Vulnerability Name:

CVE-2014-3086 (CCN-94097)

Assigned:2014-07-31
Published:2014-07-31
Updated:2017-08-29
Summary:Unspecified vulnerability in the IBM Java Virtual Machine, as used in IBM WebSphere Real Time 3 before Service Refresh 7 FP1 and other products, allows remote attackers to gain privileges by leveraging the ability to execute code in the context of a security manager.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
5.1 Medium (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2014-3086

Source: SECUNIA
Type: UNKNOWN
59680

Source: SECUNIA
Type: UNKNOWN
60081

Source: SECUNIA
Type: UNKNOWN
60317

Source: SECUNIA
Type: UNKNOWN
60622

Source: SECUNIA
Type: UNKNOWN
61577

Source: SECUNIA
Type: UNKNOWN
61640

Source: AIXAPAR
Type: Vendor Advisory
IV62634

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21680333

Source: CCN
Type: IBM Security Bulletin 1680334
Multiple vulnerabilities in current releases of the IBM SDK, Java™ Technology Edition

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21680334

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21686383

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21686824

Source: CCN
Type: IBM Security Bulletin 1691846
Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, CVE-2

Source: CCN
Type: IBM Security Bulletin 1020258
Multiple vulnerabilities in the IBM SDK Java Technology for IBM i

Source: CCN
Type: IBM Security Bulletin 1680333
Multiple vulnerabilities in current releases of the IBM WebSphere Real Time

Source: CCN
Type: IBM Security Bulletin 1681102
Vulnerability in IBM Java SDKs and IBM Java Runtime Technology Edition affecting Rational Functional Tester (CVE-2014-3086)

Source: CCN
Type: IBM Security Bulletin 1682038
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control

Source: CCN
Type: IBM Security Bulletin 1682102
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect Tivoli Endpoint Manager for Remote Control

Source: CCN
Type: IBM Security Bulletin 1684695
IBM Pure Application System - Java SE issues disclosed in the Oracle July 2014 Critical Patch Update, plus 1 additional vulnerability

Source: CCN
Type: IBM Security Bulletin 1685312
IBM Tivoli Composite Application Manager for Transactions affected by multiple vulnerabilities in IBM JRE (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 1685333
Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management

Source: CCN
Type: IBM Security Bulletin 1685866
Vulnerabilities in IBM Tivoli System Automation for Integrated Operations Management (Several CVE's)

Source: CCN
Type: IBM Security Bulletin 1686194
Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4220, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, C

Source: CCN
Type: IBM Security Bulletin 1686383
CICS Transaction Gateway for Multiplatforms

Source: CCN
Type: IBM Security Bulletin 1686824
IBM Notes and Domino - Multiple vulnerabilities in IBM Java (Oracle July 2014 Critical Patch Update)

Source: CCN
Type: IBM Security Bulletin 1687297
Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM SDK, Java Technology Edition

Source: CCN
Type: IBM Security Bulletin 1688312
Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Business Viewpoint (CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4220, CVE-2014-4218, CVE-2014-4252, CVE-2014-4265, CVE-2014-4221, CVE-2014-4263, CVE-2014-4244)

Source: CCN
Type: IBM Security Bulletin 1688343
IBM Smart Analytics System 5600 is affected by multiple vulnerabilities in the IBM SDK Java Technology Edition, Version 6

Source: BID
Type: UNKNOWN
69183

Source: CCN
Type: BID-69183
IBM WebSphere Real Time CVE-2014-3086 Unspecified Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
ibm-java-cve20143086-code-exec(94097)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3086

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:lotus_notes:8.5.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:9.0.1.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:ibm:lotus_domino:8.5.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_domino:9.0.1.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:ibm:websphere_real_time:3.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:6:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:java_sdk:*:*:*:*:technology:*:*:*
  • AND
  • cpe:/a:ibm:sdk:5.0:*:*:*:java:*:*:*
  • OR cpe:/a:ibm:sdk:6.0:*:*:*:java:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_system_monitor:4.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_system_monitor:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_composite_application_manager:7.3:*:*:*:transactions:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_composite_application_manager:7.4:*:*:*:transactions:*:*:*
  • OR cpe:/a:ibm:cognos_business_viewpoint:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_viewpoint:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_endpoint_manager:*:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:6.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:1.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.5.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sdk:6.1:*:*:*:java:*:*:*
  • OR cpe:/a:ibm:sdk:7.0:*:*:*:java:*:*:*
  • OR cpe:/a:ibm:sdk:7.1:*:*:*:java:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
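Using the configuration list above in practice, as an added example that is not part of the original entry: the script below parses the page's CPE strings and matches a host inventory against them, treating each plain configuration as an OR-list and "Configuration CCN 1" as "IBM SDK, Java Technology Edition AND one of the listed products" (the page's way of saying a product is affected through its bundled IBM JDK). Only a subset of the page's configurations is copied in, and the inventory is constructed for illustration.

```python
"""Match a host's software inventory against the CPE configurations listed
for CVE-2014-3086 (added example; not part of the original entry).

The page's CPE strings use the 11-field 'cpe:/part:vendor:product:version:
update:edition:language:sw_edition:target_sw:target_hw:other' form, with '*'
meaning "any". Missing trailing fields are treated as '*'.
"""

ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# A subset of the configurations on this page. Each plain configuration is an
# OR-list; CCN Configuration 1 is "IBM SDK, Java Technology Edition (any
# version) AND one of the listed products".
OR_CONFIGS = {
    "Configuration 1": ["cpe:/a:ibm:lotus_notes:8.5.3.0", "cpe:/a:ibm:lotus_notes:9.0.1.0"],
    "Configuration 3": ["cpe:/a:ibm:websphere_real_time:3.0"],
    "Configuration RedHat 1": ["cpe:/a:redhat:rhel_extras:6"],
}
CCN_REQUIRED = "cpe:/a:ibm:java_sdk:*:*:*:*:technology"
CCN_PRODUCTS = [
    "cpe:/a:ibm:sdk:6.0:*:*:*:java",
    "cpe:/a:ibm:sdk:7.0:*:*:*:java",
    "cpe:/a:ibm:tivoli_endpoint_manager:*",
    "cpe:/a:ibm:domino:9.0.1",
    "cpe:/o:ibm:i:7.1",
]


def parse_cpe(uri):
    """Split a 'cpe:/...' URI into named attributes; pads missing fields with '*'."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(ATTRS):
        raise ValueError("too many fields in %r" % uri)
    fields += ["*"] * (len(ATTRS) - len(fields))
    return dict(zip(ATTRS, fields))


def cpe_matches(pattern, installed):
    """True when every attribute the pattern pins down equals the installed one.

    '*' in the pattern matches anything; '*' in the inventory does not satisfy
    a pinned pattern attribute, so inventory entries must be specific."""
    p, c = parse_cpe(pattern), parse_cpe(installed)
    return all(p[a] == "*" or p[a] == c[a] for a in ATTRS)


def affected_configurations(inventory):
    """Names of the page's configurations that the inventory satisfies."""
    def any_match(patterns):
        return any(cpe_matches(pat, inst) for pat in patterns for inst in inventory)

    hits = [name for name, alternatives in OR_CONFIGS.items() if any_match(alternatives)]
    if any_match([CCN_REQUIRED]) and any_match(CCN_PRODUCTS):
        hits.append("Configuration CCN 1")
    return hits


# Constructed inventory for illustration (not from the page): an IBM JDK 7
# with a Tivoli Endpoint Manager agent, a WebSphere Real Time 3 install and
# an unrelated Oracle JRE.
SAMPLE_INVENTORY = [
    "cpe:/a:ibm:java_sdk:7.0.6.1:*:*:*:technology",
    "cpe:/a:ibm:tivoli_endpoint_manager:9.1",
    "cpe:/a:ibm:websphere_real_time:3.0",
    "cpe:/a:oracle:jre:1.7.0:update65",
]

if __name__ == "__main__":
    for name in affected_configurations(SAMPLE_INVENTORY):
        print("in scope:", name)
```

A match only places a host in scope. The page's CPE version fields name product lines (for example `websphere_real_time:3.0`), while the fix is a service level (the summary gives WebSphere Real Time 3 Service Refresh 7 FP1), so the follow-up is to read the SR/FP level from the IBM JDK's `java -version` build string, or the package NVR on RHEL, and compare it against the vendor bulletin or the RHSA OVAL definition rather than treating the CPE match as confirmation.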
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.redhat.rhsa:def:20141041 | P | RHSA-2014:1041: java-1.7.0-ibm security update (Critical) | 2014-08-11
oval:com.redhat.rhsa:def:20141033 | P | RHSA-2014:1033: java-1.6.0-ibm security update (Critical) | 2014-08-07
oval:com.redhat.rhsa:def:20141036 | P | RHSA-2014:1036: java-1.5.0-ibm security update (Important) | 2014-08-07