## Summary
IBM Java SDK is shipped as a component of WebSphere Application Server Community Edition 3.0.0.4. Information about a security vulnerability affecting IBM Java SDK has been published in a security bulletin.
## Vulnerability Details
Please consult the security bulletin [_IBM Java SDK security bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>) for vulnerability details and information about fixes.
## Affected Products and Versions
Principal Product and Version(s) | Affected Supporting Product and Version
---|---
WebSphere Application Server Community Edition 3.0.0.4 | IBM SDK for Java 6, 7
## Get Notified about Future Security Bulletins
Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
### References
[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> "Link resides outside of ibm.com" )
[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> "Link resides outside of ibm.com" )
[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" )
[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" )
## Related Information
[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)
## Change History
12/22/2012: Init the draft
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
## Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
[{"Product":{"code":"SS6JMN","label":"WebSphere Application Server Community Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.0.0.4","Edition":"Entry;Enhanced;Elite","Line of Business":{"code":"LOB45","label":"Automation"}}]
{"id": "2F2BBFAEC1BB5EF79F4455AE27E64E320D178223B4BC8CFFB570BC37F614E68A", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "A security vulnerability has been identified in IBM Java SDK shipped with WebSphere Application Server Community Edition(CVE-2015-4872 CVE-2015-5006)", "description": "## Summary\n\nIBM Java SDK is shipped as a component of WebSphere Application Server Community Edition 3.0.0.4. Information about a security vulnerability affecting IBM Java SDK has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_IBM Java SDK security bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| \nAffected Supporting Product and Version \n---|--- \nWebSphere Application Server Community Edition 3.0.0.4| IBM SDK for Java 6, 7 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n12/22/2012: Init the draft\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS6JMN\",\"label\":\"WebSphere Application Server Community Edition\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.0.0.4\",\"Edition\":\"Entry;Enhanced;Elite\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "published": "2018-06-15T07:04:30", "modified": "2018-06-15T07:04:30", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.ibm.com/support/pages/node/537607", "reporter": "IBM", "references": [], "cvelist": ["CVE-2015-4872", "CVE-2015-5006"], "immutableFields": [], "lastseen": "2022-06-28T22:02:45", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "aix", "idList": ["JAVA_OCT2015_ADVISORY.ASC"]}, {"type": "amazon", "idList": ["ALAS-2015-605", "ALAS-2015-606", "ALAS-2015-616"]}, {"type": "archlinux", "idList": ["ASA-201510-15", "ASA-201510-16", "ASA-201510-17", "ASA-201510-18", "ASA-201510-19", "ASA-201510-20"]}, {"type": "centos", "idList": ["CESA-2015:1919", "CESA-2015:1920", "CESA-2015:1921", "CESA-2015:2086"]}, {"type": "cve", "idList": ["CVE-2015-4872", "CVE-2015-5006"]}, {"type": "debian", "idList": ["DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-1:4656D", "DEBIAN:DSA-3381-2:F5B92"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2015-4872"]}, {"type": "f5", "idList": ["F5:K93203055", "SOL93203055"]}, {"type": "freebsd", "idList": ["A5934BA8-A376-11E5-85E9-14DAE9D210B8"]}, {"type": "gentoo", "idList": ["GLSA-201603-11", "GLSA-201603-14"]}, {"type": "ibm", "idList": 
["024EB2AF336C591D6F8FB4B5D6CCFF7784B248A43430546267B59D8ECA8907E7", "031CA5D81D0F7BE4ECF57E23143A60E8C0DBA24053F9E728A6E12ABE37C72BF9", "10EF79AC52F94215AAE9A9390071778FDE4F6F8BF449438F29D04F1AC5201E39", "116CC00D5265D0FFFA8CE1B360264EF9FF95784E6C2C3F0019DE1DB74C6E9A89", "144C23662992641D90EB9C4F112C9AEC35AB69E760D70E39C29768CFAD97B56F", "1565697A60668A5CFBD3459C81D80D388EEFB2A097DA479EEA4C247D8016FF5F", "15909728814912171C33B02A0D72299D6DCEA6D2A39B5691C097CA86BB86C024", "19A3587788FC0724B696A0B0C63467FC0F63CBAE6B6B8505750C944E934042FC", "1F85DC40CCAC6193560C222233AFB88DDF301441A0F168CFDF21B3B88DF3BD1F", "245644ACD5BEB28C229BEA9479968403DF841BCB92D18DCCEBD4671EB2954D21", "294DB5E80D9BAF9919E7296FBF0D1F03EAAB0B4AED6C2E5EE31303FC017174F3", "3F0A86B9112F51C3B6A64183B5DCE227004E4FE8195B2CB6E060CDFA713A7026", "45D7F713B9C5C46EDBAD74FCCBC0F57FC042E9600BC85798BB56C1BF42AF2F03", "4BDD04259F9C817EF33E7639EDCC30564F0ABAA50D4ED30F0FA95C97C713937C", "4E95B5EB959CBE5490B90287812FD445A690A3158E83D37882EADCE4A7BCD44F", "537C6D5AB87E83C60FB14762388F0A746DFE1C4977ECE943492A36A3E17E504D", "53BCED365DBEB703C2EFA096921C6D5C691C8BAAB477F9F6CC2E22BBE5BE60BF", "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "5E09374F40B97F0189CAFDE91D8E1470F388A35D810B06708FD4EFC5DF5A1CA3", "5E3F2AA797C0DBBFE4FB4AD1FF5D8903589E4BB7DE390B11EEA3B7C52A0130F6", "62FA119440300E05EA5D80AA62190B5FE6478BA2FA552C2F6886A970B9311184", "64A319721BCD5C45FE57AF618AA40445A09DBA9F41D614384B72F65F556F6799", "67578E30259856437D267C1A3D6E2CF49BDE0DF9BE42CAA71809801A7935BE9A", "6C3276D773A29D1F10A39BA6B166184CEB01561E7FE5829CB3D29DBDA9328964", "7050868C4E43344032EEEC3BD66165B3495441215B8697E295343464376234CA", "7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "83F6DE1F56CBBBC340354AE2C6DB43997FA85BE8EDDFBF5367DC01A5F749DDFE", "87091D73D87236B8291DDE4935885E4B78DAEDDFC8E41010FB22D12BAB28A13B", 
"89110ABC25F6D47E30A7065527D32DED0588DB619219C340BCD7477553C82B04", "98D8175CC40843C4987C50867E7F92F99FC38F49750FFF31645FE6C72E890C19", "AACF6F6443D6B1F43A3B1EB2158C0974A7E3740F82735809A14DB68D406E34ED", "AF42BD53008E43A8F60AC336AAB63B4B1D9D0A7242D5CAF18118E642576D4117", "B089D6624B337C26D2541212B8B23D273724A834252AF85205DE0B455D554555", "B313494090BD6646936BBA966F9EA9258676693E16E6E2DB399C69B9C2D5D78D", "B666EC6C0BD4BE5CA16CBCF49F043C9E29F3715F1DF3ABE11300D1257417FBA7", "BB0EB38A592AB2649D1917AF112EE190EA4BF664AC07FB1463EA8F39EE61007D", "C08F98925DE99F3533B5821C7E8B3E78F1D3EC0E0CD323A7007D0AC3A3652492", "C524E188F1AD4B77D33D58D9EA8EE1C9CD8A2218160491F47EF6425DE23EBDEE", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D395E7DA5532733EF1D6D92AC4C7C2D1C9B09220E7762FBD28142A6837623D00", "D6FE0421F38EF266E6BA74C0093333F29D655A4C7A7BC7E8B0712362B8BC9F13", "DCEF1EAD4FB55EB159F072650EDDC9C85C5715A429B7B3B466EF3251A3AE9340", "E432D69FD747FEBA35F4B0BF60914AF5A4926D2D00F81B81D0023873400BEE1C", "E5618F1355FE1087914A5F703FE4C5F1F47F585AA5B966FB1A6CF40C889A56B1", "EFD27A09FAD3929BC2D3FE35B560A96CB07B7861AE219E0737F433220EA65AC7", "F6CF75F885C8ACB4B02719CD9377D583D38D5807B662456BBACFE07218EDDF34", "FC4C804F44282D78247FA90BC4C8C855819430A02725094AC97DBD89D0227589", "FCBE194563589DFF9606D62F884B470E8FE64EC32ECEF7BF7F3E11951F8D3E8F"]}, {"type": "mageia", "idList": ["MGASA-2015-0412"]}, {"type": "nessus", "idList": ["700652.PRM", "9352.PRM", "AIX_JAVA_OCT2015_ADVISORY.NASL", "ALA_ALAS-2015-605.NASL", "ALA_ALAS-2015-606.NASL", "ALA_ALAS-2015-616.NASL", "CENTOS_RHSA-2015-1919.NASL", "CENTOS_RHSA-2015-1920.NASL", "CENTOS_RHSA-2015-1921.NASL", "CENTOS_RHSA-2015-2086.NASL", "DEBIAN_DLA-346.NASL", "DEBIAN_DSA-3381.NASL", "FREEBSD_PKG_A5934BA8A37611E585E914DAE9D210B8.NASL", "GENTOO_GLSA-201603-11.NASL", "GENTOO_GLSA-201603-14.NASL", "OPENSUSE-2015-695.NASL", "OPENSUSE-2015-696.NASL", "OPENSUSE-2015-697.NASL", "OPENSUSE-2015-736.NASL", "OPENSUSE-2016-106.NASL", 
"ORACLELINUX_ELSA-2015-1919.NASL", "ORACLELINUX_ELSA-2015-1920.NASL", "ORACLELINUX_ELSA-2015-1921.NASL", "ORACLELINUX_ELSA-2015-2086.NASL", "ORACLE_JAVA_CPU_OCT_2015.NASL", "ORACLE_JAVA_CPU_OCT_2015_UNIX.NASL", "ORACLE_JROCKIT_CPU_OCT_2015.NASL", "REDHAT-RHSA-2015-1919.NASL", "REDHAT-RHSA-2015-1920.NASL", "REDHAT-RHSA-2015-1921.NASL", "REDHAT-RHSA-2015-1926.NASL", "REDHAT-RHSA-2015-1927.NASL", "REDHAT-RHSA-2015-1928.NASL", "REDHAT-RHSA-2015-2086.NASL", "REDHAT-RHSA-2015-2506.NASL", "REDHAT-RHSA-2015-2507.NASL", "REDHAT-RHSA-2015-2508.NASL", "REDHAT-RHSA-2015-2509.NASL", "REDHAT-RHSA-2015-2518.NASL", "REDHAT-RHSA-2016-1430.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20151118_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SUSE_SU-2015-1874-1.NASL", "SUSE_SU-2015-1874-2.NASL", "SUSE_SU-2015-1875-1.NASL", "SUSE_SU-2015-1875-2.NASL", "SUSE_SU-2015-2166-1.NASL", "SUSE_SU-2015-2168-1.NASL", "SUSE_SU-2015-2168-2.NASL", "SUSE_SU-2015-2182-1.NASL", "SUSE_SU-2015-2192-1.NASL", "SUSE_SU-2015-2216-1.NASL", "SUSE_SU-2015-2268-1.NASL", "SUSE_SU-2016-0113-1.NASL", "UBUNTU_USN-2784-1.NASL", "UBUNTU_USN-2827-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108399", "OPENVAS:1361412562310120595", "OPENVAS:1361412562310120596", "OPENVAS:1361412562310120606", "OPENVAS:1361412562310121453", "OPENVAS:1361412562310121456", "OPENVAS:1361412562310122716", "OPENVAS:1361412562310122717", "OPENVAS:1361412562310122718", "OPENVAS:1361412562310122736", "OPENVAS:1361412562310131101", "OPENVAS:1361412562310703381", "OPENVAS:1361412562310806512", "OPENVAS:1361412562310842507", "OPENVAS:1361412562310842548", "OPENVAS:1361412562310851122", "OPENVAS:1361412562310851123", "OPENVAS:1361412562310851124", "OPENVAS:1361412562310851126", "OPENVAS:1361412562310851128", "OPENVAS:1361412562310851137", "OPENVAS:1361412562310851182", "OPENVAS:1361412562310851185", "OPENVAS:1361412562310871461", 
"OPENVAS:1361412562310871462", "OPENVAS:1361412562310871463", "OPENVAS:1361412562310871474", "OPENVAS:1361412562310882300", "OPENVAS:1361412562310882301", "OPENVAS:1361412562310882302", "OPENVAS:1361412562310882303", "OPENVAS:1361412562310882304", "OPENVAS:703381"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-1919", "ELSA-2015-1920", "ELSA-2015-1921", "ELSA-2015-2086"]}, {"type": "osv", "idList": ["OSV:DLA-346-1", "OSV:DSA-3381-1", "OSV:DSA-3465-1"]}, {"type": "redhat", "idList": ["RHSA-2015:1919", "RHSA-2015:1920", "RHSA-2015:1921", "RHSA-2015:1926", "RHSA-2015:1927", "RHSA-2015:1928", "RHSA-2015:2086", "RHSA-2015:2506", "RHSA-2015:2507", "RHSA-2015:2508", "RHSA-2015:2509", "RHSA-2015:2518", "RHSA-2016:1430"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14755"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2015:1902-1", "OPENSUSE-SU-2015:1905-1", "OPENSUSE-SU-2015:1906-1", "OPENSUSE-SU-2015:1971-1", "OPENSUSE-SU-2016:0270-1", "SUSE-SU-2015:1874-1", "SUSE-SU-2015:1874-2", "SUSE-SU-2015:1875-1", "SUSE-SU-2015:1875-2", "SUSE-SU-2015:2166-1", "SUSE-SU-2015:2168-1", "SUSE-SU-2015:2168-2", "SUSE-SU-2015:2182-1", "SUSE-SU-2015:2192-1", "SUSE-SU-2015:2216-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2016:0113-1"]}, {"type": "ubuntu", "idList": ["USN-2784-1", "USN-2827-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-4872"]}]}, "score": {"value": 0.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201510-19"]}, {"type": "centos", "idList": ["CESA-2015:1919", "CESA-2015:1920", "CESA-2015:1921", "CESA-2015:2086"]}, {"type": "cve", "idList": ["CVE-2015-4872", "CVE-2015-5006"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3381-1:4656D", "DEBIAN:DSA-3381-2:F5B92"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2015-4872"]}, {"type": "f5", "idList": ["SOL93203055"]}, {"type": "freebsd", "idList": ["A5934BA8-A376-11E5-85E9-14DAE9D210B8"]}, {"type": "gentoo", "idList": ["GLSA-201603-14"]}, {"type": "ibm", "idList": 
