Aug 03, 2018 - 4:23 a.m.

Security Bulletin: One vulnerability in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, v5.0.2, v5.0.2.1, v5.0.3, v5.0.4, v5.0.4.1 (CVE-2017-10356)

2018-08-03 04:23:43
www.ibm.com

EPSS: 0.001 (Percentile: 44.7%)

Summary

There is one vulnerability in the following versions of IBM® SDK Java™ Technology Edition, which affects IBM® Application Delivery Intelligence (ADI):
- Version 7.1, which is used by ADI v1.0.1, v1.0.1.1, v1.0.2, v5.0.2, v5.0.2.1, and v5.0.3.
- Version 8.0, which is used by ADI v5.0.4 and v5.0.4.1.
This issue was disclosed as part of the IBM Java SDK updates in Oct 2017.

Vulnerability Details

CVEID: CVE-2017-10356
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact by using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, v5.0.2, v5.0.2.1, v5.0.3, v5.0.4, and v5.0.4.1

Remediation/Fixes

You need to complete the following steps to apply the fix:
1. Stop the server. Navigate to the unzipped-archive/adi/server directory and run this script: server.shutdown (the script will also shut down the Elasticsearch server and service for ADI v5.0.4 or later versions).
2. Delete the jre directory from unzipped-archive/server/jre.
3. (Optional) Upgrade the JRE used by Elasticsearch. This applies only to ADI v5.0.4 and later versions.

  1. Delete the jre directory from unzipped-archive/elasticsearch/java.
  2. Download adi-ibm-java-jre-8.0-5.10, unzip it and copy the jre directory to unzipped-archive/elasticsearch/java.
  • ADI-IBM-JRE-8.0-5.10 download links:

    Windows:
    http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-8.0-5.10-win-x86_64&source=SAR
    Linux:
    http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-8.0-5.10-linux-x86_64&source=SAR

4. Download adi-ibm-java-jre-7.1-4.20, unzip it and copy the jre directory to unzipped-archive/server (you are providing the jre directory that you deleted in step 2).

  • ADI-IBM-JRE-7.1-4.20 download links:

    Windows:
    http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.20-win-x86_64&source=SAR
    Linux:
    http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Application+Delivery+Intelligence&fixids=adi-ibm-java-jre-7.1-4.20-linux-x86&source=SAR

5. Start the server. Navigate to the unzipped-archive/adi/server directory and run this script: server.startup (the script will also start the Elasticsearch server and service).