Key Vulnerability Information

Vulnerability Overview

Affected product: IBM WebSphere Cast Iron
Security Bulletin: Multiple security vulnerabilities in IBM JRE 6 and IBM JRE 7
CVE IDs:
- CVE-2014-0423
- CVE-2014-0416
- CVE-2014-0411

Vulnerability Details

1. CVE-2014-0423
- CVSS Base Score: 5.5
- Description: The DocumentHandler used by the java.beans.XMLDecoder implementation allows the use of external entities by default. An attacker who can supply XML to XMLDecoder can declare an external entity (for example, one pointing at a local file or an internal URL) and have it resolved during decoding, which facilitates a variety of attacks via malicious XML data.

2. CVE-2014-0416
- CVSS Base Score: 5.0
- Description: javax.security.auth.Subject is serializable but does not properly validate deserialized data. Malicious code could exploit this to construct an invalid Subject instance whose content differs from its advertised properties (for example, a Subject that reports itself as read-only while its principal or credential sets remain modifiable).

3. CVE-2014-0411
- CVSS Base Score: 4.0
- Description: Timing differences based on the validity of TLS messages (how long the JSSE implementation takes to reject a malformed record versus a valid one) can be measured by a network attacker and exploited to decrypt the entire session.

Affected Platforms

IBM WebSphere Cast Iron v6.0, v6.1, v6.3, v6.4 and v7.0 Studio, Virtual Appliance and Physical Appliance
IBM WebSphere Cast Iron v6.3 and v7.0 Live SaaS offering

Remediation

WebSphere Cast Iron v6.0: Install the v6.0.0.6 interim fix
WebSphere Cast Iron v6.1: Install the v6.1.0.15 interim fix
WebSphere Cast Iron v6.3: Install the v6.3.0.2 interim fix
WebSphere Cast Iron v6.4: Install the v6.4.0.1 interim fix
WebSphere Cast Iron v7.0: Upgrade to v7.0.0.1 by applying the fixpack
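As an added illustration of the CVE-2014-0423 issue (this is example code written for this page, not code from the IBM bulletin or from WebSphere Cast Iron), the following Java program shows what an XMLDecoder document carrying an external entity looks like, and a defensive pre-check an application can apply before handing untrusted XML to XMLDecoder. The payload, the file path `/etc/hostname`, the class name `XmlDecoderEntityCheck` and the helper names `containsDtd` and `decodeUntrusted` are all constructed for this example. On an unpatched JRE 6/7 the DocumentHandler resolves the entity, so `readObject()` returns a String holding the referenced file's contents; on a patched JRE the entity is not resolved. The pre-check rejects such documents on both.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;

public class XmlDecoderEntityCheck {

    // Constructed payload (not from the bulletin): a DOCTYPE declaring an
    // external entity, referenced from inside an XMLDecoder document. An
    // unpatched DocumentHandler resolves "file:///etc/hostname" and the
    // decoded String carries the file's contents back to the caller.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE java [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n" +
        "  <string>&xxe;</string>\n" +
        "</java>\n";

    // Benign document with no DTD, which must still decode normally.
    static final String BENIGN =
        "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">" +
        "<string>ok</string></java>";

    // Hypothetical defensive helper (not a JDK API): refuse any document that
    // carries a DTD or entity declaration before XMLDecoder ever parses it.
    // Coarse by design: an XMLDecoder document never legitimately needs a DTD.
    static boolean containsDtd(String xml) {
        String upper = xml.toUpperCase();
        return upper.contains("<!DOCTYPE") || upper.contains("<!ENTITY");
    }

    // Decode only after the pre-check passes. Explicit close() rather than
    // try-with-resources so the code also compiles on the affected JRE 6.
    static Object decodeUntrusted(String xml) throws UnsupportedEncodingException {
        if (containsDtd(xml)) {
            throw new IllegalArgumentException("DTD/entity declarations are not allowed");
        }
        XMLDecoder dec = new XMLDecoder(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        try {
            return dec.readObject();
        } finally {
            dec.close();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println(decodeUntrusted(PAYLOAD));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(decodeUntrusted(BENIGN));
    }
}
```

The DTD check only closes the external-entity hole described in CVE-2014-0423; it is not a substitute for the interim fix. XMLDecoder is itself a deserialization mechanism that instantiates classes and invokes methods named in the document, so untrusted XML should not reach it at all, and the JRE on every affected Cast Iron tier should be updated as listed in the remediation section.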