["031CA5D81D0F7BE4ECF57E23143A60E8C0DBA24053F9E728A6E12ABE37C72BF9", "1565697A60668A5CFBD3459C81D80D388EEFB2A097DA479EEA4C247D8016FF5F", "5E3F2AA797C0DBBFE4FB4AD1FF5D8903589E4BB7DE390B11EEA3B7C52A0130F6", "C524E188F1AD4B77D33D58D9EA8EE1C9CD8A2218160491F47EF6425DE23EBDEE", "DCEF1EAD4FB55EB159F072650EDDC9C85C5715A429B7B3B466EF3251A3AE9340"]}, {"type": "nessus", "idList": ["700652.PRM", "ALA_ALAS-2015-616.NASL", "CENTOS_RHSA-2015-1919.NASL", "OPENSUSE-2015-697.NASL", "OPENSUSE-2015-736.NASL", "REDHAT-RHSA-2015-1919.NASL", "SUSE_SU-2015-2166-1.NASL", "SUSE_SU-2015-2216-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310703381", "OPENVAS:1361412562310871461", "OPENVAS:1361412562310871474"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2015"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-1919"]}, {"type": "redhat", "idList": ["RHSA-2015:1921"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14755"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2015:1906-1", "SUSE-SU-2015:2182-1"]}, {"type": "ubuntu", "idList": ["USN-2827-1"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "WebSphere Application Server Community Edition", "version": 3}]}, "vulnersScore": 0.6}, "_state": {"dependencies": 1662399945, "score": 1662400137, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "6937a598016c31bb0b8ef5b21faef31d"}, "affectedSoftware": [{"name": "WebSphere Application Server Community Edition", "version": "3.0.0.4", "operator": "eq"}]}
{"ibm": [{"lastseen": "2022-10-01T01:30:44", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Aviation, Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, IBM Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 
\nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 6.1 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 6.1 \nTivoli Asset Management for IT 7.1 \nTivoli Service Request Manager 7.1 \nChange and Configuration Management Database 7.1| IBM WebSphere Application Server 6.1 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n25 November 2015: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSLKT6\",\"label\":\"IBM Maximo Asset Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"7.1;7.1.1;7.5;7.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSWT9A\",\"label\":\"IBM Control Desk\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.5;7.5.1;7.5.1.1;7.5.1.2;7.5.3;7.6.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSWDVU\",\"label\":\"IBM TRIRIGA Energy Optimization\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSWK4A\",\"label\":\"Maximo Asset Management Essentials\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.5;7.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSU3T4\",\"label\":\"Maximo Asset Management for Energy Optimization\"},\"Business 
Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSMQTP\",\"label\":\"Maximo for Government\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.1.1;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSLL84\",\"label\":\"Maximo for Life Sciences\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1.2;7.5;7.1.0;7.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSLL8M\",\"label\":\"Maximo for Nuclear Power\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.5;7.5.1;7.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSLL9G\",\"label\":\"Maximo for Oil and Gas\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1.2;7.5;7.5.1;7.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSLL9Z\",\"label\":\"Maximo for Transportation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1.0;7.1.1;7.5;7.5.1;7.6.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability 
Software\"}},{\"Product\":{\"code\":\"SSLLAM\",\"label\":\"Maximo for Utilities\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1.1;7.1.2;7.5;7.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSLKTY\",\"label\":\"Maximo Asset Management for IT\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.1.1;7.2;7.2.1;7.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSKTXT\",\"label\":\"Tivoli Change and Configuration Management Database\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.1.1;7.2;7.2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SS6HJK\",\"label\":\"Tivoli Service Request Manager\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.1;7.2;7.2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SS5RRF\",\"label\":\"IBM Maximo for Aviation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"7.6;7.6.1;7.6.2;7.6.2.1;7.6.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server shipped 
with Asset and Service Management (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2022-09-22T03:02:31", "id": "B63DEF4194A0B1970AC0929C76BF42976F452DD870422CDFC513107B2CE93BF6", "href": "https://www.ibm.com/support/pages/node/272613", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-28T22:03:40", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as components of IBM Service Delivery Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nReview security bulletin [_Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server October 2015 CPU_](<http://www.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Service Delivery Manager 7.2.4| WebSphere Application Server 6.1.0.37. \nIBM Service Delivery Manager 7.2.2| WebSphere Application Server 6.1.0.29. \nIBM Service Delivery Manager 7.2.1| WebSphere Application Server 6.1.0.23. 
\n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n* 12 January 2016: Original copy published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. 
Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSBH2C\",\"label\":\"IBM Service Delivery Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.1;7.2.2;7.2.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-17T22:32:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in WebSphere Application Server shipped with IBM Service Delivery Manager (CVE-2015-4872, CVE-2015-4734 and CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-06-17T22:32:51", "id": "D6FE0421F38EF266E6BA74C0093333F29D655A4C7A7BC7E8B0712362B8BC9F13", "href": "https://www.ibm.com/support/pages/node/619239", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-28T22:06:56", "description": "## Summary\n\nIBM WebSphere Application Server is used as a component of 
IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n \nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2015 Critical Patch Update and an additional vulnerability which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK and WebSphere Application Server, but IBM Emptoris products are not vulnerable to them. \n \n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.0.4 \nIBM Emptoris Program Management 10.0.0 through 10.0.4 \nIBM Emptoris Sourcing 10.0.0 through 10.0.4 \nIBM Emptoris Spend Analysis 10.0.0 through 10.0.4 \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.0.4 \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.0.4 \nIBM Emptoris Services Procurement 10.0.0\n\n## Remediation/Fixes\n\nAn interim fix has been issued for the IBM WebSphere Application Server (WAS) which 
will upgrade the IBM Java Development Kit to a version which is not susceptible to this vulnerability. Customers running any of the IBM Emptoris products listed above should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris applications. See [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) for more details on upgrade versions. \n \nSelect the appropriate WebSphere Application Server fix based on the version being used for IBM Emptoris product version. The following table lists the IBM Emptoris application versions along with the corresponding required version of IBM WebSphere Application Server and a link to the corresponding fix version where further installation instructions are provided. \n \n \n\n\nEmptoris Product Version| WAS Version| Interim Fix \n---|---|--- \n9.5.x.x| 8.0.0.x| [_PI51442_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041264>) \n10.0.0.x, 10.0.1.x| 8.5.0.x| [_PI51440_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041271>) \n10.0.2.x, 10.0.3.x, 10.0.4.x, 10.1| 8.5.5.x| [_PI51440_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041271>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete 
CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[IBM SDK Java Technology Edition Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14th Dec 2015 - Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. 
\"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Platform\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI 
Applications\"}},{\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {}, "published": "2018-06-16T19:49:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server used with IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement products (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-06-16T19:49:59", "id": "C08F98925DE99F3533B5821C7E8B3E78F1D3EC0E0CD323A7007D0AC3A3652492", "href": 
"https://www.ibm.com/support/pages/node/273657", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-07T01:39:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by Tivoli Netcool/OMNIbus. These were disclosed as part of the IBM Java SDK updates in October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>) \n**DESCRIPTION:** An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>) \n**DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.3.0 \nTivoli Netcool/OMNIbus 7.3.1 \nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus | 7.3.0.16| IV78816| <http://www-01.ibm.com/support/docview.wss?uid=swg24039352> \nOMNIbus| 7.3.1.15| IV78816| <http://www-01.ibm.com/support/docview.wss?uid=swg24041381> \nOMNIbus| 7.4.0.9| IV78816| <http://www-01.ibm.com/support/docview.wss?uid=swg24041382> \nOMNIbus | 8.1.0.6| IV78816| <http://www-01.ibm.com/support/docview.wss?uid=swg24041385> \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_Complete CVSS v3 Guide_](<http://www.first.org/cvss/user-guide>) \n[_On-line Calculator v3_](<http://www.first.org/cvss/calculator/3.0>) \n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n29 January 2016: Original version published\n\n*The CVSS Environment Score is customer 
environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSSHTQ\",\"label\":\"Tivoli Netcool\\/OMNIbus\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.4.0;7.3.1;7.3.0;8.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-17T15:15:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-06-17T15:15:50", "id": "5E3F2AA797C0DBBFE4FB4AD1FF5D8903589E4BB7DE390B11EEA3B7C52A0130F6", "href": "https://www.ibm.com/support/pages/node/538877", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-28T22:05:45", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details and information about fixes. Note that interim fix PI51440 and PI51439 can be applied to the current 8.5.0.1 Full Profile of IBM WebSphere Application server; it is not necessary to upgrade to the latest fix pack level for IBM WebSphere Application Server (8.5.5.1 or 8.5.5.2) and then apply the interim fix. 
