Lucene search

K
ibmIBM0ACDC7CDDEE06F34F2256DD048A556D53156ACF793ADBE3C9ED53FEEE712EF49
HistoryDec 21, 2018 - 11:10 a.m.

Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime affect IBM® Intelligent Operations Center products

2018-12-2111:10:01
www.ibm.com
4

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6, 7, and 8, and IBM® Runtime Environment Java™, Versions 6, 7, and 8 that are used by IBM® Intelligent Operations Center, IBM® Intelligent Operations Center for Emergency Management, and IBM® Water Operations for Waternamics. IBM® Intelligent Operations Center has addressed the applicable CVEs.

Vulnerability Details

If you run your own Java™ code using the IBM® Java™ JRE that is delivered with this product, you should evaluate your code to determine whether additional Java™ vulnerabilities are applicable to your code.

CVE IDs: CVE-2018-2964 CVE-2018-2973 CVE-2018-2940 CVE-2018-2952 CVE-2018-1656 CVE-2018-1517 CVE-2018-2579 CVE-2018-2588 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 CVE-2018-2602 CVE-2018-2599 CVE-2018-2603 CVE-2018-2629 CVE-2018-2657 CVE-2018-2618 CVE-2018-2641 CVE-2018-2582 CVE-2018-2634 CVE-2018-2637 CVE-2018-2633 CVE-2018-2638 CVE-2018-2639 CVE-2018-2783 CVE-2018-2800

CVEID: CVE-2018-2964 DESCRIPTION: An unspecified vulnerability related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146827 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2973 DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2940 DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2952 DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors…
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146815 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java Runtime Environment’s Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-1517 DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology Edition may allow an attacker to inflict a denial-of-service attack with specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2579 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2588 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit LDAP component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2663 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2677 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded AWT component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2678 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137933 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2602 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded I18N component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-2599 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2018-2603 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2629 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JGSS component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137880 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2657 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137910 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2618 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-2641 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded AWT component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137893 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2582 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2634 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-2637 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JMX component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2633 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2638 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2639 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2783 DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u161 and 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
CVSS Base Score: 7.4 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2800 DESCRIPTION: Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
CVSS Base Score: 4.2 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Principal Product and Versions

| Affected Supporting Products and Versions
—|—
IBM® Intelligent Operations Center V1.6.0 - V5.1.0.14 |

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 55 and earlier releases

IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 55 and earlier releases

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15 and earlier releases

IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 15 and earlier releases

IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 7 and earlier releases

IBM® Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6
IBM® Water Operations for Waternamics V5.1 - V5.2.1.1

Remediation/Fixes

IBM® Intelligent Operations Center and related products use IBM® WebSphere Application Server, IBM® WebSphere Application Server Liberty Profile, IBM® Db2, IBM® Installation Manager, IBM® WebSphere MQ, and Cognos®, which use the affected IBM® Java™ SDK and IBM® Java™ JRE versions.

The fix for this issue is available in IBM® Intelligent Operations Center version 5.2 on Passport Advantage.

The following areas may require remediation using the information provided in the listed security bulletins:

Area Security Bulletins
Data server for IBM® Intelligent Operations Center V5.1 - V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V5.1 - V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®

CVE(s): CVE-2018-2783, CVE-2018-2794

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®

CVE(s): CVE-2018-2579, CVE-2018-2678, CVE-2018-2618, CVE-2018-2602

Application server for IBM® Intelligent Operations Center V5.1 - V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V5.1 - V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2018 CPU

CVE(s): CVE-2018-1656, CVE-2018-12539

IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2018 CPU

CVE(s): CVE-2018-2783, CVE-2018-2800

Analytics server for IBM® Intelligent Operations Center V5.1 - V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V5.1- V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2018 CPU

CVE(s): CVE-2018-1656, CVE-2018-12539

IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2018 CPU

CVE(s): CVE-2018-2783, CVE-2018-2800

IBM® WebSphere® MQ used by IBM® Intelligent Operations Center V5.1 - V5.1.0.14 and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ

CVE(s): CVE-2018-2799, CVE-2018-2798, CVE-2018-2797, CVE-2018-2796, CVE-2018-2795, CVE-2018-2794, CVE-2018-2814, CVE-2018-2783, CVE-2018-2790

IBM® Business Process Manager used by IBM® Intelligent Operations Center V1.6.0 - V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer used in IBM Business Process Manager

CVE(s): CVE-2018-2633, CVE-2018-2637, CVE-2018-2603, CVE-2018-2602, CVE-2018-2579

Cognos® used by IBM® Intelligent Operations Center V1.6.0 -V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple vulnerabilities in IBM Cognos Business intelligence affect Rational Insight

CVE(s): CVE-2017-3735, CVE-2017-3736, CVE-2018-0739, CVE-2017-3737, CVE-2017-7525, CVE-2017-12624, CVE-2017-15095, CVE-2018-1413, CVE-2018-2579, CVE-2018-2588, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678, CVE-2018-2599, CVE-2018-2603, CVE-2018-2657, CVE-2018-2618, CVE-2018-2634, CVE-2018-2637, CVE-2018-2800, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2783, CVE-2018-2814, CVE-2018-2790

IBM® Installation Manager used by IBM® Intelligent Operations Center V1.6.0 - V5.1.0.14, IBM® Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6, and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 |

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility

CVE(s): CVE-2018-2814, CVE-2018-2783

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility

CVE(s): CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2633

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility

CVE(s): CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-2183

IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2016-5597)

IBM® SPSS® Analytic Server used by IBM® Intelligent Operations Center V5.1 - V5.1.0.14 and IBM® Water Operations for Waternamics V5.1 - V5.2.1.1 | IBM Security Bulletin: Vulnerability in IBM® Java SDK affects IBM SPSS Analytic Server (CVE-2018-2602, CVE-2018-2634)

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of successful attacks by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for 0ACDC7CDDEE06F34F2256DD048A556D53156ACF793ADBE3C9ED53FEEE712EF49