Security Bulletin: Java SE issues disclosed in the Oracle April 2018 Critical Patch Update affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation

2018-06-18 01:43:59
www.ibm.com

CVSS3: 8.3 High

Metric| Value
—|—
Attack Vector| NETWORK
Attack Complexity| HIGH
Privileges Required| NONE
User Interaction| REQUIRED
Scope| CHANGED
Confidentiality Impact| HIGH
Integrity Impact| HIGH
Availability Impact| HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS2: 5.8 Medium

Metric| Value
—|—
Access Vector| NETWORK
Access Complexity| MEDIUM
Authentication| NONE
Confidentiality Impact| PARTIAL
Integrity Impact| PARTIAL
Availability Impact| NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

Java SE issues disclosed in the Oracle April 2018 Critical Patch Update were addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.

Vulnerability Details

CVE Descriptions

CVE-2018-2826 (CVSS 8.3)

Description
A flaw in the VM causes type confusion and potentially allows untrusted code running under a security manager to elevate its privileges.
The fix corrects the flaw.
Product Applicability
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2825 (CVSS 8.3)

Description
A flaw in the VM causes type confusion and potentially allows untrusted code running under a security manager to elevate its privileges.
The fix corrects the flaw.
Product Applicability
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2814 (CVSS 8.3)

Description
A flaw in the Oracle HotSpot VM exposes reclaimed memory which may cause JVM crashes, expose sensitive information, or allow untrusted code to elevate its privileges.
The fix addresses the flaw.
Product Applicability
This issue applies to Solaris, HP-UX and Mac OS only.
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2794 (CVSS 7.7)

Description
A flaw in the JCE component may allow arbitrary code execution via malicious serialized data in keystores.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if keytool is used on a keystore from an untrusted source.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2783 (CVSS 7.4)

Description
A flaw exists in TLS handshaking related to the previously implemented 3Shake (triple handshake) countermeasures.
The fix addresses the vulnerability by implementing RFC 7627 (the TLS Extended Master Secret extension).
Product Applicability
This issue affects applications that use TLS.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2815 (CVSS 5.3)

Description
A flaw in the ORB component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue does not apply to the IBM JRE/SDK, including the Hybrid JREs/SDKs on Solaris, HP-UX and Mac OS.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2799 (CVSS 5.3)

Description
A flaw in the JAXP component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2798 (CVSS 5.3)

Description
A flaw in the AWT component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2797 (CVSS 5.3)

Description
A flaw in the JMX component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2796 (CVSS 5.3)

Description
A flaw in the java.lang.util.concurrent component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2795 (CVSS 5.3)

Description
A flaw in the java.util component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2800 (CVSS 4.2)

Description
RMI will accept HTTP connections by default, which may allow an RMI server to be exposed by XSS attacks.
The fix disables inbound HTTP connections by default. They can be re-enabled if necessary by setting this system property:
java.rmi.server.disableIncomingHttp=false
Product Applicability
This issue applies to Java deployments that use an RMI server.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2790 (CVSS 3.1)

Description
A flaw in the JAR parser allowed attributes to be added to a signed JAR's manifest without breaking signature verification.
The fix ensures that any modification of manifest attributes prevents signature verification.
Product Applicability
This issue affects applications which rely on signed JARs for integrity purposes.
This issue is also applicable if the JRE is installed as a system JRE, such that it is used to launch and execute applets in a browser, or to launch applications via Java Web Start.
Mitigation
The only solution is to upgrade the JRE.

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1

Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1

Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Spectrum Cluster Foundation 4.2.2

Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
—|—|—|—
Platform Cluster Manager Standard Edition| 4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1| None| See workaround
Platform Cluster Manager Advanced Edition| 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1| None| See workaround
Platform HPC| 4.1.1, 4.1.1.1, 4.2.0, 4.2.1| None| See workaround
Spectrum Cluster Foundation| 4.2.2| None| See workaround

Workarounds and Mitigations

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the stand-by management node as well.

3. If high availability is enabled, shut down the stand-by management node to avoid triggering a failover.

4. On the management node, stop the GUI and PERF services:

HA disabled:

pmcadmin stop

perfadmin stop all

HA enabled:

egosh user logon -u Admin -x Admin

egosh service stop all

5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones (the old folders are kept with a -old suffix):

tar -zxvf ibm-java-jre-6.0-16.65-linux-x86_64.tgz

mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old

mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old

mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old

cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/

cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/

cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On the management node, start the GUI and PERF services:

HA disabled:

pmcadmin start

perfadmin start all

HA enabled:

egosh user logon -u Admin -x Admin

egosh service start all

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x & Spectrum Cluster Foundation 4.2.2

1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the stand-by management node as well.

3. If high availability is enabled, shut down the stand-by management node to avoid triggering a failover.

4. On the management node, stop the GUI and PERF services:

pcmadmin service stop --group ALL

5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones in both JRE locations (the old folders are kept with a -old suffix):

tar -zxvf ibm-java-jre-7.0-10.25-linux-x86_64.tgz

mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old

mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old

mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old

cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/

cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/

cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/

mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old

mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old

mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old

cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/

cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/

cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On the management node, start the GUI and PERF services:

pcmadmin service start --group ALL

7. If high availability is enabled, start the stand-by management node and replace the bin, lib and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 on the stand-by management node in the same way.
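After either procedure, a verification that the JRE the product actually runs is at the level named by the bulletin's tarballs. This is an added example, not part of the IBM bulletin; it assumes the IBM `java -version` output format (a `java version "1.x.0"` line and a runtime line ending in a parenthesised `(SRn FPm)` service level) and treats the tarball levels, 6.0 SR16 FP65 and 7.0 SR10 FP25, as the minimum.

```shell
# Added example, not part of the IBM bulletin. Checks whether an IBM JRE is at
# or above the service level implied by the bulletin's tarball names:
#   ibm-java-jre-6.0-16.65 -> Java 6 SR16 FP65, ibm-java-jre-7.0-10.25 -> Java 7 SR10 FP25
# (treating those levels as the minimum is an assumption of this example).
# Typical use after the swap: /opt/pcm/jre/bin/java -version 2>&1 | jre_is_fixed

# Parse `java -version` text on stdin into "<major> <sr> <fp>". Assumes the IBM
# format: java version "1.7.0" plus a line ending in "(SR10 FP25)"; exits 1 otherwise.
ibm_jre_level() {
  awk '
    /^java version/ { gsub(/"/, "", $3); split($3, v, "."); major = v[2] }
    match($0, /\(SR[0-9]+ FP[0-9]+\)/) {
      s = substr($0, RSTART + 1, RLENGTH - 2)   # "SR10 FP25"
      sub(/SR/, "", s); sub(/ FP/, " ", s)       # "10 25"
      level = s
    }
    END { if (major != "" && level != "") print major, level; else exit 1 }'
}

# Minimum "<sr> <fp>" per major version, taken from the bulletin's tarball names.
min_level() {
  case "$1" in
    6) echo "16 65" ;;
    7) echo "10 25" ;;
    *) return 1 ;;   # the bulletin states no level for other majors
  esac
}

# Exit 0 if the JRE described on stdin is at/above the minimum, 1 if below,
# 2 if the text is not IBM JRE output or its major has no stated minimum.
jre_is_fixed() {
  lvl=$(ibm_jre_level) || return 2
  set -- $lvl                       # $1=major $2=sr $3=fp
  req=$(min_level "$1") || return 2
  set -- "$2" "$3" $req             # $1=sr $2=fp $3=min_sr $4=min_fp
  [ "$1" -gt "$3" ] && return 0
  [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ] && return 0
  return 1
}

# Constructed sample output (not captured from a real system) for a stand-alone run.
SAMPLE='java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr10fp25-20180430_01(SR10 FP25))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64)'
if printf '%s\n' "$SAMPLE" | jre_is_fixed; then
  echo "sample JRE is at or above the required level"
else
  echo "sample JRE needs upgrading, or its version output could not be parsed"
fi
```

Run it against both JRE paths the procedure touches (/opt/pcm/jre and /opt/pcm/web-portal/jre/linux-x86_64), since the 4.2.x procedure replaces both.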

CPE Name| Operator| Version
—|—|—
platform cluster manager| eq| any