\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.3| IBM WebSphere Application Server 8.5.5.4 Full Profile \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n19 January 2016: Original Version Published \n6 April 2016: Add affected FastBack version 6.1.12.2 \n17 June 2016: Add affected FastBack version 6.1.12.3\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS9NU9\",\"label\":\"Tivoli Storage Manager FastBack\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.1;6.1.1;6.1.2;6.1.3;6.1.4;6.1.5;6.1.6;6.1.7;6.1.8;6.1.9;6.1.10;6.1.11;6.1.12\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {}, "published": "2018-06-17T15:14:32", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-06-17T15:14:32", "id": "45D7F713B9C5C46EDBAD74FCCBC0F57FC042E9600BC85798BB56C1BF42AF2F03", "href": "https://www.ibm.com/support/pages/node/274557", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-28T22:04:18", "description": "## Summary\n\nWebSphere Application Server is shipped as components of Tivoli Service Automation Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nReview security bulletin [Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server October 2015 CPU](<http://www.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nTivoli Service Automation Manager 7.2.1 through 7.2.4 | WebSphere Application Server 6.1.0.0 through 6.1.0.47. \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n* 14 December 2015: Original copy published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSFG5E\",\"label\":\"Tivoli Service Automation Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.1;7.2.2;7.2.3;7.2.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-17T22:32:49", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli Service Automation Manager (CVE-2015-4872, CVE-2015-4734 and CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006"], "modified": "2018-06-17T22:32:49", "id": "294DB5E80D9BAF9919E7296FBF0D1F03EAAB0B4AED6C2E5EE31303FC017174F3", "href": "https://www.ibm.com/support/pages/node/609179", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-01T01:31:17", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Process Server. 
Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins \n\n * [Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21966837>)\n * [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21969620>)\n * [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>)\n \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n * WebSphere Process Server 7.0.x\n * WebSphere Process Server Hypervisor Editions V7.0\n\n \nGeneral support for WebSphere Process Server ended 2015-04-30. Hypervisor editions were in support until 2015-09-30. You are strongly advised to upgrade to a supported product such as IBM Business Process Manager Advanced Edition.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n2015-11-20 - initial version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSQH9M\",\"label\":\"WebSphere Process Server\"},\"ARM Category\":[{\"code\":\"\",\"label\":\"\"}],\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.0.0.5;7.0.0.4;7.0.0.3;7.0.0.2;7.0.0.1;7.0\"},{\"Line of 
Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSS8PZ\",\"label\":\"WebSphere Process Server Hypervisor Edition\"},\"ARM Category\":[{\"code\":\"\",\"label\":\"\"}],\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.0\"},{\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSS8PZ\",\"label\":\"WebSphere Process Server Hypervisor Edition\"},\"ARM Category\":[{\"code\":\"\",\"label\":\"\"}],\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.0\"},{\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSS8PZ\",\"label\":\"WebSphere Process Server Hypervisor Edition\"},\"ARM Category\":[{\"code\":\"\",\"label\":\"\"}],\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"7.0\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T18:47:15", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with WebSphere Process Server (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006", "CVE-2015-7450"], "modified": "2022-09-15T18:47:15", "id": "2AA98F262EB695D2458A3ED4EC4F0E7090EB4CE4B2F0F815EF828CF974F2C44B", "href": "https://www.ibm.com/support/pages/node/270853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-02T21:37:07", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Intelligent Operations Center and related products. Oracle released the October 2015 critical patch updates which contain multiple fixes for security vulnerabilities in the IBM Java Development Kit that is included with IBM WebSphere Application Server.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition](<http://www.ibm.com/support/docview.wss?uid=swg21969225>) for vulnerability details and information about fixes.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the 
Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Internal Use Only\n\nRTC 100882\n\n[{\"Product\":{\"code\":\"SS3NGB\",\"label\":\"IBM Intelligent Operations Center\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.5;1.5.0.1;1.5.0.2;1.6;1.6.0.1;1.6.0.2;1.6.0.3;5.1;5.1.0.1;5.1.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSTMV4\",\"label\":\"IBM Intelligent Transportation\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"1.6.1;1.6;1.5.0;1.0.1.3;1.0.1.2;1.0.1.1;1.0.1;1.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SS7QZZ\",\"label\":\"IBM Intelligent Water\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"1.6.1.1;1.6.1;1.6.0;1.5.1;1.5.0.2;1.5.0.1;1.5.0;1.0.0;1.6.1.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}},{\"Product\":{\"code\":\"SSR3XR\",\"label\":\"IBM Intelligent Operations Center for Emergency Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" 
\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.6;5.1;5.1.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Intelligent Operations Center products (Java Technology Edition CPU Oct 2015 - Includes Oracle Oct 2015 CPU + CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-5006"], "modified": "2022-08-19T21:04:31", "id": "A373A3D46EEF36B85AECAD8DB2610988E5D09242F046BBAE1566CEFBFB65389A", "href": "https://www.ibm.com/support/pages/node/272129", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-28T22:13:10", "description": "## Summary\n\nThere is a vulnerability in IBM Java Runtime Version 7 that is used by WebSphere DataPower XC10 Appliance Versions 2.1 and 2.5. These issues were disclosed as part of the IBM Java SDK updates in October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance Version 2.1 \nWebSphere DataPower XC10 Appliance Version 2.5\n\n## Remediation/Fixes\n\nApply an interim fix, according to the table below.** **Interim fixes are associated with the original APAR that is documented in the table. Because these APAR references might be updated to more recent APARs, see the links in the table for the most recent interim fix information. \n \n\n\n_Product_| _Version_| _APAR_| _Link to interim fix_ \n---|---|---|--- \nWebSphere DataPower XC10 Appliance V2.1 on appliance 9235-92X| 2.1| IT12365| Refer to the **Version 2.1** table in[ Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.1 on appliance 7199-92X| 2.1| IT12365| Refer to the** Version 2.1** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.5 on appliance 7199-92X \n| Version 2.5 with SSD drivers ** \nImportant**: See More Information link and follow instructions to determine if you have an old or newer SSD driver on your appliance using the show ssd-version command.| IT12365| Refer to the **Version 2.5** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.5 virtual image| 2.5| IT12365| Refer to the** Version 2.5** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). 
\n \n## Workarounds and Mitigations\n\nThere is no workaround. The interim fix must be applied to correct the problem.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 Dec 2015: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSS8GR\",\"label\":\"WebSphere DataPower XC10 Appliance\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"General\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"2.5;2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:04:27", "type": "ibm", "title": "Security Bulletin: A security vulnerability exist in the IBM SDK, Java Technology Edition provided with WebSphere DataPower XC10 Appliance", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-15T07:04:27", "id": "E5618F1355FE1087914A5F703FE4C5F1F47F585AA5B966FB1A6CF40C889A56B1", "href": "https://www.ibm.com/support/pages/node/274181", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-09-26T13:50:50", "description": "## Summary\n\nThere is a vulnerability in IBM Runtime Environment Java Technology Edition, Version 6 that affects IBM Cognos Business Viewpoint. These issues were disclosed as part of the IBM Java SDK updates in October 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM Cognos Business Viewpoint 10.1 FP1 \nIBM Cognos Business Viewpoint 10.1.1 FP2\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix in one of the 10.1.x versions listed as soon as practical. 
\nCognos Business Viewpoint 10.1 and Cognos Business Viewpoint 10.1.1 downloads \n \nIBM Cognos Business Viewpoint 10.1.0 FP1 IF7 Windows \n<http://www.ibm.com/support/docview.wss?uid=swg24041685> \n \nIBM Cognos Business Viewpoint 10.1.1 FP2 IF6 Windows \n<http://www.ibm.com/support/docview.wss?uid=swg24041685>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSWRXS\",\"label\":\"Cognos 8 Business Viewpoint\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Business Viewpoint\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.1.1;10.1\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2020-02-13T23:52:21", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime Version 6 affects IBM Cognos Business Viewpoint (CVE-2015-4872 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2020-02-13T23:52:21", "id": "A35661CCCDFD9CD1B23AD86D68D08425CB4CBFEC6C19D51D1A323A103F35554A", "href": "https://www.ibm.com/support/pages/node/540551", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:15:15", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 and 7R1 that is used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID**: [**CVE-2015-4872**](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \nDESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107361> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM MessageSight 1.2 and 1.1\n\n## Remediation/Fixes\n\n`Product`\n\n| `VMRM`| `APAR`| `First Fix` \n---|---|---|--- \n`IBM MessageSight`| `1.2`| `IT12295`| `1.2.0.3-IBM-IMA-IF``IT12295` \n \n| `1.1`| `IT12620 `| `1.1.0.1-IBM-IMA-``IFIT12620 ` \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web 
Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n09 December 2015: original document published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSCGGQ\",\"label\":\"IBM MessageSight\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.1;1.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-17T15:14:12", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-17T15:14:12", "id": "B313494090BD6646936BBA966F9EA9258676693E16E6E2DB399C69B9C2D5D78D", "href": "https://www.ibm.com/support/pages/node/274091", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:14:28", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition Version 6 that is used by IBM Workload Deployer. The issue was disclosed as part of the IBM Java SDK updates in October 2015. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Workload Deployer version 3.1 and later\n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Workload Deployer fix: \n \nUpgrade the IBM Workload Deployer to the following fix level or higher: \n \n\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \nIBM Workload Deployer System| Release V3.1.0.7| V3.1.0.7 Interim fix10 or higher, \n \n[_http://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix10-IBM_Workload_Deployer&includeRequisites=1&includeSupersedes=0_](<http://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix10-IBM_Workload_Deployer&includeRequisites=1&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## 
Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n05 April 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSZ6WM\",\"label\":\"IBM Workload Deployer\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"3.1.0.7\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB15\",\"label\":\"Integration\"}}]", "cvss3": {}, "published": "2018-06-15T07:05:23", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-15T07:05:23", "id": "C524E188F1AD4B77D33D58D9EA8EE1C9CD8A2218160491F47EF6425DE23EBDEE", "href": "https://www.ibm.com/support/pages/node/547305", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:09:24", "description": "## Summary\n\nThere is a vulnerability in IBM Java Runtime Versions 6 and 7 that is used by WebSphere eXtreme Scale. 
These issues were disclosed as part of the IBM Java SDK updates in October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale 7.1.0 \n\nWebSphere eXtreme Scale 7.1.1\n\nWebSphere eXtreme Scale 8.5\n\nWebSphere eXtreme Scale 8.6\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_WebSphere eXtreme Scale_| 7.1| _PI53280_| Refer to the **Version 7.1** table in the [Recommended Fixes page for WebSphere eXtreme Scale](<http://www-01.ibm.com/support/docview.wss?uid=swg27018991>). \n_WebSphere eXtreme Scale_| 7.1.1 \n\n8.5\n\n8.6\n\n| _PI53295_| Refer to the **Version 7.1.1**, **8.5**, or **8.6** table in the [Recommended Fixes page for WebSphere eXtreme Scale](<http://www-01.ibm.com/support/docview.wss?uid=swg27018991>). \n \n## Workarounds and Mitigations\n\nNo workaround exists. If you are running WebSphere eXtreme Scale standalone, apply the appropriate fix from the previous table. 
