History: Aug 19, 2022 - 11:26 p.m.

Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Productivity Center (CVE-2015-2590)

www.ibm.com

CVSS2: 10 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
  • CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.024 Low (Percentile: 89.8%)

Summary

Vulnerability CVE-2015-2590 exists in IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.5 and earlier that is shipped with Tivoli Storage Productivity Center for download and use with its Java WebStart GUI.

Vulnerability Details

CVEID: CVE-2015-2590
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.5 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:

  • Tivoli Storage Productivity Center 5.2.0 through 5.2.6
  • Tivoli Storage Productivity Center 5.1.0 through 5.1.1.8
  • Tivoli Storage Productivity Center 4.2.0 through 4.2.2.195

IBM® Runtime Environment Java™ Technology Edition, Version 5.0.16.11 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:

  • Tivoli Storage Productivity Center 4.1.x
  • TotalStorage Productivity Center 3.3.x

The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the versions listed above installed.

Note:
The Tivoli Storage Productivity Center server component is not directly affected. However, the affected versions listed above provide an interface to download the affected IBM® Runtime Environment Java™ Technology Edition. If you did not download and install this IBM® Runtime Environment Java™ Technology Edition on any systems, such as is required for the Tivoli Storage Productivity Center GUI that launches using Java WebStart, you are not affected and do not need to apply a fix.
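
To inventory client systems for the JRE levels listed above, a check like the following can be run over collected version strings. It is an added example, not part of IBM's bulletin; the `(SRnn FPnn)` layout assumed for `java -version` output and the sample lines are constructed for illustration.

```python
import re

# Highest affected (service refresh, fix pack) per Java major version, taken
# from the bulletin text: 6.0.16.5 and earlier, 5.0.16.11 and earlier.
LAST_AFFECTED = {6: (16, 5), 5: (16, 11)}

_DOTTED = re.compile(r"^(\d+)\.0\.(\d+)\.(\d+)$")   # e.g. 6.0.16.5
_MAJOR = re.compile(r'version "1\.(\d+)\.')          # e.g. java version "1.6.0"
_SRFP = re.compile(r"\(SR(\d+)(?: FP(\d+))?\)")      # assumed build-string suffix

# Constructed sample `java -version` output (not captured from a real system).
SAMPLE_AFFECTED = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr16fp5-20150602_01(SR16 FP5))'''
SAMPLE_REPLACED = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr16fp7-20150708_01(SR16 FP7))'''


def parse_level(text):
    """Return (major, service_refresh, fix_pack), or None if unrecognised."""
    m = _DOTTED.match(text.strip())
    if m:
        return tuple(int(g) for g in m.groups())
    major, srfp = _MAJOR.search(text), _SRFP.search(text)
    if not (major and srfp):
        return None
    # A build string with no fix pack, e.g. "(SR16)", counts as fix pack 0.
    return (int(major.group(1)), int(srfp.group(1)), int(srfp.group(2) or 0))


def is_affected(text):
    """True/False for Java 5 and 6 levels; None if the bulletin does not cover it."""
    level = parse_level(text)
    if level is None or level[0] not in LAST_AFFECTED:
        return None
    return level[1:] <= LAST_AFFECTED[level[0]]


if __name__ == "__main__":
    for label, sample in [("affected sample", SAMPLE_AFFECTED),
                          ("replaced sample", SAMPLE_REPLACED),
                          ("dotted level", "5.0.16.11")]:
        print(label, parse_level(sample), "affected:", is_affected(sample))
```

A result of `None` means the string was not recognised or names a Java version this bulletin does not list, so it needs manual review rather than being treated as unaffected.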

Remediation/Fixes

The solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product and execute the manual steps listed below. The solution should be implemented as soon as practicable.

If you have downloaded and installed an affected IBM® Runtime Environment Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 or earlier from any version of Tivoli Storage Productivity Center, this interim fix provides a replacement package. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.

Note: It is always recommended to have a current backup before applying any update procedure.

Affected TPC Version   APAR      Fixed TPC Version
5.2.x                  IT10634   5.2.7 -OR- 5.2-TIV-TPC-JRE-6SR16FP7
5.1.x                  IT10634   5.1.1.9 (target October 2015) -OR- 5.1-TIV-TPC-JRE-6SR16FP7
4.2.x                  IT10635   4.2.2 FP10 -OR- 4.2-TIV-TPC-JRE-6SR16FP7

For Tivoli Storage Productivity Center V3.x and V4.1.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None
