Security Bulletin: Security vulnerabilities affecting IBM InfoSphere Optim Performance Manager (CVE-2015-1916, CVE-2015-0488)

Summary

This advisory covers all the issues disclosed by Oracle in their April 2015 Critical Patch Update (CPU), plus additional CVEs which are specific to the IBM JRE/SDK.

Vulnerability Details

CVE-2015-1916_ _ Description: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.

CVSS Base Score: 5.00
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVE-2015-0488 Description: An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.

CVSS Base Score: 5.00
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected Products and Versions

IBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 4.1 through 5.3

Remediation/Fixes

OPM Version

| Download URL
—|—
4.1 - 5.1.1.1| Replace JRE (V6 SR16-Fix Pack 4)
5.2 – 5.3.1| Replace JRE (V7 SR9)

You must replace the IBM® Runtime Environment, Java™ Technology Edition that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows with the latest IBM® Runtime Environment, Java™ Technology Edition. Detailed instructions are provided in the tech-note: __“Updating the __IBM Runtime Environment, Java™ Technology Edition__ for InfoSphere Optim Performance Manager__”.

Workarounds and Mitigations

None