If you are running WebSphere eXtreme Scale clients or servers that are embedded in WebSphere Application Server, apply the appropriate fix for WebSphere Application Server, which is described here: **_<https://www-304.ibm.com/support/docview.wss?uid=swg21962931>_**\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 Dec 2015: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSTVLU\",\"label\":\"WebSphere eXtreme Scale\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"General\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.6;8.5;7.1.1;7.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:04:27", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java Runtime affects WebSphere eXtreme Scale", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-15T07:04:27", "id": "15909728814912171C33B02A0D72299D6DCEA6D2A39B5691C097CA86BB86C024", "href": "https://www.ibm.com/support/pages/node/274179", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:14:07", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by IBM QuickFile. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\nIBM QuickFile 1.1.0.1\n\n## Remediation/Fixes\n\nContact Support and request the fix package to be published for you on the ECuRep server.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\niFix 11\n\n[{\"Product\":{\"code\":\"SSBKPW\",\"label\":\"IBM QuickFile\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.1.0.1;1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {}, "published": "2018-06-16T19:59:25", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM QuickFile (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-16T19:59:25", "id": "144C23662992641D90EB9C4F112C9AEC35AB69E760D70E39C29768CFAD97B56F", "href": "https://www.ibm.com/support/pages/node/543041", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7SR8 that is used by Rational Automation Framework. This issue was disclosed as part of the IBM Java SDK updates in October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nRational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2.x, 3.0.1.3.x on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to [RAF 3.0.1.3 ifix6](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Automation+Framework&release=3.0.1.3i6&platform=All&function=all>) or later.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n03 March 2016 Original Version Published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\nPSIRT 63931 for the advisory 4021\n\n[{\"Product\":{\"code\":\"SSWJ96\",\"label\":\"Rational Automation Framework\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"General Information\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.0.1;3.0.1.1;3.0.1.2;3.0.1.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-17T05:10:30", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affect Rational Automation Framework (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": 
"2018-06-17T05:10:30", "id": "B666EC6C0BD4BE5CA16CBCF49F043C9E29F3715F1DF3ABE11300D1257417FBA7", "href": "https://www.ibm.com/support/pages/node/543809", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-12-05T17:35:38", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and 8 that are used in IBM License Metric Tool v9, IBM Endpoint Manager for Software Use Analysis v2.2 and IBM BigFix Inventory v9. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM License Metric Tool v9 \nIBM Endpoint Manager for Software Use Analysis v2.2 \n\nIBM BigFix Inventory v9\n\n## Remediation/Fixes\n\nIBM License Metric Tool v9 and IBM BigFix Inventory v9: \n\n * Upgrade to v9.2.3.0 or later, manually or with a fixlet.\n \nIBM Endpoint Manager for Software Use Analysis v2.2: \n\n * Verify that your IBM Software Inventory site is at least version 69.\n * Run fixlet \"Java update (1.6 SR16 FP15)\" against the machine hosting your IBM Endpoint Manager for Software Use Analysis v2.2 server.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support 
alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.0;9.0.1;9.1;9.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-08-19T23:26:06", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM License Metric Tool v9, IBM Endpoint Manager for Software Use Analysis v2.2 and IBM BigFix Inventory v9 (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2022-08-19T23:26:06", "id": "4BDD04259F9C817EF33E7639EDCC30564F0ABAA50D4ED30F0FA95C97C713937C", "href": "https://www.ibm.com/support/pages/node/544251", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-07T05:37:21", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and 8, that is used by IBM Standards Processing Engine and IBM Transformation Extender Advanced. This issue was disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\nIBM Standards Processing Engine version 8.5.1.1 (common component 2.0.1.1) \n\nIBM Transformation Extender Advanced version 9.0.0.0\n\n## Remediation/Fixes\n\nProduct| VRMF| Remediation/First Fix \n---|---|--- \nIBM Standards Processing Engine| 8.5.1.1| 8.5.1.2 (2.0.1.2 for common component) available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fStandards+Processing+Engine>) \nIBM Transformation Extender Advanced| 9.0.0.0| 9.0.0.1 available on Passport Advantage \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSDF7K\",\"label\":\"IBM Transformation Extender Advanced\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"9.0;8.5.1.1;2.0.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-05-15T12:11:44", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK affects IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2022-05-15T12:11:44", "id": "87091D73D87236B8291DDE4935885E4B78DAEDDFC8E41010FB22D12BAB28A13B", "href": "https://www.ibm.com/support/pages/node/542315", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T21:59:24", "description": "## Summary\n\nIBM Java SDK is shipped as a component of IBM DB2 Recovery Expert for Linux, UNIX, and Windows . Information about a security vulnerability affecting IBM Java SDK has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nIBM DB2 Recovery Expert for Linux, UNIX, and Windows versions 3.1 through 4.1 \n\n## Remediation/Fixes\n\nReplace existing JRE with JRE V7 SR9-Fix Pack 1 ([_http://www-01.ibm.com/support/docview.wss?uid=swg21639279_](<http://www-01.ibm.com/support/docview.wss?uid=swg21639279>)). 
\n\nYou can replace the IBM Runtime Environment, Java\u2122 Technology Edition that is installed with IBM DB2 Recovery Expert for Linux, UNIX, and Windows with the latest IBM Runtime Environment, Java\u2122 Technology Edition following the detailed instructions provided in the tech-note \"[_Updating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows_](<http://www-01.ibm.com/support/docview.wss?uid=swg21644942>)\". \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 February 2016\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS8QJD\",\"label\":\"DB2 Recovery Expert for Linux, UNIX and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.1.0;3.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2018-06-16T13:38:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM DB2 Recovery Expert for Linux, UNIX, and Windows (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-16T13:38:33", "id": "B089D6624B337C26D2541212B8B23D273724A834252AF85205DE0B455D554555", "href": "https://www.ibm.com/support/pages/node/540879", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-09-27T14:03:33", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 7.0.5.0 and 6.0.14.0, that are used by Sterling Connect:Direct FTP+. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \n** \nDESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107361> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct FTP+ 1.3.0\n\n## Remediation/Fixes\n\n**V.R.M**| **APAR**| **Remediation** \n---|---|--- \n1.3.0| IT14195, IT14554| For all platforms except for HP-UX on Itanium, apply 1.3.0 Fix002, available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+FTP+Plus&release=1.3.0.0&platform=All&function=fixId&fixids=1.3.0*iFix002*&includeSupersedes=0>). For HP-UX on Itanium, apply 1.3.0 Fix003, available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+FTP+Plus&release=1.3.0.0&platform=All&function=fixId&fixids=1.3.0*iFix003*&includeSupersedes=0>). \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n01 April 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/bulletin/#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS3KMW\",\"label\":\"IBM Sterling Connect:Direct FTP+\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.3.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Connect:Direct FTP+ (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2020-07-24T22:49:37", "id": "53BCED365DBEB703C2EFA096921C6D5C691C8BAAB477F9F6CC2E22BBE5BE60BF", "href": "https://www.ibm.com/support/pages/node/545743", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:14:16", "description": "## Summary\n\nA vulnerability exists in IBM Runtime 
Environment Java Technology Edition, Version 6 that is used by eDiscovery Analyzer. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n \n \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\n \nIBM eDiscovery Analyzer 2.2 \nIBM eDiscovery Analyzer 2.2.1 \nIBM eDiscovery Analyzer 2.2.2\n\n## Remediation/Fixes\n\n_Product_\n\n| \n_VRMF_| \n_APAR_| \n_Remediation/First Fix_ \n---|---|---|--- \n \nIBM eDiscovery Manager| \n2.2| \nNone| \nsee work around \n \nIBM eDiscovery Manager| \n2.2.1| \nNone| \nsee work around \n \nIBM eDiscovery Manager| \n2.2.2| \nNone| 
[](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=2.2.2.2&platform=All&function=fixId&fixids=2.2.2.2-EDA-AIX-IF0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)[http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=2.2.2.2&platform=All&function=fixId&fixids=2.2.2.2-EDA-AIX-IF0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=2.2.2.2&platform=All&function=fixId&fixids=2.2.2.2-EDA-AIX-IF0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nand \n[http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=2.2.2.2&platform=All&function=fixId&fixids=2.2.2.2-EDA-WIN-IF0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/InfoSphere+eDiscovery+Analyzer&release=2.2.2.2&platform=All&function=fixId&fixids=2.2.2.2-EDA-WIN-IF0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nMitigation is to upgrade to fixed stream: 2.2.2. 
\nPlease refer to [_http://www.ibm.com/support/knowledgecenter/en/SSJKLP_2.2.2/com.ibm.eda.doc/edain001.html_](<http://www.ibm.com/support/knowledgecenter/en/SSJKLP_2.2.2/com.ibm.eda.doc/edain001.html>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n \n[_IBM Secure Engineering Web Portal_](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nMay 23, 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSJKLP\",\"label\":\"eDiscovery Analyzer\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.2.2;2.2.1;2.2.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2018-06-17T12:15:49", "type": "ibm", "title": "Security Bulletin: A Vulnerability in IBM Java SDK affect eDiscovery Analyzer (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-17T12:15:49", "id": "98D8175CC40843C4987C50867E7F92F99FC38F49750FFF31645FE6C72E890C19", "href": "https://www.ibm.com/support/pages/node/280233", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:08:23", "description": "## Summary\n\nIBM Java SDK is shipped as a component of IBM Data Studio, InfoSphere Data Architect, InfoSphere Optim Query Workload Tuner for Linux, UNIX and Windows, and InfoSphere Optim Query Workload Tuner for z/OS. Information about a security vulnerability affecting IBM Java SDK has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Data Studio client 4.1.2 and earlier \nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW 4.1.1 and earlier \nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS 4.1.1 and earlier \nIBM InfoSphere Data Architect 9.1.3 and earlier\n\n## Remediation/Fixes\n\nEach affected product and version requires the upgrade of the IBM SDK, Java Technology Edition that is installed with the client. 
Install one of the following IBM Java SDK versions: \n\n\n * IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 20 and subsequent releases\n * IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 20 and subsequent releases\n * IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 15 and subsequent releases\n * IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 15 and subsequent releases \n \n**Product**| **Version**| **IBM SDK** \n---|---|--- \nIBM Data Studio client \n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW\n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS\n\n| 3.1.0, 3.1.1| Replace JRE [(latest JRE V6](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)) \nIBM Data Studio client \n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for LUW\n\nIBM InfoSphere Optim Query Workload Tuner for DB2 for z/OS\n\n| 3.2, 4.1.0, 4.1.0.1, 4.1.1, 4.1.2| Replace JRE ([latest JRE V7](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)) \nInfoSphere Data Architect| 7.6, 8.1| Replace JRE [(latest JRE V6](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)) \nInfoSphere Data Architect| 8.5, 9.1, 9.1.1, 9.1.2, 9.1.3| Replace JRE ([latest JRE V7](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)) \n \n \nDetailed instructions are provided in the tech-note \u201c[Updating the IBM SDK, Java Technology Edition for Optim Data Server Tools Desktop Products](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)\u201d.[](<http://www-01.ibm.com/support/docview.wss?uid=swg21691806>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator 
v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 January 2016 - Initial Security Bulletin\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS62YD\",\"label\":\"IBM Data Studio\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"General\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.1;3.1.1;3.2;4.1;4.1.0.1;4.1.1.0;4.1.2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SS9UM9\",\"label\":\"InfoSphere Data Architect\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.5.3;7.5.3.1;7.6;8.1;8.5;9.1;9.1.1;9.1.2;9.1.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SS7LB8\",\"label\":\"InfoSphere Optim Query Workload Tuner for DB2 for Linux, UNIX and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.1;3.1.1;3.2;4.1;4.1.0.1;4.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SS7L9Q\",\"label\":\"InfoSphere Optim Query Workload Tuner for DB2 for z\\/OS\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"\",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"3.1;3.1.1;3.2;4.1;4.1.0.1;4.1.1\",\"Edition\":\"\",\"Line of 
Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2018-06-16T13:38:48", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM Data Studio, InfoSphere Data Architect, Optim Query Workload Tuner for Linux, UNIX and Windows, and Optim Query Workload Tuner for z/OS (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-16T13:38:48", "id": "62FA119440300E05EA5D80AA62190B5FE6478BA2FA552C2F6886A970B9311184", "href": "https://www.ibm.com/support/pages/node/541901", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-01T01:52:10", "description": "## Summary\n\nIBM Java SDK is shipped as a component of IBM InfoSphere Optim Performance Manager. Information about a security vulnerability affecting IBM Java SDK has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n4.1 - 5.1.1.1| JRE V6 SR16-Fix Pack 5 or earlier \n5.2 \u2013 5.3.1| JRE V7 SR9-Fix Pack 10 or earlier \n \n## Remediation/Fixes\n\nYou must replace the IBM\u00ae Runtime Environment, Java\u2122 Technology Edition that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows with the latest IBM\u00ae Runtime Environment, Java\u2122 Technology Edition. Detailed instructions are provided in the tech-note: [_\u201cUpdating the IBM Runtime Environment, Java\u2122 Technology Edition for InfoSphere Optim Performance Manager\u201d_](<http://www.ibm.com/support/docview.wss?uid=swg21640535>).\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n02/12/2016: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSBH2R\",\"label\":\"InfoSphere Optim Performance Manager for Db2 for Linux, UNIX, and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF013\",\"label\":\"Inspur K-UX\"}],\"Version\":\"5.3.1;5.3;5.2;5.1.1.1;5.1.1;5.1;4.1.1;4.1.0.1;4.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2021-07-08T21:30:52", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM InfoSphere Optim Performance Manager (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2021-07-08T21:30:52", "id": "024EB2AF336C591D6F8FB4B5D6CCFF7784B248A43430546267B59D8ECA8907E7", "href": "https://www.ibm.com/support/pages/node/273795", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:13:43", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 SR16 FP7 that is used by IBM Cognos Planning. This issue was disclosed as part of the IBM Java SDK updates for October 2015\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Planning 10.1 \n\nIBM Cognos Planning 10.1.1\n\n## Remediation/Fixes\n\nApply fixes, download available at: \n\nCognos Planning 10.1.1 Fix Pack 7:\n\n \n[_http://www-01.ibm.com/support/docview.wss?uid=swg24041772_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041772>) \n \nCognos Planning 10.1 Interim Fix 7: \n[_http://www-01.ibm.com/support/docview.wss?uid=swg24041943_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041943>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web 
Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n16 March 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSPN2D\",\"label\":\"Cognos Planning\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2018-06-15T22:42:46", "type": "ibm", "title": "Security Bulletin: An unspecified vulnerability related to the Security component in IBM Java Runtime affects IBM Cognos Planning (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-15T22:42:46", "id": "5E09374F40B97F0189CAFDE91D8E1470F388A35D810B06708FD4EFC5DF5A1CA3", "href": "https://www.ibm.com/support/pages/node/545113", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:13:11", "description": "## Summary\n\nThere is a security vulnerability in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 5 that is used by IBM Systems Director Storage Control. 
