Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor with Spark

2021-08-02 08:47:37
www.ibm.com

CVSS3: 8.3 High
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS2: 5.8 Medium
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.005 Low (Percentile: 74.1%)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ versions, specifically Version 8 Service Refresh 5 Fix Pack 10 and earlier releases used by IBM Spectrum Conductor with Spark 2.2.0 and 2.2.1. These issues were disclosed as part of the IBM Java SDK updates in April 2018.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for “IBM Java SDK Security Bulletin” located in the “References” section.

CVEID: CVE-2018-2814 DESCRIPTION: An unspecified vulnerability related to the Java SE VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141970> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2794 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2783 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141939> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2799 DESCRIPTION: An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141955> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2798 DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141954> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2797 DESCRIPTION: An unspecified vulnerability related to the Java SE JMX component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141953> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2796 DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141952> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2795 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2800 DESCRIPTION: An unspecified vulnerability related to the Java SE RMI component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141956> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-2790 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141946> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Spectrum Conductor with Spark 2.2.0
IBM Spectrum Conductor with Spark 2.2.1

Remediation/Fixes

Before installation

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator:
    > egosh user logon -u Admin -x Admin
  3. Stop all services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all

Installation

  1. Log on to each host in your cluster (root or sudo to root permission).
  2. Define the CLUSTERADMIN environment variable and set it to any valid operating system user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  3. Upgrade the JRE by using the RPM in this interim fix.
    NOTE: RPM version 4.2.1 or later must be installed on the host. Ensure that you replace dbpath_location in the following RPM commands with the path to your database.
    For IBM Spectrum Conductor with Spark 2.2.0, using Linux x86_64 as an example:
    > mkdir -p /tmp/cws22build498783
    > tar zxof cws-2.2.0.0_x86_64_build498783.tgz -C /tmp/cws22build498783
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws22build498783/egojre-8.0.5.17.x86_64.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, using Linux x86_64 as an example:
    > mkdir -p /tmp/cws221build498785
    > tar zxof cws-2.2.1.0_x86_64_build498785.tgz -C /tmp/cws221build498785
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws221build498785/egojre-8.0.5.17.x86_64.rpm
    The cshrc.jre and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
  4. Source the cluster profile again and start the cluster:
    > egosh ego start all
  5. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Verify the installation

Run the rpm -qa command to verify the installation.

For IBM Spectrum Conductor with Spark 2.2.0, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
egojre-8.0.5.17-498783.x86_64

For IBM Spectrum Conductor with Spark 2.2.1, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
egojre-8.0.5.17-498785.x86_64
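A scripted form of the verification step, added here as an example and not part of IBM's bulletin or product: it inspects the package list that `rpm -qa --dbpath dbpath_location | grep egojre` prints, confirms the fixed egojre build for the given product release (the 2.2.0 and 2.2.1 package names are taken from the bulletin), and flags any other egojre package left in the database, since the uninstall steps show that older egojre RPMs can remain installed alongside the new one. The sample package lists are constructed, and `DBPATH` is an assumed variable holding your dbpath_location.

```shell
#!/bin/sh
# Added example, not IBM's code: check the package list printed by
#   rpm -qa --dbpath <dbpath_location> | grep egojre
# for the JRE fix this bulletin ships, and flag any pre-fix egojre
# package that is still installed.

# expected_egojre <product_version>: print the fixed package (name-version-release
# without the arch suffix) for the given IBM Spectrum Conductor with Spark release.
expected_egojre() {
  case "$1" in
    2.2.0) echo "egojre-8.0.5.17-498783" ;;
    2.2.1) echo "egojre-8.0.5.17-498785" ;;
    *) return 1 ;;
  esac
}

# check_egojre <product_version> <package_list>: return 0 only if the
# expected fixed package is present and no other egojre package remains.
check_egojre() {
  version="$1"; pkgs="$2"
  want=$(expected_egojre "$version") || { echo "unknown product version: $version"; return 1; }
  status=0
  if ! printf '%s\n' "$pkgs" | grep -Fq -- "${want}."; then
    echo "MISSING: $want is not installed"; status=1
  fi
  # Any other egojre package is a leftover, pre-fix JRE that still needs removal.
  leftover=$(printf '%s\n' "$pkgs" | grep '^egojre-' | grep -Fv -- "${want}." || true)
  if [ -n "$leftover" ]; then
    echo "LEFTOVER: $leftover"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: $want is installed"
  return "$status"
}

# Constructed sample package lists (not captured from a real host; the
# 8.0.5.10 build number 000000 is a placeholder for an affected, pre-fix JRE).
SAMPLE_FIXED="egojre-8.0.5.17-498783.x86_64"
SAMPLE_OLD="egojre-8.0.5.10-000000.x86_64"
SAMPLE_MIXED="$SAMPLE_OLD
$SAMPLE_FIXED"

# Real use on a host (DBPATH is your dbpath_location):
#   check_egojre 2.2.0 "$(rpm -qa --dbpath "$DBPATH" | grep egojre)"
```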

Uninstallation (if required)

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator:
    > egosh user logon -u Admin -x Admin
  3. Stop services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all
  4. Log on to each host in your cluster (root or sudo to root permission).
  5. Define the CLUSTERADMIN environment variable and set it to any valid operating system user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  6. Uninstall the existing JRE and then install the old JRE.
    NOTE: RPM version 4.2.1 or later must be installed on the host.
    Ensure that you replace dbpath_location in the following RPM commands with the path to your database.
    For IBM Spectrum Conductor with Spark 2.2.0, enter:
    > rpm -e egojre-8.0.5.17-498783.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre rpm, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the old JRE:
    > mkdir -p /tmp/extract22
    > cws-2.2.0.0_x86_64.bin --extract /tmp/extract22
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract22/egojre-*.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, enter:
    > rpm -e egojre-8.0.5.17-498785.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre rpm, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the old JRE:
    > mkdir -p /tmp/extract221
    > cws-2.2.1.0_x86_64.bin --extract /tmp/extract221
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract221/egojre-*.rpm
  7. Source the cluster profile and start the cluster:
    > egosh ego start all
  8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Packages

Product | VRMF | APAR | Remediation/First Fix
IBM Spectrum Conductor with Spark | 2.2.0 | P102673 | egojre-8.0.5.17.x86_64.rpm, egojre-8.0.5.17.ppc64le.rpm: http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2-build498783&includeSupersedes=0
IBM Spectrum Conductor with Spark | 2.2.1 | P102673 | egojre-8.0.5.17.x86_64.rpm, egojre-8.0.5.17.ppc64le.rpm: http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2.1-build498785&includeSupersedes=0

Workarounds and Mitigations

None
