Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0195EF9270C92B580690607B214E8A9EAB1DF3E5DC94EF6452F5250A541EC1F4
HistoryJul 08, 2021 - 9:30 p.m.

Security Bulletin:Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java does not protect against CVE-2018-1656 and CVE-2018-12539

2021-07-0821:30:52
www.ibm.com
21
ibm java runtime environment
eclipse openj9
security vulnerabilities
update required
path traversal
java attach api
elevated privileges
ibm infosphere optim performance manager

EPSS

0.002

Percentile

58.5%

JSON

Summary

The IBM Java Runtime Environment’s Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. And Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.

Vulnerability Details

CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment’s Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Attack Vector: Local

CVEID: CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148389 for the current score
CVSS Environmental Score*: Undefined
CVSS Attack Vector: Local

Affected Products and Versions

IBM and Eclipse Foundation OpenJ9 0.8

IBM SDK, Java Technology Edition 6.0,7.0,8.0

Remediation/Fixes

You must replace the IBM® Runtime Environment, Java™ Technology Edition that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows with the latest IBM® Runtime Environment, Java™ Technology Edition. Detailed instructions are provided in the tech-note: “Updating the IBM Runtime Environment, Java™ Technology Edition for InfoSphere Optim Performance Manager

Workarounds and Mitigations

N/A

Related

ibm 126
nvd 2
cvelist 2
redhatcve 2
veracode 2
prion 2
osv 1
cve 2
ubuntucve 1
nessus 15
redhat 6
openvas 7
aix 1
oracle 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2018-1656, CVE-2018-12539)
2018-11-15 15:50:02
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ
2019-01-03 16:15:01
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects Liberty for Java for IBM Cloud July 2018 CPU
2018-09-28 04:30:01
nvd
nvd
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-1656
2018-08-20 21:29:01
cvelist
cvelist
CVE-2018-12539
2018-08-14 19:00:00
CVE-2018-1656
2018-08-20 21:00:00
redhatcve
redhatcve
CVE-2018-12539
2019-10-10 23:34:49
CVE-2018-1656
2018-08-17 20:49:15
veracode
veracode
Arbitrary Code Execution
2019-01-15 09:24:36
Directory Traversal
2019-05-16 03:24:18
prion
prion
Default configuration
2018-08-14 19:29:00
Path traversal
2018-08-20 21:29:00
osv
osv
CVE-2018-12539
2018-08-14 19:29:00
cve
cve
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-1656
2018-08-20 21:29:01
ubuntucve
ubuntucve
CVE-2018-1656
2018-08-20 00:00:00
nessus
nessus
SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2649-2)
2018-10-22 00:00:00
RHEL 6 : java-1.7.1-ibm (RHSA-2018:2712)
2018-09-18 00:00:00
SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2583-1)
2018-09-04 00:00:00
redhat
redhat
(RHSA-2018:2576) Important: java-1.7.1-ibm security update
2018-08-28 19:07:03
(RHSA-2018:2569) Important: java-1.7.1-ibm security update
2018-08-27 14:10:03
(RHSA-2018:2712) Moderate: java-1.7.1-ibm security update
2018-09-17 14:42:53
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:2649-2)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2574-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2583-1)
2021-06-09 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2018-09-19 08:42:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2019
2019-04-16 00:00:00

EPSS

0.002

Percentile

58.5%

JSON
Related for 0195EF9270C92B580690607B214E8A9EAB1DF3E5DC94EF6452F5250A541EC1F4
ibm126nvd2cvelist2redhatcve2veracode2prion2osv1cve2ubuntucve1nessus15redhat6openvas7aix1oracle1