This issue was disclosed as part of the IBM Java updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\nFrom the IBM Systems Director command line enter **smcli lsver** to determine the level of IBM Systems Director installed. \n\n**Affected Product and Version(s)**| **Product and Version shipped as a component** \n---|--- \nIBM System Director Storage Control 4.2.1.0| IBM Systems Director 6.2.1.x \nIBM System Director Storage Control 4.2.1.1| IBM Systems Director 6.3.0.0 \nIBM System Director Storage Control 4.2.2.x| IBM Systems Director 6.3.1.x \nIBM System Director Storage Control 4.2.3.x| IBM Systems Director 6.3.2.x \nIBM System Director Storage Control 4.2.4.x| IBM Systems Director 6.3.3.x \nIBM System Director Storage Control 4.2.6.x| IBM Systems Director 6.3.5.x \nIBM System Director Storage Control 4.2.7.x| IBM Systems Director 6.3.6.x \nIBM System Director Storage Control 4.2.8.x| IBM Systems Director 6.3.7.x \n \n## Remediation/Fixes\n\n**WARNING:** Before installing the fix for this issue on ISD 6.3.5 or 6.3.6, you must install the fix described in Technote [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>) found in the [**_Support Portal_**](<https://www-947.ibm.com/support/entry/portal/support/>). 
\n \nThe base ISD 6.3.7 code contains the fix in Technote [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>) therefore the fix is not needed for 6.3.7. \n \nComplete the fix for this issue for ISD 6.3.5, 6.3.6, and 6.3.7[](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>) by following the instructions in Technote [**_793147997_**](<http://www-01.ibm.com/support/docview.wss?uid=nas75cc6d09c7c17de078625803b0056876b>) which is also found in the [**_Support Portal_**](<https://www-947.ibm.com/support/entry/portal/support/>). \n \nFor IBM Systems Director Storage Control 4.2.1.0 - 4.2.4.x IBM recommends upgrading to a fixed, supported version/release of the product.\n\n## Workarounds and Mitigations\n\nnone \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 October, 2016 : Original version published \n10 November, 2016 : Fix typo in \"Affected Products and Versions\" table \n23 March, 2017 : Add Remediation warning \n26 April, 2017 : Add clarification to Remediation warning\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nAdv 4021 / PRID 64019\n\n[{\"Product\":{\"code\":\"SGZ2Z3\",\"label\":\"IBM Systems Director\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {}, "published": "2018-06-18T01:33:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Systems Director Storage Control (CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2018-06-18T01:33:34", "id": "1565697A60668A5CFBD3459C81D80D388EEFB2A097DA479EEA4C247D8016FF5F", "href": "https://www.ibm.com/support/pages/node/629795", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-01T01:37:43", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8.0.1.10 and earlier that is used by IMS\u2122 Enterprise Suite: SOAP Gateway, Connect API for Java, Explorer for Development. 
This issue was disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \n** \n**DESCRIPTION:** An invalid (too short) RSA key might be accepted under certain circumstances. \nThe fix ensures that invalid RSA keys are rejected correctly. \nThis issue affects Java deployments which use SSL/TLS communication and/or the java.security.cert.CertPath API. The only solution is to upgrade the JRE. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\nExplorer for Development of the IMS\u2122 Enterprise Suite Versions 3.2 and earlier. \nConnect API for Java component of the IMS\u2122 Enterprise Suite Versions 3.2 and earlier. \nThe SOAP Gateway component of the IMS\u2122 Enterprise Suite Versions 3.1 and earlier.\n\n## Remediation/Fixes\n\n**Fixes **\n\n**_Product_**\n\n| \n\n**_VRMF_**\n\n| \n\n**_APAR_**\n\n| **_Download URL_** \n---|---|---|--- \n \n_IMS Enterprise Suite Explorer for Development V3.2_\n\n| \n\n_3.2.1.0_\n\n| \n\n_N/A_\n\n| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) \n \n_IMS Enterprise Suite Connect API for Java V3.1_\n\n| \n\n_3.1.0.8_\n\n| \n\n_N/A_\n\n| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) \nPlease follow the instructions on the download site to get the updated Java. 
\n \n_IMS Enterprise Suite Connect API for Java V3.2_\n\n| \n\n_3.2.0.1_\n\n| \n\n_ _ \n_N/A_\n\n| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) \nPlease follow the instructions on the download site to get the updated Java. \n \n_IMS Enterprise Suite SOAP Gateway V3.1_\n\n| \n\n_3.1.0.4_\n\n| \n\n_N/A_\n\n| [__https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite__](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite>) \nPlease follow the instructions on the download site to get the updated Java. \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 December 2015: Original version published \n29 January 2016: Updated with Connect API for Java information. \n23 February 2016: Updated with SOAP Gateway information.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSGMWY\",\"label\":\"IBM IMS Enterprise Suite for z\\/OS\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {}, "published": "2022-06-01T13:05:44", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affect IMS\u2122 Enterprise Suite: SOAP Gateway, Connect API for Java, Explorer for Development (CVE-2015-4872).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2022-06-01T13:05:44", "id": "BB0EB38A592AB2649D1917AF112EE190EA4BF664AC07FB1463EA8F39EE61007D", "href": "https://www.ibm.com/support/pages/node/273781", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:10:44", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Sterling Control Center. 
These issues were disclosed as part of the IBM Java SDK updates in October 2015 and January 2016. This bulletin also addresses the \u201cSLOTH - Weak MD5 Signature Hash vulnerability\u201d.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n** ** \n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>)** \nDESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. 
\nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415?cm_mc_uid=61889025412014549487477&cm_mc_sid_50200000=1456250599>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM Control Center 6.0.0.0 through 6.0.0.1 iFix03 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix06 \nIBM Sterling Control Center 5.4.1 through 5.4.1.0 iFix03 \nIBM Sterling Control Center 5.4.0 through 5.4.0.1 iFix04 \nIBM Sterling Control Center 5.3.0 through 5.3.0.4 iFix02 \nIBM Sterling Control Center 5.2.0 through 5.2.12 \n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nIBM Control Center| 6.0.0.1| iFix04| [_Fix Central - 6.0.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nSterling Control Center| 5.4.2.1| iFix07| [_Fix Central - 5.4.2.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \nSterling Control Center| 5.4.1| \n| Contact Support and request the fix package to be published for you on the ECuRep server. \nSterling Control Center| 5.4.0| \n| Contact Support and request the fix package to be published for you on the ECuRep server. \nSterling Control Center| 5.3| \n| Contact Support and request the fix package to be published for you on the ECuRep server. \nSterling Control Center| 5.2| \n| Contact Support and request the fix package to be published for you on the ECuRep server. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n25 February 2016: Original version published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.0.1;5.4.2.1;5.4.1;5.4.0.1;5.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": 
"2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affects IBM Control Center (CVE-2015-4872, CVE-2015-7575)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872", "CVE-2015-7575"], "modified": "2019-12-17T22:47:42", "id": "537C6D5AB87E83C60FB14762388F0A746DFE1C4977ECE943492A36A3E17E504D", "href": "https://www.ibm.com/support/pages/node/543185", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:01:45", "description": "## Summary\n\nJazz Team Server is shipped as a component of Jazz Reporting Service. Information about multiple security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin. \n\n## Vulnerability Details\n\n \nConsult the security bulletin [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7575, CVE-2016-0483, etc.)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977347>) for vulnerability details and information about fixes. \n \nIf you have an integrated environment where an IBM Rational product based on IBM's Jazz technology is configured with IBM Cognos Business Intelligence (e.g. 
using ALM Cognos Connector), also consult the [Cognos Business Intelligence 10.2.x interim fixes address a security vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg24041905>).\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nJRS 5.0, 5.0.1 and 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2 \nJRS 6.0, 6.0.1| Jazz Foundation 6.0, 6.0.1 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nPSIRT # 4021 Record # 65896 \nPSIRT # 4587 Record # 69740\n\n[{\"Product\":{\"code\":\"SSTU9C\",\"label\":\"Jazz Reporting Service\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0;6.0.1;5.0;5.0.1;5.0.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T05:07:56", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", 
"CVE-2015-4872", "CVE-2015-4893", "CVE-2015-5006", "CVE-2015-7575", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0483"], "modified": "2018-06-17T05:07:56", "id": "1F85DC40CCAC6193560C222233AFB88DDF301441A0F168CFDF21B3B88DF3BD1F", "href": "https://www.ibm.com/support/pages/node/273921", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T13:49:59", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM\u00ae Runtime Environment Java\u2122 Technology Edition 6 SR16 FP15 (and earlier) used by WebSphere Message Broker and the IBM\u00ae Runtime Environment Java\u2122 Technology Edition 7 SR9 FP20 (and earlier) or 7R1 SR3 FP20 (and earlier) used by IBM Integration Bus. These vulnerabilities were disclosed as part of the IBM Java SDK updates for October 2015\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Integration Bus V9, V10 \n\nWebSphere Message Broker V8\n\nIBM Integration Toolkit V9\n\nWebSphere Message Broker Toolkit V8 \n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Bus \n \n \n| V10 \n \n| IT12305 | The APAR IT13254 supersedes IT12305. Please consult security bulletin <http://www.ibm.com/support/docview.wss?uid=swg21976779> for fix details. \nIBM Integration Bus \n \n \n| V9 \n \n| IT12305 | An interim fix is available from IBM Fix Central for all platforms. \n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12305 ](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=%20IT12305>) \nThe APAR is targeted to be available in fix pack 9.0.0.6 \nWebSphere Message Broker (with APAR IT03599 applied*) \n| V8| IT12305 | An interim fix is available from IBM Fix Central for all platforms. 
