Dec 22, 2020 - 6:18 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Synergy

2020-12-22 18:18:53
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.0.10.40 and Version 8.0.5.35 used by Rational Synergy versions 7.2.1.0 to 7.2.1.7. Rational Synergy has addressed the applicable CVEs.

Vulnerability Details

Rational Synergy has addressed the following:

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin”, located in the References section for more information.

CVEID: CVE-2019-7317
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a use-after-free in png_image_free in png.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156548> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2769
DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163832> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2762
DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163826> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2816
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163878> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2019-2786
DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163849> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)

CVEID: CVE-2019-2766
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163829> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-11772
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in the String.getBytes method. An attacker could exploit this vulnerability to corrupt memory and write to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163990> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11775
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an error where the loop versioner fails to privatize a value that is pulled out of the loop by versioning. An attacker could exploit this vulnerability to corrupt memory and trigger an out-of-array-bounds and perform invalid actions.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164479> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4473
DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163984> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11771
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163989> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-2989
**DESCRIPTION:** An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169295> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID: CVE-2019-2958
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169264> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-2975
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Scripting component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169281> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2019-2999
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Javadoc component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169305> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-2992
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169298> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2988
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169294> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2981
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169287> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2973
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169279> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2962
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169268> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2964
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/169270> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Rational Synergy 7.2.1.0 to 7.2.1.7.

Remediation/Fixes

Product: Rational Synergy
VRMF: 7.2.1.0 to 7.2.1.7
APAR: None
Remediation/First Fix: Upgrade to Rational Synergy 7.2.2 from IBM Passport Advantage and apply it.

NOTE:

Download the Rational Synergy 7.2.2 installation image by referring to the installation platform and its part number in the following list:

  • IBM Rational Synergy V7.2.2 Linux Informix Multilingual (CC5T9ML)
  • IBM Rational Synergy V7.2.2 Linux Oracle Multilingual (CC5TAML)
  • IBM Rational Synergy V7.2.2 Windows Informix Multilingual (CC5TBML)

For Rational Synergy 7.1.0.x IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None.
