Vulnerability Name:

CVE-2014-3068 (CCN-93756)

Assigned: 2014-11-13
Published: 2014-11-13
Updated: 2017-08-29
Summary: IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 before SR7 FP1 (7.0.7.1), 6 R1 before SR8 FP1 (6.1.8.1), 6 before SR16 FP1 (6.0.16.1), and before 5.0 SR16 FP7 (5.0.16.7) allows attackers to obtain the private key from a Certificate Management System (CMS) keystore via a brute force attack.
CVSS v3 Severity: 3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
2.4 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:N)
1.8 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
2.4 Low (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:N)
1.8 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-255
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2014-3068

Source: CCN
Type: RHSA-2014-1042
Critical: java-1.7.1-ibm security update

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0264

Source: AIXAPAR
Type: Vendor Advisory
IV66876

Source: AIXAPAR
Type: Vendor Advisory
IV66894

Source: CCN
Type: IBM Security Bulletin 1691089
Vulnerabilities exists in components of IMS Enterprise Suite: Connect API for Java and Explorer for Development (CVE-2014-4263)

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21691089

Source: CCN
Type: IBM Security Bulletin 1680333
Multiple vulnerabilities in current releases of the IBM WebSphere Real Time

Source: CCN
Type: IBM Security Bulletin 1680418
Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server July 2014 CPU

Source: CCN
Type: IBM Security Bulletin 1681371
Multiple vulnerabilities in IBM Java SDK affect IBM Support Assistant Team Server July 2014 CPU

Source: CCN
Type: IBM Security Bulletin 1682038
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control

Source: CCN
Type: IBM Security Bulletin 1682102
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect Tivoli Endpoint Manager for Remote Control

Source: CCN
Type: IBM Security Bulletin 1682188
Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Portal (CVE-2014-4244, CVE-2014-4263, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1682315
Multiple vulnerabilities in IBM Java SDK affect WebSphere Process Server and IBM Business Process Manager (CVE-2014-4263, CVE-2014-4244, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1682339
Multiple vulnerabilities in IBM Java SDK affect WebSphere Dynamic Process Edition (CVE-2014-4263, CVE-2014-4244, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1682340
Multiple vulnerabilities in IBM Java SDK affect WebSphere Lombardi Edition (CVE-2014-4263, CVE-2014-4244, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1682347
Multiple vulnerabilities in IBM Java SDK affect WebSphere Business Services Fabric (CVE-2014-4263, CVE-2014-4244, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1684622
Vulnerabilities in IBM Runtime Environments, Java Technology Edition affect IBM InfoSphere Optim Performance Manager (CVE-2014-4263, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1684704
A vulnerability in IBM Java SDK affects Rational Application Developer for WebSphere (CVE-2014-4263)

Source: CCN
Type: IBM Security Bulletin 1685312
IBM Tivoli Composite Application Manager for Transactions affected by multiple vulnerabilities in IBM JRE (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 1685324
A vulnerability in IBM Java SDK affects Rational Software Architect for WebSphere Software (CVE-2014-4263)

Source: CCN
Type: IBM Security Bulletin 1685508
WebSphere Partner Gateway Advanced/Enterprise is affected by vulnerabilities that exist in the IBM SDK Java Technology Edition (CVE-2014-4263, CVE-2014-3068 )

Source: CCN
Type: IBM Security Bulletin 1691139
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control.

Source: CCN
Type: IBM Security Bulletin 1691809
Multiple vulnerabilities in IBM Java SDK affect various Optim data server tools desktop products (CVE-2014-6558, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1692842
Rational Synergy vulnerability (CVE-2014-4263, CVE-2014-3068,CVE-2014-3566,CVE-2014-6457)

Source: CCN
Type: IBM Security Bulletin 1693145
IBM WebSphere MQ Internet Pass-Thru is affected by multiple vulnerabilities in IBM SDK, Java Technology Edition, Version 7 (CVE-2014-4263, CVE-2014-4244, CVE-2014-3068)

Source: CCN
Type: IBM Security Bulletin 1694020
Vulnerability fixes for Rational Lifecycle Integration Adapter for HP ALM (CVE-2014-3065, CVE-2014-3566, CVE-2014-6457, CVE-2014-4208, CVE-2014-2490, CVE-2014-4263)

Source: CCN
Type: IBM Security Bulletin 1695111
IBM License Metric Tool, IBM Endpoint Manager for Software Use Analysis and IBM Tivoli Asset Discovery for Distributed Java-related vulnerabilities - July 2014