\n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars= IT12305 ](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=%20IT12305>) \n \n* For V8.0 users IT12305 is applicable if: \n\\- you have APAR IT03599 applied \n\\- you are using a V8.0 fix pack containing IT03599 \n \nThe APAR is targeted to be available in fix pack 8.0.0.7 \nWebSphere Message Broker (with APAR IT03599 not applied**) \n \n| V8 \n| IT12303 | An interim fix is available from IBM Fix Central for all platforms. \n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303 ](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303>) \n \n** For V8.0 users IT12303 is applicable if: \n\\- you do not have APAR IT03599 applied \n\\- or you are using a V8.0 fix pack which does not contain IT03599 \n \n**_To address Java vulnerabilities in Toolkit_** \n \n**Product**| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Toolkit| V9.0| IT12305| An interim fix is available from IBM Fix Central \n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12305](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=%20IT12305>) \nWebSphere Message Broker \nToolkit| V8.0| IT12303 | An interim fix is available from IBM Fix Central 
\n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303>) \n \n**Note regarding CVE-2015-4911** \nThis was addressed by IBM in June 2008. As a reminder, users of Java 6 and above should refer to the [_IBM XL XP-J documentation_](<https://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSYKE2_7.0.0/com.ibm.java.win.70.doc/user/xml/xlxpj_reference.html>) for the javax.xml.stream.supportDTD property for information to help avoid this vulnerability. \n \n_For unsupported versions of the product __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \nThe planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at : \n[http://www.ibm.com/support/docview.wss?uid=swg27006308 ](<http://www.ibm.com/support/docview.wss?uid=swg27006308>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n05-Feb-2016 - Original version published \n19-Feb-2016 - Added V10 fix details \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSKM8N\",\"label\":\"WebSphere Message Broker\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB36\",\"label\":\"IBM Automation\"}},{\"Product\":{\"code\":\"SSNQK6\",\"label\":\"IBM Integration Bus\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.0;9.0\",\"Edition\":\"\",\"Line of 
Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}] \n\n## Product Synonym\n\nWMB IIB", "cvss3": {}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4840", "CVE-2015-4844", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2020-03-23T20:41:52", "id": "FC3E140D5E8F3EE5581715DC2DD605A0B3AE95D6E732CA98E87454F55EDDC846", "href": "https://www.ibm.com/support/pages/node/272293", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:54:44", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java Technology Edition, Version 1.6 and 1.7 that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). 
These issues were disclosed as part of the IBM Java SDK updates in January 2016 and October 2015, and includes the vulnerability commonly referred to as \u201cSLOTH\u201d.\n\n## Vulnerability Details\n\nIBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM\u00ae Java SDK updates in January 2016 and October 2015: \n \n \n**Jan 2016 vulnerabilities:** \n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>)** \nDESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \n**CVEID:** [_CVE-2016-0483_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109945_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109945>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2016-0466_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109948_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109948>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-0448_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109949_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109949>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)\n\n \n**Oct 2015 vulnerabilities:** \n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0.1 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.1 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.1 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.1 \n \nRational Engineering Lifecycle Manager 1.0 - 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.1 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.1 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.1\n\n## Remediation/Fixes\n\nIf your product is deployed on WebSphere Application Server (WAS) and your deployment uses neither an Eclipse-based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of your Rational product and only upgrade the JRE in
the WAS server according to these instructions: \n[_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server January 2016 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21975424>) \n \nThe January 2016 update contains all of the corrections from the October 2015 update. The October update is listed here for convenience, but upgrade to the January 2016 update to get all the corrections. \n[_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU_](<https://www.ibm.com/support/docview.wss?uid=swg21969620>) \n \n**Otherwise:** \n_Note: for any of the below remediations, if yours is a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades._ \nUpgrade your products to version **3.0.1.6**, **4.0.7**, **5.0.2** or **6.0.1**, apply the latest ifix, and then perform the following upgrades. Request the January 2016 CPU update for the IBM\u00ae Java SDK: \n \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n\n * For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0 or 6.0, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for guidance.\n * For the 2.x releases, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix.\n\n## Workarounds and Mitigations\n\nFor CVE-2015-7575: \n\nUsers of Java 7 and later can address the issue by updating the /jre/lib/security/java.security file as follows (**both steps are required**): \n\n\u00b7 Add MD5 to the jdk.certpath.disabledAlgorithms property - e.g. jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, **MD5**\n\n\u00b7 Add MD5withRSA to the jdk.tls.disabledAlgorithms property - e.g.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, **MD5withRSA**\n\nJava 6 requires code changes in the JSSE component in addition to the java.security file modifications, so upgrading the JDK is the only solution.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21974193>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Internal Use Only\n\nAll links created in fix central: \nJava 6.0 for CLM 3.0.1.6, 4.0.7, 5.0.2, 6.0.0 \nCLM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=All&platform=All&function=fixId&fixids=Rational-CLM-JavaSE-JRE-6.0SR16FP20&includeSupersedes=0&source=fc> \nRTC: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Team+Concert&release=All&platform=All&function=fixId&fixids=Rational-RTC-JavaSE-JRE-6.0SR16FP20&includeSupersedes=0&source=fc> \nDNG: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=All&platform=All&function=fixId&fixids=Rational-DNG-JavaSE-JRE-6.0SR16FP20&includeSupersedes=0&source=fc> \nRQM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Quality+Manager&release=All&platform=All&function=fixId&fixids=Rational-RQM-JavaSE-JRE-6.0SR16FP20&includeSupersedes=0&source=fc>
\nJava 7.0 for CLM 4.0.7, 5.0.2, 6.0.0 \nCLM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=All&platform=All&function=fixId&fixids=Rational-CLM-JavaSE-JRE-7.0SR9FP30&includeSupersedes=0&source=fc> \nRTC: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Team+Concert&release=All&platform=All&function=fixId&fixids=Rational-RTC-JavaSE-JRE-7.0SR9FP30&includeSupersedes=0&source=fc> \nDNG: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=All&platform=All&function=fixId&fixids=Rational-DNG-JavaSE-JRE-7.0SR9FP30&includeSupersedes=0&source=fc> \nRQM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Quality+Manager&release=All&platform=All&function=fixId&fixids=Rational-RQM-JavaSE-JRE-7.0SR9FP30&includeSupersedes=0&source=fc>
\nJava 7.1 for CLM 6.0.1 (Instructions are for JAS) \nCLM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=All&platform=All&function=fixId&fixids=Rational-CLM-JavaSE-JRE-7.1SR3FP30&includeSupersedes=0&source=fc> \nRTC: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Team+Concert&release=All&platform=All&function=fixId&fixids=Rational-RTC-JavaSE-JRE-7.1SR3FP30&includeSupersedes=0&source=fc> \nDNG: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=All&platform=All&function=fixId&fixids=Rational-DNG-JavaSE-JRE-7.1SR3FP30&includeSupersedes=0&source=fc> \nRQM: <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Quality+Manager&release=All&platform=All&function=fixId&fixids=Rational-RQM-JavaSE-JRE-7.1SR3FP30&includeSupersedes=0&source=fc>
\n\n## Product Synonym\n\nRational DOORS Next Generation;Rational Team Concert;Rational Quality Manager;Rational Engineering Lifecycle Manager;Rational Collaborative Lifecycle Management Solution", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7575, CVE-2016-0483, etc.)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-5006", "CVE-2015-7575", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0483"], "modified": "2021-04-28T18:35:50", "id":
"116CC00D5265D0FFFA8CE1B360264EF9FF95784E6C2C3F0019DE1DB74C6E9A89", "href": "https://www.ibm.com/support/pages/node/542725", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:43:36", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition and IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is shipped and used by IBM Spectrum Control and Tivoli Storage Productivity Center. These issues were disclosed as part of the IBM Java SDK updates in October 2015 and January 2016 and include the vulnerability commonly referred to as \u201cSLOTH\u201d. \n\n## Vulnerability Details\n\n**Vulnerabilities disclosed in the January 2016 Critical Patch Update**\n\n**CVEID:** [_CVE-2016-0475_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109946_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109946>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n\n \n \n \n\n\n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>)** \nDESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as \u201cSLOTH\u201d. 
\nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n\n \nThe IBM\u00ae Runtime Environment Java\u2122 Technology Edition provided for download with Tivoli Storage Productivity Center 5.1.x and 5.2.0 through 5.2.7, which can be installed separately, is vulnerable to all CVEs as noted by the IBM Java SDK security bulletin. Review the following security bulletin and evaluate your own code to determine if you are vulnerable. \n[Security Bulletin: Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition (January 2016 CPU)](<http://www.ibm.com/support/docview.wss?uid=swg21974193>) \n\n\n**Vulnerabilities disclosed in the October 2015 Critical Patch Update**\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n \nThe IBM\u00ae Runtime Environment Java\u2122 Technology Edition provided for download with Tivoli Storage Productivity Center 5.1.x and 5.2.0 through 5.2.7, which can be installed separately, is vulnerable to all CVEs as noted by the IBM Java SDK security bulletin. Review the following security bulletin and evaluate your own code to determine if you are vulnerable.
\n[Security Bulletin: Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition (October 2015 CPU)](<http://www.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Affected Products and Versions\n\nIBM Spectrum Control 5.2.8 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.9 \nTivoli Storage Productivity Center 4.2.x \nTivoli Storage Productivity Center 4.1.x \nTotalStorage Productivity Center 3.3.x \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine. \n \nSystem Storage Productivity Center is affected if it has one of the Tivoli Storage Productivity Center versions listed above installed on it.\n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product and execute the manual steps listed below. The solution should be implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control. \n\nIf you have downloaded and installed IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 Service Refresh 16 Fix Pack 15 or earlier from an older version of Tivoli Storage Productivity Center, you should uninstall it or download an updated version after applying the fix pack and reinstall IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 Service Refresh 16 Fix Pack 20 or later. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.
If you upgrade to IBM Spectrum Control 5.2.8 or higher, there is no new version to download and apply as the Java WebStart GUI that previously used it is no longer provided.\n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n**_IBM Spectrum Control 5.2.x and Tivoli Storage Productivity Center V5.2.x_** \n \n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.x| IT13956| 5.2.9| February 2016 \nApply fix maintenance V5.2.9 as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>)) \n \n**Important Note:** If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 settings (enabled or disabled) will persist after the upgrade. See the [Enabling & Disabling Legacy Protocol (SSLv3 & MD5 hash)](<http://www-01.ibm.com/support/docview.wss?uid=swg21697904>) technote for more details. \n\n**_Tivoli Storage Productivity Center V5.1.x_** \n \n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.1.x| IT13956| 5.1.1.10 (_Manual update steps are required in addition to applying 5.1.1.10_)| April 2016 \nApply fix maintenance V5.1.1.10 as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>)) \n \n**These manual steps are required in addition to applying the V5.1.1.10 fix pack:** \n \nTivoli Integrated Portal embeds WebSphere Application Server 7.0 and requires three fixes.
