Vulnerability CVE-2014-0963 - CERT Civis.Net

Vulnerability Name:

CVE-2014-0963 (CCN-92844)

Assigned:

2014-05-06

Published:

2014-05-06

Updated:

2017-08-29

Summary:

The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IBM Security Access Manager (ISAM) for Web 7.0 before 7.0.0-ISS-SAM-IF0006 and 8.0 before 8.0.0.3-ISS-WGA-IF0002 allows remote attackers to cause a denial of service (infinite loop) via crafted SSL messages.
Per: http://www-01.ibm.com/support/docview.wss?uid=swg21672192

"Affected Products and Versions

All versions of IBM Security Access Manager for Web, both software and appliance: 7.0, 8.0"

CVSS v3 Severity:

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

7.1 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2014-0963

Source: SECUNIA
Type: UNKNOWN
58845

Source: SECUNIA
Type: UNKNOWN
59245

Source: SECUNIA
Type: UNKNOWN
59249

Source: AIXAPAR
Type: UNKNOWN
IV59660

Source: CCN
Type: IBM Security Bulletin 1672189
IBM Tivoli Access Manager High CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1672192
IBM Security Access Manager for Web High CPU utilization (CVE-2014-0963)

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21672192

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676091

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676092

Source: CONFIRM
Type: UNKNOWN
http://www-304.ibm.com/support/docview.wss?uid=swg21680803

Source: CCN
Type: IBM Security Bulletin 1672397
GSKit CPU utilization vulnerability in TPM for OS Deployment and TPM for Images (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1671732
IBM DB2 is impacted by multiple TLS/SSL security vulnerabilities (CVE-2013-6747, CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1672724
IBM Security Directory Server CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1672843
IBM HTTP Server CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1672869
Content Manager OnDemand for Multiplatform CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673008
IBM Informix Server CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673018
IBM Informix Client SDK CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673040
IBM Content Collector for SAP Applications V3.0 CPU utilization (CVE-2014-0963) and obtaining security information (CVE-2014-0076)

Source: CCN
Type: IBM Security Bulletin 1673245
WebSphere Voice Response CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673259
Rational Developer for System z CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673282
IBM Security Network Intrusion Prevention System CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673418
Vulnerabilities in RequisitePro GSKit Component (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673566
IBM Tivoli NetView for z/OS (NetView Management Console Topology Server component) CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673600
IBM WebSphere Transformation Extender Secure Adapter Collection 8.4.1.1 CPU utilization and insecure Elliptic Curve Digital Signature Algorithm (CVE-2014-0963, CVE-2014-0076)

Source: CCN
Type: IBM Security Bulletin 1673666
IBM SPSS Modeler CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673689
Tivoli Netcool Service Quality Manager CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673715
IBM Tivoli Monitoring CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673717
Content Manager Enterprise Edition CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673847
IBM Sterling Connect:Direct for UNIX CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1673849
IBM Sterling Connect:Direct for Microsoft Windows CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1674200
IBM Smart Analytics System 7700 CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1674493
IBM Algo One CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1674825
TSM Server CPU Utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1675355
IBM Security Network Protection System CPU utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1675392
IBM PureApplication System is impacted by the TLS/SSL security vulnerability

Source: CCN
Type: IBM Security Bulletin 1675496
IBM Security SiteProtector System can be affected by a vulnerability in IBM Global Security Kit (CVE-2014-0963) and in Apache Struts V1.x (CVE-2014-0114)

Source: CONFIRM
Type: UNKNOWN
http://www.ibm.com/support/docview.wss?uid=swg21675496

Source: CCN
Type: IBM Security Bulletin 1676091
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33

Source: CCN
Type: IBM Security Bulletin 1676092
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9

Source: CCN
Type: IBM Security Bulletin 1680803
IBM Security Network Protection System CPU Utilization (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1681114
IBM Notes and Domino - Multiple vulnerabilities in IBM Java (Oracle April 2014 Critical Patch Update) and IBM HTTP Server for Domino (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1681249
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3

Source: CCN
Type: IBM Security Bulletin 1681476
IBM Tivoli Monitoring (CVE-2014-0963)

Source: CCN
Type: IBM Security Bulletin 1689786
IBM WebSphere Transformation Extender Secure Adapter Collection vulnerabilities: RSA BSAFE-C (CVE-2014-4191, CVE-2014-4192) and SSLv3 (CVE-2014-3566)

Source: BID
Type: UNKNOWN
67238

Source: CCN
Type: BID-67238
IBM Security Access Manager for Web CVE-2014-0963 Remote Denial of Service Vulnerability

Source: SECTRACK
Type: UNKNOWN
1030707

Source: XF
Type: UNKNOWN
ibm-gskit-cve20140963-dos(92844)

Source: XF
Type: UNKNOWN
ibm-gskit-cve20140963-dos(92844)

Vulnerable Configuration:

Configuration 1:

cpe:/o:ibm:security_access_manager_firmware:7.0:*:web:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager_firmware:8.0:*:web:*:*:*:*:*

OR cpe:/h:ibm:security_access_manager_appliance:-:*:web:*:*:*:*:*

OR cpe:/h:ibm:security_access_manager_appliance:-:*:web:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:tivoli_access_manager:5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_access_manager:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_access_manager:6.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_access_manager:6.1.1:*:*:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager:7.0:*:web:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager:8.0:*:web:*:*:*:*:*

AND

cpe:/a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:6.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:6.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:6.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_manager_ondemand_for_multiplatforms:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_manager_ondemand_for_multiplatforms:9.0:*:*:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager:6.0:*:web:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager:6.1:*:web:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager:6.1.1:*:web:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_directory_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_directory_server:6.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_directory_server:6.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_directory_server:6.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_siteprotector_system:3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:algo_one:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:8.5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:9.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:8.5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:9.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_connect:direct:4.2.0::~~~unix~~:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_siteprotector_system:3.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.3.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.3.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_transformation_extender:8.4.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:8.5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:8.5.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:8.5.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spss_modeler:16.0.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable