Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Streams (CVE-2016-0466, CVE-2016-0448)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16 Fix Pack 21 and earlier releases.

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the Reference section for more information.

Vulnerability Details

CVEID: CVE-2016-0466**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-0448**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

• IBM InfoSphere Streams Version 1.2.1.0
• IBM InfoSphere Streams Version 2.0.0.4 and earlier
• IBM InfoSphere Streams Version 3.0.0.5 and earlier
• IBM InfoSphere Streams Version 3.1.0.7 and earlier
• IBM InfoSphere Streams Version 3.2.1.4 and earlier
• IBM InfoSphere Streams Version 4.0.1.1 and earlier
• IBM Streams Version 4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

• Version 4.1.1:
  • Apply 4.1.1 Fix Pack 1 (4.1.1.1) or higher.
• Version 4.0.1:
  • Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
• Version 3.2.1:
  • Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
• Version 3.1.0:
  • Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
• Version 3.0.0:
  • Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
• Versions 1.2 and 2.0:
  • For version 1.x and 2.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.

IMPORTANT NOTE: If JAVA_HOME is set ensure it points to the install location of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME set to a different location will need to be recompiled after JAVA_HOME has been changed. For more information on compiling with JAVA_HOME set see the Notes section on the page at the following URL: http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

Workarounds and Mitigations

None.