Follow these steps to apply the fixes: \n \n1) Download WebSphere iFix **PI54960** for WAS 7.0.0.37 (7.0.0.37-WS-WAS-IFPI54960) \n<http://www-01.ibm.com/support/docview.wss?uid=swg21975698> \n \n2) Download WebSphere iFix **PI55781** for WAS 7.0.0.X \n<http://www-01.ibm.com/support/docview.wss?uid=swg24041662> \n \n3) Download WebSphere iFix **PI52103** for WAS 7.0.0.X \n<http://www-01.ibm.com/support/docview.wss?uid=swg24041257> \n \n4) Apply the WebSphere Application Server 7.0 iFixes to Tivoli Integrated Portal using the preinstalled WAS Update Installer \n \n_On Windows, the default location for WAS Update Installer is:_ \n[TPC_Install_Location]\\IBM\\tipv2\\WebSphereUpdateInstallerV7\\ \n \nFollow these steps to update certificate files for Tivoli Storage Productivity Center: \n \n**Note:** The 5.1.1-TIV-TPC-IT17360 patch file has replaced 5.1.1.10-TIV-TPC-IT13956 with 5.1.1.12 and later. \n \n1) Download the patch file for the specific Tivoli Storage Productivity Center server platform: \n[_5.1.1.10-TIV-TPC-IT13956_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Productivity+Center&platform=All&function=all&release=5.1.1.10>) _is included with the files for the 5.1.1.10 and 5.1.1.11 server packages._ \n[_5.1.1-TIV-TPC-IT17360_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Productivity+Center&platform=All&function=all&release=5.1.1.12>) _is included with the files for the 5.1.1.12 and later server packages but can be used with 5.1.1.10 or later. 
This patch is preferred as it includes fixes for both IT13956 and IT17360._ \n \n2) Stop each of the Tivoli Storage Productivity Center services: Data server, Device server, Replication server, TIP server \n \nFollow the Knowledge Center procedure for starting and stopping the servers \n<http://www.ibm.com/support/knowledgecenter/SSNE44_5.1.1.1/com.ibm.tpc_V5111.doc/fqz0_r_start_stop_tpc_services.html> \n \n3) Create a backup copy of the \\TPC\\data\\ and \\TPC\\ewas\\profiles\\ folders, which contain the original files (in case a rollback is needed) \n \n_On Windows, the default location is:_ \n[Root_Install_Location]\\IBM\\TPC\\data\\ \n[Root_Install_Location]\\IBM\\TPC\\ewas\\profiles\\ \n \n_On AIX or Linux:_ \n[Root_Install_Location]/IBM/TPC/data/ \n[Root_Install_Location]/IBM/TPC/ewas/profiles/ \n \n4) Extract the 5.1.1.10-TIV-TPC-IT13956 file to the Tivoli Storage Productivity Center installation directory, overwriting existing files \n \nFor example, on Windows extract the files from the archive to: \n[Root_Install_Location]\\IBM\\TPC\\ \n \n5) Restart all of the Tivoli Storage Productivity Center servers \n \n**_Tivoli Storage Productivity Center V4.2.x, 4.1.x and TotalStorage Productivity Center 3.3.x_** \nFor these releases, IBM recommends upgrading to a fixed, supported release of the product. \n \n**Note regarding CVE-2015-7575** \nIBM recommends that you review your entire environment to identify areas that utilize the MD5 security algorithm and take appropriate mitigation and remediation actions. See [Resolving security certificate errors in IBM Spectrum Control](<http://www.ibm.com/support/docview.wss?uid=swg21976237>) for information to resolve compatibility issues with monitored devices using the MD5 security algorithm. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[IBM Java SDK Security Bulletin (January 2016)](<http://www.ibm.com/support/docview.wss?uid=swg21974193>) \n[IBM WebSphere Application Server Security Bulletin (January 2016)](<http://www.ibm.com/support/docview.wss?uid=swg21975424>) \n[IBM Java SDK Security Bulletin (October 2015)](<http://www.ibm.com/support/docview.wss?uid=swg21969225>) \n[IBM WebSphere Application Server Security Bulletin (October 2015)](<http://www.ibm.com/support/docview.wss?uid=swg21969620>) \n\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France\n\n## Change History\n\n25 February 2016: Original Version Published \n02 March 2016: Corrected JRE versions listed. \n22 April 2016: Updated with 5.1.x fix instructions. \n10 May 2016: Corrected listing of CVEs in vulnerability details. \n18 October 2016: Updated to include reference to the 5.1.1-TIV-TPC-IT17360 patch.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS5R93\",\"label\":\"IBM Spectrum Control\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"5.2.8;5.2.9;5.2.10;5.2.11;5.2.12\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-22T19:50:07", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center October 2015 CPU and January 2016 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872", "CVE-2015-7575", "CVE-2016-0475"], "modified": "2022-02-22T19:50:07", "id": "67578E30259856437D267C1A3D6E2CF49BDE0DF9BE42CAA71809801A7935BE9A", "href": "https://www.ibm.com/support/pages/node/543247", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-09-27T14:03:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7.0 that is used by IBM Sterling Connect:Direct Browser User Interface. These issues were disclosed as part of the IBM Java Runtime updates in October 2015 and January 2016 and include the vulnerability commonly referred to as \u201cSLOTH\u201d.\n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>)** \nDESCRIPTION: **The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n\n**CVEID:** [_CVE-2016-0475_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475>)** \nDESCRIPTION: **An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109946_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109946>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nIBM Sterling Connect:Direct Browser User Interface 1.5.0 through 1.5.0.2 iFix 15 \nIBM Sterling Connect:Direct Browser User Interface 1.4.0 through 1.4.11.0 iFix 4 \n\n## Remediation/Fixes\n\n**_Product_**| **_VRMF_**| **_iFix_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Sterling Connect:Direct Browser User Interface| 1.5.0.2| _iFix 16_| [_Fix Central_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Connect%3ADirect+Browser+User+Interface&release=1.5.0.2&platform=All&function=all>) \nIBM Sterling Connect:Direct Browser User Interface| 1.4.11.0| _iFix 5_| Contact Support and request the fix package be published for you on the ECuRep server. 
\n \n## Workarounds and Mitigations\n\nFor CVE-2015-7575 (SLOTH MD5): \n\nUsers of Java 7 and later can address the issue by updating the ./jre/lib/security/java.security file as follows (**both steps are required**): \n\n * Add MD5 to the jdk.certpath.disabledAlgorithms property. For example, jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, **MD5**\n * Add MD5withRSA to the jdk.tls.disabledAlgorithms property. For example, jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, **MD5withRSA**\n \nJava 6 requires code changes in the JSSE component in addition to the java.security file modifications, so upgrading the JRE is the only solution. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21974193>) January 2016 \n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>) October 2015\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nCVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France\n\n## Change History\n\n23 February 2016 Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/bulletin/#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS6HLS\",\"label\":\"IBM Sterling Connect:Direct Browser User Interface\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"1.5.2;1.5.1;1.5.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T22:49:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct Browser User Interface (CVE-2015-7575, CVE-2016-0475, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872", "CVE-2015-7575", "CVE-2016-0475"], "modified": "2020-07-24T22:49:37", "id": "3F0A86B9112F51C3B6A64183B5DCE227004E4FE8195B2CB6E060CDFA713A7026", "href": "https://www.ibm.com/support/pages/node/542469", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-30T21:54:07", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21969620>) for vulnerability details and information about fixes. \n \nIn addition to to CVE-2015-4872 WebSphere Service Registry and Repository is vulnerable to the following issues. \n \n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \n** \n**DESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>) \n**DESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server Network Deployment V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server Network Deployment V8.0 \nWebSphere Service Registry and Repository V7.5| WebSphere Application Server Network Deployment V7.0 \nWebSphere Service Registry and Repository V7.0| WebSphere Application Server Network Deployment V7.0 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n02 February 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSWLGF\",\"label\":\"WebSphere Service Registry and Repository\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.5;8.0;7.5;7.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:04:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4803)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911"], "modified": "2018-06-15T07:04:51", "id": "DCEF1EAD4FB55EB159F072650EDDC9C85C5715A429B7B3B466EF3251A3AE9340", "href": "https://www.ibm.com/support/pages/node/540475", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:09:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM b-type SAN Network Advisor. 
These issues were disclosed as part of the IBM Java SDK updates for October 2015 (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nIBM Network Advisor prior to release 14.0.2\n\n## Remediation/Fixes\n\nIBM Network Advisor Release 14.0.2 \n\n \n[_http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009621_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009621>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n18 November 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"STMSDB\",\"label\":\"Storage area network (SAN)->IBM Network Advisor\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"\",\"label\":\"N\\/A\"}],\"Version\":\"All Versions\",\"Edition\":\"Enterprise\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"STMSDB\",\"label\":\"Storage area network (SAN)->IBM Network Advisor\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2018-06-18T00:28:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Network Advisor.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911"], "modified": "2018-06-18T00:28:23", "id": "EFD27A09FAD3929BC2D3FE35B560A96CB07B7861AE219E0737F433220EA65AC7", "href": "https://www.ibm.com/support/pages/node/696329", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-10-01T01:58:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 
Technology Edition, Version 6.0 SR16 FP5 that is used by Rational Synergy. These issues were disclosed as part of the IBM Java SDK updates in July and October 2015. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2601_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>) \n**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102967> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n\n## Affected Products and Versions\n\n\u00b7 Rational Synergy release 7.2.1.4 ifix01 or earlier. \n\u00b7 Rational Synergy release 7.2.0.7 ifix01 or earlier.\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nRational Synergy| 7.2.0.x and 7.2.1.x| Replace the JRE used in Rational Synergy. \n \n**Steps to download and replace JRE in Rational Synergy:** \n1\\. Open the list of [_Synergy downloads on Fix Central_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Synergy&release=All&platform=All&function=all&source=fc>) \n2\\. 
Select the SDK and Readme for Rational Synergy that apply to your release, as follows: \n \n**Note:** The fix will use the following naming convention: \n**_<V.R.M.F>_**_-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-_**_<platform>_** \n \nWhere **<V.R.M.F>** = release and **<platform>** = operating system \n \no Rational Synergy 7.2.1 (uses 7.2.1.4 release designation) \nExample: **7.2.1.4-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-Linux** \n \no Rational Synergy 7.2.0 (uses 7.2.0.7 release designation) \nExample: **7.2.0.7-Rational-RATISYNE-JavaSE-SDK-6.0.16.15-Windows** \n \n3\\. Follow the steps in the [_Install instructions_](<http://www.ibm.com/support/docview.wss?uid=swg27042896>) to replace the JRE. \n \n_For Rational Synergy 7.1.0.x IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \n \n**To verify that Synergy has a JRE version that addresses these security vulnerabilities:** \nOpen a command prompt. \n \n**Unix:** \nGo to the $CCM_HOME/jre/bin folder \nExecute ./java -version \n \n**Windows:** \nGo to the %CCM_HOME%\\jre\\bin folder \nExecute java -version \n \nIf the version in the output is SR16 FP15 or greater, the run area has a JRE version that addresses these security vulnerabilities. 