Source: CCN
Type: IBM Security Bulletin 1699217
There are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Versions 6 that is used by IBM Tivoli Netcool Configuration Manager. (CVE-2014-4263) (CVE-2014-3068) (CVE-2014-4244)

Source: CCN
Type: BID-71408
IBM SDK Java CMS Keystore Local Information Disclosure Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1164201

Source: XF
Type: UNKNOWN
ibm-ikeyman-cve20143068-info-disc(93756)

Source: CCN
Type: IBM Security Bulletin 1680334
Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:ibm:java:5.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.12.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.13.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.15.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.16.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.16.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.16.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:5.0.16.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.13.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.13.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.13.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:6.0.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:7.0.5.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:java_sdk:5.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java_sdk:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java_sdk:7.0.0.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_studio:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_studio:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_optim_performance_manager:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_optim_performance_manager:5.1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_optim_performance_manager:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_optim_performance_manager:5.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_asset_discovery_for_distributed:7.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:ims_enterprise_suite:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_endpoint_manager:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:8.5.0:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:8.5.1:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:8.5.5:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.0.0:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.0.0.1:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.0:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:websphere_real_time:3.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:com.redhat.rhsa:def:20141041 | P | RHSA-2014:1041: java-1.7.0-ibm security update (Critical) | 2014-08-11
    oval:com.redhat.rhsa:def:20141033 | P | RHSA-2014:1033: java-1.6.0-ibm security update (Critical) | 2014-08-07
    oval:com.redhat.rhsa:def:20141036 | P | RHSA-2014:1036: java-1.5.0-ibm security update (Important) | 2014-08-07
    ibm java 5.0.0.0
    ibm java 5.0.11.0
    ibm java 5.0.11.1
    ibm java 5.0.11.2
    ibm java 5.0.12.0
    ibm java 5.0.12.1
    ibm java 5.0.12.2
    ibm java 5.0.12.3
    ibm java 5.0.12.4
    ibm java 5.0.12.5
    ibm java 5.0.13.0
    ibm java 5.0.14.0
    ibm java 5.0.15.0
    ibm java 5.0.16.0
    ibm java 5.0.16.1
    ibm java 5.0.16.2
    ibm java 5.0.16.3
    ibm java 6.0.0.0
    ibm java 6.0.1.0
    ibm java 6.0.2.0
    ibm java 6.0.3.0
    ibm java 6.0.4.0
    ibm java 6.0.5.0
    ibm java 6.0.6.0
    ibm java 6.0.7.0
    ibm java 6.0.8.0
    ibm java 6.0.8.1
    ibm java 6.0.9.0
    ibm java 6.0.9.1
    ibm java 6.0.9.2
    ibm java 6.0.10.0
    ibm java 6.0.10.1
    ibm java 6.0.11.0
    ibm java 6.0.12.0
    ibm java 6.0.13.0
    ibm java 6.0.13.1
    ibm java 6.0.13.2
    ibm java 6.0.14.0
    ibm java 7.0.0.0
    ibm java 7.0.1.0
    ibm java 7.0.2.0
    ibm java 7.0.3.0
    ibm java 7.0.4.0
    ibm java 7.0.4.1
    ibm java 7.0.4.2
    ibm java 7.0.5.0
    ibm java sdk 5.0.0.0
    ibm java sdk 6.0.0.0
    ibm java sdk 7.0.0.0
    ibm websphere application server 6.1
    ibm websphere application server 7.0
    ibm websphere portal 7.0
    ibm websphere application server 8.0
    ibm websphere portal 8.0
    ibm websphere application server 8.5
    ibm data studio 3.1.0
    ibm data studio 3.1.1
    ibm infosphere optim performance manager 5.1.0
    ibm infosphere optim performance manager 5.1.1.1
    ibm infosphere optim performance manager 5.2.0.0
    ibm infosphere optim performance manager 5.1.1.0
    ibm websphere application server 8.5.5
    ibm tivoli asset discovery for distributed 7.2.2
    ibm websphere portal 8.5
    ibm ims enterprise suite 2.2
    ibm websphere portal 6.1
    ibm tivoli endpoint manager *
    ibm rational software architect for websphere software 8.5.0
    ibm rational software architect for websphere software 8.5.1
    ibm rational software architect for websphere software 8.5.5
    ibm rational software architect for websphere software 9.0.0
    ibm rational software architect for websphere software 9.0.0.1
    ibm rational software architect for websphere software 9.1.0
    ibm websphere real time 3.0