IBM21D21B6B900E74036C37AA6199307658F5132BE9091971C8994946E3A890EE51Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum LSF Analytics
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
There are multiple vulnerabilities in IBM®Runtime Environment Java™Version 7 used by IBM Spectrum LSF Analytics. IBM Spectrum LSF Analytics has addressed the applicable CVEs.
Vulnerability Details
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, see “IBM Java SDK Security Bulletin” in the References section for more information.
CVEID: CVE-2019-7317 DESCRIPTION: libpng is vulnerable to a denial of service, caused by a use-after-free in png_image_free in png.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156548> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2769 DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163832> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2762 DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163826> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2816 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163878> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-2786 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163849> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)
CVEID: CVE-2019-2766 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163829> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-11772 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in the String.getBytes method. An attacker could exploit this vulnerability to corrupt memory and write to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163990> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11775 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an error where the loop versioner fails to privatize a value that is pulled out of the loop by versioning. An attacker could exploit this vulnerability to corrupt memory and trigger an out-of-array-bounds and perform invalid actions.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164479> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-4473 DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163984> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11771 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163989> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Spectrum LSF Analytics 9.1.4
Remediation/Fixes
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| Spectrum LSF Analytics | 9.1.4 | None |
1. Download IBM JRE 7 (7.0-10.50) from: <http://www.ibm.com/support/fixcentral> by keyword ‘Runtimes for Java Technology’. (The following steps use x86_64 as an example.)
2. Copy JRE package into the Analytics Server host and Analytics Node host(s).
3. On the Analytics Server host, stop pats, pars, and parb services.
4. On the Analytics Server host, extract new JRE files and replace old JRE files in the following directories:
#{ANALYTICS_SERVER_TOP}\jre
#{ANALYTICS_SERVER_TOP}\report\jre
Where ANALYTICS_SERVER_TOP describes the top-level IBM Spectrum LSF Analytics
server installation directory.
5. On the Analytics Server host, start pats, pars, and parb services on demand.
6. On the Analytics Node host, stop plc services.
7. On the Analytics Node host, extract new JRE files and replace old JRE files in the following directory:
#{ANALYTICS_NODE_TOP}/jre/#{ARCH}/
Where ANALYTICS_NODE_TOP describes the top-level IBM Spectrum LSF Analytics
node installation directory. ARCH describes the architecture of Analytics Node host.
E.g. linux-x86_64
8. On the Analytics Node host, start plc service.
Workarounds and Mitigations
None.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm spectrum lsf analytics | eq | any |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P