IBM Connections vulnerability – fixes for CVE-2014-3004 / CSVV in detail

Security Bulletin: IBM Connections Security Update for CVE-2014-3004

IBM released a security update for IBM Connections today –> LINK

IBM Connections makes use of libraries from the open source  “Castor Project“ (data binding framework for Java that provides Java-to-XML bindings, Java-to-SQL persistence and more).

There are several fixes available for each of the current IBM Connections versions:

This security update is very important, as its CVSS (Common vulnerability score system) Scores are even above the Poodle SSLv3 security issues.

By the way… This CVSS Score system is really an interesting project!
Here is a description of CVSS (taken from http://www.first.org/cvss/cvss-guide.html)

If you now take a look at the security bulletin of IBM you find the scoring information in the description:

Which means:

CVE-ID – Common Vulnerabilities and Exposures ID – this is the ID of the CVE project, a dictionary of publicly known information security vulnerabilities and exposures

Description – A short description of the security issue

CVSS Base Score – represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments

CVSS Temporal Score – represents the characteristics of a vulnerability that change over time but not among user environments

CVSS Environmental Score – represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment

CVSS Vector – characteristics of a vulnerability that are constant with time and across user environments

  • AV: Access Vector: Local (L), Network (A), Network (N) means which access is needed to exploit the vulnerability
  • AC: Access Complexity: High, Medium, Low means how easy or not easy it is to run the attack
  • Au: Authentication: Multiple (M), Single (S), None (N) means how often the attacker has to authenticate
  • C: Confidentiality Impact: None (N), Partial (P), Complete (C) means how much access to data the attacker might be able to get
  • I: Integrity Impact: None (N), Partial (P), Complete (C) means how the system migh get compromised
  • A: Availability Impact: None (N), Partial (P), Complete (C) means if the attacker might be able to shut down the environment

If you now take a look at the CVE-2014-3004 CSVV vector:

  • AV:N –> Remote exploitable vulnerability so that a remote attack can be driven without further local network access
  • AC:L –> Low access complexity – it is rather easy to get access to the environment and the attack requires little skill
  • Au:N –> No authentication is needed to drive such an attack
  • C:P –> Partial access to confidential information is possible
  • I:N –> No impact on integrity of data
  • A:N –> No impact no availability of the environment

There are much more indicators used by CSVV to generate a scoring for such a vulnerability.

CVE-2014-3004 has a base score of 5 out of 10 that is medium impact… If you take a look at the CSVV vector, I think this is quite scary what might happen to your data (C:P – partial access to your data…).

So do not wait, update your IBM Connections environment to the correct version and you are out of danger 😉

Leave a Reply

Your email address will not be published. Required fields are marked *