Security Bulletin: A vulnerability in Eclipse Jetty affects the IBM InfoSphere Information Server installers

2018-06-16 14:17:34
www.ibm.com
EPSS: 0.003
Percentile: 69.6%

Summary

A vulnerability in Eclipse Jetty was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2017-9735
DESCRIPTION: Jetty could allow a remote attacker to obtain sensitive information, caused by a timing channel flaw in util/security/Password.java. By observing elapsed times before rejection of incorrect passwords, an attacker could exploit this vulnerability to obtain access information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127842 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
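
The class of flaw described above, shown as an added Java example (not code from Jetty, IBM, or this bulletin; the class and method names are hypothetical and the credential is a constructed sample). The early-exit comparison examines more characters the longer the matching prefix is, while the hardened form hashes both values to a fixed length and compares them with `MessageDigest.isEqual`, which examines every byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added illustration only; not Jetty's Password.java. All names are hypothetical. */
public class CredentialCompare {

    /**
     * Early-exit comparison. Returns the number of characters examined before
     * the decision was made, so the data-dependent amount of work is visible.
     */
    static int leakyCompareSteps(String stored, String supplied) {
        int steps = 0;
        if (stored.length() != supplied.length()) {
            return steps; // rejected before any character is examined
        }
        for (int i = 0; i < stored.length(); i++) {
            steps++;
            if (stored.charAt(i) != supplied.charAt(i)) {
                return steps; // stops at the first mismatch
            }
        }
        return steps;
    }

    /** Hardened form: fixed-length digests compared without an early exit. */
    static boolean constantTimeEquals(String stored, String supplied) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            // digest() resets the instance, so it can be reused for the second value.
            byte[] a = sha.digest(stored.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha.digest(supplied.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b); // examines all 32 bytes
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        String stored = "s3cr3t-constructed"; // constructed sample value
        String[] supplied = {"x3cr3t-constructed", "s3cr3t-constructex", stored};
        for (String s : supplied) {
            System.out.printf("%-20s steps=%2d constantTimeEquals=%b%n",
                    s, leakyCompareSteps(stored, s), constantTimeEquals(stored, s));
        }
    }
}
```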

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, and 11.5
IBM InfoSphere Information Server on Cloud version 11.5

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| InfoSphere Information Server, Information Server on Cloud | 11.5 | JR58248 | Update to the latest Updater for 11.5 before applying any patch |
| InfoSphere Information Server | 11.3 | JR58248 | Update to the latest Updater for 11.3 before applying any patch |
| InfoSphere Business Server | 9.1 | JR58248 | Upgrade to a new release where the issue has been fixed |

Contact Technical Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.

Workarounds and Mitigations

None