Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime

Summary

This bulletin covers all applicable Java SE CVEs published by OpenJDK as part of their July 2022 Vulnerability Advisory. For more information please refer to OpenJDK’s July 2022 Vulnerability Advisory and the X-Force database entries referenced below.

Vulnerability Details

CVEID:CVE-2022-34169
**DESCRIPTION:**The Apache Xalan Java XSLT library could allow a remote attacker to execute arbitrary code on the system, caused by an integer truncation issue when processing malicious XSLT stylesheets. By using specially crafted XSLT stylesheets, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231488 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2022-21549
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231575 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

8.0.302.0 - 8.0.332.0
11.0.12.0 - 11.0.15.0
17.0.1.0 - 17.0.3.0
18.0.1.0 - 18.0.1.1

For detailed information on which CVEs affect which releases, please refer to the IBM Semeru Runtimes Security Vulnerabilities page.

Remediation/Fixes

8.0.345.0
11.0.16.0
17.0.4.0
18.0.2.0

IBM Semeru Runtime releases can be downloaded from the IBM Semeru Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

APAR numbers are as follows:

IJ41485 (CVE-2022-34169)
IJ41486 (CVE-2022-21549)

Workarounds and Mitigations

None