java 6.0.11.0 Service Refresh 11
    cpe:2.3:a:ibm:java:6.0.11.0
  • IBM Java 6.0.10.1 Service Refresh 10 (FixPack 1)
    cpe:2.3:a:ibm:java:6.0.10.1
  • IBM Java 6.0.10.0 Service Refresh 10
    cpe:2.3:a:ibm:java:6.0.10.0
  • IBM Java 6.0.1.0 Service Refresh 1
    cpe:2.3:a:ibm:java:6.0.1.0
  • IBM Java 6.0.0.0
    cpe:2.3:a:ibm:java:6.0.0.0
  • IBM Java 5.0.16.3 Service Refresh 16 (Fix Pack 3)
    cpe:2.3:a:ibm:java:5.0.16.3
  • IBM Java 5.0.16.2 Service Refresh 16 (Fix Pack 2)
    cpe:2.3:a:ibm:java:5.0.16.2
  • IBM Java 5.0.16.1 Service Refresh 16 (Fix Pack 1)
    cpe:2.3:a:ibm:java:5.0.16.1
  • IBM Java 5.0.16.0 Service Refresh 16
    cpe:2.3:a:ibm:java:5.0.16.0
  • IBM Java 5.0.15.0 Service Refresh 15
    cpe:2.3:a:ibm:java:5.0.15.0
  • IBM Java 5.0.14.0 Service Refresh 14
    cpe:2.3:a:ibm:java:5.0.14.0
  • IBM Java 5.0.13.0 Service Refresh 13
    cpe:2.3:a:ibm:java:5.0.13.0
  • IBM Java 5.0.12.5 Service Refresh 12 (FixPack 5)
    cpe:2.3:a:ibm:java:5.0.12.5
  • IBM Java 5.0.12.4 Service Refresh 12 (FixPack 4)
    cpe:2.3:a:ibm:java:5.0.12.4
  • IBM Java 5.0.12.3 Service Refresh 12 (FixPack 3)
    cpe:2.3:a:ibm:java:5.0.12.3
  • IBM Java 5.0.12.2 Service Refresh 12 (FixPack 2)
    cpe:2.3:a:ibm:java:5.0.12.2
  • IBM Java 5.0.12.1 Service Refresh 12 (FixPack 1)
    cpe:2.3:a:ibm:java:5.0.12.1
  • IBM Java 5.0.12.0 Service Refresh 12
    cpe:2.3:a:ibm:java:5.0.12.0
  • IBM Java 5.0.11.2 Service Refresh 11 (FixPack 2)
    cpe:2.3:a:ibm:java:5.0.11.2
  • IBM Java 5.0.11.1 Service Refresh 11 (FixPack 1)
    cpe:2.3:a:ibm:java:5.0.11.1
  • IBM Java 5.0.11.0 Service Refresh 11
    cpe:2.3:a:ibm:java:5.0.11.0
  • IBM Java 5.0.0.0
    cpe:2.3:a:ibm:java:5.0.0.0
CVSS
Base: 6.4 (as of 31-12-2014 - 14:49)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1036.NASL
    description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP7 release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 77083
    published 2014-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77083
    title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:1036)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0264.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2014-3065, CVE-2014-3068, CVE-2014-3566, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) The CVE-2014-4262 and CVE-2014-6512 issues were discovered by Florian Weimer of Red Hat Product Security. Users of Red Hat Satellite 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 81505
    published 2015-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81505
    title RHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0264) (POODLE)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1042.NASL
    description Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR1-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 77143
    published 2014-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77143
    title RHEL 7 : java-1.7.1-ibm (RHSA-2014:1042)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1041.NASL
    description Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR7-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 77142
    published 2014-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77142
    title RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2014:1041)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1033.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 77081
    published 2014-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77081
    title RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2014:1033)
redhat via4
advisories
rhsa
id RHSA-2015:0264
refmap via4
aixapar
  • IV66876
  • IV66894
confirm
xf ibm-ikeyman-cve20143068-info-disc(93756)
Last major update 17-03-2015 - 22:00
Published 01-12-2014 - 20:59
Last modified 28-08-2017 - 21:34