\n \n**Example:** \nJava(TM) SE Runtime Environment (build pwi3260sr16fp15-20151106_01(SR16 FP15)) \nIBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr16fp15-20 \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[_IBM Java SDK Security Bulletin July-2015_](<http://www-01.ibm.com/support/docview.wss?uid=swg21962302>) \n[_IBM Java SDK Security Bulletin Oct-2015_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21st Dec 2015: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSC6Q5\",\"label\":\"Rational Synergy\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2;7.2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-22T16:37:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], "modified": "2020-12-22T16:37:26", "id": "6C3276D773A29D1F10A39BA6B166184CEB01561E7FE5829CB3D29DBDA9328964", "href": "https://www.ibm.com/support/pages/node/275265", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-01T02:01:19", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDKs Java\u2122 Technology Edition, Versions 7 and 8 that is used by IBM Rational Software Architect, IBM Rational Software Architect for WebSphere Software and IBM Rational Software Architect RealTime. These issues were disclosed as part of the IBM Java SDK updates in July and Oct 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-2613_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613>)** \nDESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104734_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2601_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104733_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-2625_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625>)** \nDESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 2.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104743_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-1931_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931>)** \nDESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. \nCVSS Base Score: 2.1 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nRational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime: Ver 8.5 through 9.5\n\n## Remediation/Fixes\n\n**_Product_**\n\n| \n\n**_VRMF_** | \n\n**_Remediation/First Fix_** \n---|---|--- \nRational Software Architect (RSA) \n| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSA-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect for WebSphere Software (RSA4WS)| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect RealTime (RSART)| 9.5| [IBM Java SDK/JRE 8 SR2 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+RealTime+Edition&release=9.5.0&platform=All&function=fixId&fixids=Rational-RSART-Java8SR2-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect (RSA) \n| 8.5 to 8.5.5.4, \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect for WebSphere Software 
(RSA4WS)| 8.5 to 8.5.5.4, \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+for+WebSphere+Software&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSA4WS-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \nRational Software Architect RealTime (RSART)| 8.5 to 8.5.1 \n9.0 to 9.0.0.1 \n9.1 to 9.1.2| [IBM Java SDK/JRE 7 SR9 FP 20 IFixes](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Software+Architect+RealTime+Edition&release=8.5.0&platform=All&function=fixId&fixids=Rational-RSART-Java7SR9FP20-ifix&includeSupersedes=0&source=fc>) \n \n**Installation Instructions:** \n \nFor instructions on installing this update using Installation Manager, review the topic [Updating Installed Product Packages](<http://www.ibm.com/support/knowledgecenter/SS8PJ7_9.1.0/com.ibm.xtools.installation.rsaws.doc/topics/t_update.html>) in the IBM Knowledge Center. \n \n**Instructions to download and install the update from the compressed files:** \n\n\n 1. Download the update files from Fix Central by following the link listed in the download table above. \n \n\n 2. Extract the compressed files in an appropriate directory. \n \nFor example, choose to extract to `C:\\temp\\update`. \n \n\n 3. Add the update repository location in IBM Installation Manager: \n \n\n 4. Start IBM Installation Manager. \n \n\n 5. On the Start page of Installation Manager, click **File > Preferences**, and then click **Repositories**. The Repositories page opens. \n \n\n 6. On the Repositories page, click **Add Repository**. \n \n\n 7. In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK. \n \nFor example, enter `C:\\temp\\updates\\repository.config`. \n \n\n 8. 
Click **OK** to close the Preferences page. \n \n\n 9. Install the update as described in the topic **Updating Installed Product Packages** in the [IBM Knowledge Center](<http://www.ibm.com/support/knowledgecenter/>) for your product and version.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[IBM Java SDK Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21680334>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Internal Use Only\n\nPSIRT 4021, Record 63903 \nPSIRT 3528 Record 59424\n\n[{\"Product\":{\"code\":\"SSYK2S\",\"label\":\"Rational Software Architect Designer\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Modeling\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF022\",\"label\":\"OS X\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.5;8.5.1;8.5.5;8.5.5.1;8.5.5.2;8.5.5.3;8.5.5.4;9.0;9.0.0.1;9.1;9.1.1;9.1.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB36\",\"label\":\"IBM Automation\"}},{\"Product\":{\"code\":\"SSYK2S\",\"label\":\"Rational Software Architect Designer\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"9.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB36\",\"label\":\"IBM Automation\"}},{\"Product\":{\"code\":\"SS4JCV\",\"label\":\"Rational Software Architect for WebSphere Software\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF022\",\"label\":\"OS X\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.5;8.5.1;8.5.5;8.5.5.1;8.5.5.2;8.5.5.3;8.5.5.4;9.0;9.0.0.1;9.1;9.1.1;9.1.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB15\",\"label\":\"Integration\"}},{\"Product\":{\"code\":\"SSYKBQ\",\"label\":\"Rational Software Architect Designer for WebSphere Software\"},\"Business 
Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"9.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SS5JSH\",\"label\":\"Rational Software Architect RealTime Edition\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.5;8.5.1;9.0;9.0.0.1;9.1;9.1.1;9.1.2;9.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-10T15:49:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Software Architect, Software Architect for WebSphere Software & Rational Software Architect RealTime (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-4872"], 
"modified": "2020-09-10T15:49:00", "id": "FCBE194563589DFF9606D62F884B470E8FE64EC32ECEF7BF7F3E11951F8D3E8F", "href": "https://www.ibm.com/support/pages/node/275349", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-28T22:11:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7.0 SR7 that is used by IBM Multi-Enterprise Integration Gateway. These issues were disclosed as part of the IBM Java SDK updates for October 2015 and January 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID:** [_CVE-2016-0466_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109948_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109948>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>)** \nDESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. 
\nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Multi-Enterprise Integration Gateway 1.0 - 1.0.0.1 \n\nIBM B2B Advanced Communications 1.0.0.2 - 1.0.0.4\n\n## Remediation/Fixes\n\nThe recommended solution is to upgrade to the current release as soon as practical. Please see below for information about the fixes available. \n \n\n\n**_Fix*_**| **_VRMF_**| **_APAR_**| **_How to acquire fix_** \n---|---|---|--- \nFixpack 1.0.0.5| 1.0.0.1| IT14760| IBM Fix Central > [B2B_Advanced_Communications_V1.0.0.5_Media](<http://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FOther+software%2FMulti-Enterprise+Integration+Gateway&fixids=B2B_Advanced_Communications_V1.0.0.5_FixPack_Media&source=dbluesearch&function=fixId&parent=ibm/Other>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## 
Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n02 May 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYJCD\",\"label\":\"IBM Multi-Enterprise Integration Gateway\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.0.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T20:00:30", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM B2B Advanced Communications.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-7575", 
"CVE-2016-0466"], "modified": "2018-06-16T20:00:30", "id": "AF42BD53008E43A8F60AC336AAB63B4B1D9D0A7242D5CAF18118E642576D4117", "href": "https://www.ibm.com/support/pages/node/276621", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:13:59", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition Versions 5, 6, 7 and 8, which are used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business. These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Access Manager for e-business 6.0, 6.1, 6.1.1 \n\nIBM Security Access Manager for Web 7.0 (software)\n\nIBM Security Access Manager for Web 8.0, all firmware versions\n\nIBM Security Access Manager for Web 9.0\n\n## Remediation/Fixes\n\nThe table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch. \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nIBM Tivoli Access Manager for e-business| 6.0| IV79536| 1\\. 
Apply Interim Fix 42: \n[6.0.0-ISS-TAM-IF0042](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.0.0.41&platform=All&function=fixId&fixids=6.0.0-ISS-TAM-IF0042&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Tivoli Access Manager for e-business| 6.1| IV79536| 1\\. Apply Interim Fix 23: \n[6.1.0-ISS-TAM-IF0023](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.0.22&platform=All&function=fixId&fixids=6.1.0-ISS-TAM-IF0023&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Tivoli Access Manager for e-business| 6.1.1| IV79536| 1\\. Apply Interim Fix 22: \n[6.1.1-ISS-TAM-IF0022](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=6.1.1.21&platform=All&function=fixId&fixids=6.1.1-ISS-TAM-IF0022&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Security Access Manager for Web| 7.0 (software)| IV79536| 1\\. Apply Interim Fix 20: \n[7.0.0-ISS-SAM-IF0020](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=7.0.0.19&platform=All&function=fixId&fixids=7.0.0-ISS-SAM-IF0020&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM Security Access Manager for Web| 8.0.0.0 - \n8.0.1.3| IV79576 | 1\\. 
For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: \n[8.0.1-ISS-WGA-FP0003](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0&platform=All&function=all>) \n \n2\\. Apply 8.0.1.3 Interim Fix 3: \n[8.0.1.3-ISS-WGA-IF0003](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \nIBM Security Access Manager| 9.0| IV79576 | 1\\. Upgrade to 9.0.0.1: \n[9.0.0-ISS-ISAM-FP0001](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.0.0&platform=Linux&function=all>) \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21969225>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\nDecember 15, 2015: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSPREK\",\"label\":\"Tivoli Access Manager for e-business\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Java Runtime\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"6.0;6.1;6.1.1;7.0;8.0;8.0.0.2;8.0.0.4;8.0.0.5;8.0.1;8.0.1.2;8.0.1.3;9.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2018-06-16T21:38:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-5006"], "modified": "2018-06-16T21:38:37", "id": "89110ABC25F6D47E30A7065527D32DED0588DB619219C340BCD7477553C82B04", "href": "https://www.ibm.com/support/pages/node/274879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:02:47", "description": "## 
Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 7 that is used by IBM Security Network Protection. These issues were disclosed as part of the IBM Java SDK updates in October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4881_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107341_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107341>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Network Protection 5.3.1 \nIBM Security Network Protection 5.3.2\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.7 from [IBM Security License Key and Download Center](<https://ibmss.flexnetoperations.com/control/isdl/home>) and upload and install via the Available Updates page of the Local Management Interface. \nIBM Security Network Protection| Firmware version 5.3.2| Install Firmware 5.3.2.1 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 January 2016: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSHLHV\",\"label\":\"IBM Security Network Protection\"},\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Component\":\"Documentation\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"5.3.1;5.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2018-06-16T21:38:16", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-16T21:38:16", "id": "031CA5D81D0F7BE4ECF57E23143A60E8C0DBA24053F9E728A6E12ABE37C72BF9", "href": "https://www.ibm.com/support/pages/node/273805", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:11:56", "description": "## Summary\n\nJava SE issues disclosed in the Oracle October 2015 Critical Patch Update, plus CVE-2015-5006 \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-4844 CVE-2015-4843 CVE-2015-4805 CVE-2015-4860 CVE-2015-4883 CVE-2015-4835 CVE-2015-4810 CVE-2015-4806 CVE-2015-4871 CVE-2015-4902 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4840 CVE-2015-4842 CVE-2015-4882 CVE-2015-4903 CVE-2015-4803 CVE-2015-4734 CVE-2015-5006 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2015 Critical Patch Update. For more information please refer to [_Oracle's October 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA>) and the X-Force database entries referenced below. \n \nThis bulletin also covers CVE-2015-5006, which describes a vulnerability in the IBM Java Security Components that are shipped as part of IBM WebSphere Real Time.\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n \n \n**CVEID:** [CVE-2015-4911](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107360> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability related to the CORBA component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 10 and earlier releases\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 20 and subsequent releases \n \n**Note regarding CVE-2015-4911** \nThis issue was addressed by IBM in June 2008. As a reminder, users should refer to the [IBM XL XP-J documentation](<https://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSYKE2_7.0.0/com.ibm.java.win.70.doc/user/xml/xlxpj_reference.html>) for the `javax.xml.stream.supportDTD` property for information to help avoid this vulnerability. \n \nIBM customers should download WebSphere Real Time updates from [Fix Central](<http://www.ibm.com/support/fixcentral/>). \n \nIBM WebSphere Real Time releases can also be downloaded from [_developerWorks_](<http://www.ibm.com/developerworks/java/jdk/index.html>). 
\n\n**APAR numbers are as follows:**\n\n[_IV78222_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78222>) (CVE-2015-4844)_ \n_[_IV78224_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78224>) (CVE-2015-4843)_ \n_[_IV78226_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78226>) (CVE-2015-4805)_ \n_[_IV78228_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78228>) (CVE-2015-4860)_ \n_[_IV78231_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78231>) (CVE-2015-4883)_ \n_[_IX90167_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IX90167>) (CVE-2015-4835)_ \n_[_IV78233_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78233>) (CVE-2015-4810)_ \n_[_IV78234_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78234>) (CVE-2015-4806)_ \n_[_IV78236_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78236>) (CVE-2015-4871)_ \n_[_IV78237_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78237>) (CVE-2015-4902)_ \n_[_IV78239_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78239>) (CVE-2015-4872)_ \n_[_IV78241_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78241>) (CVE-2015-4893)_ \n_[_IV78242_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78242>) (CVE-2015-4840)_ \n_[_IV78243_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78243>) (CVE-2015-4842)_ \n_[_IX90168_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IX90168>) (CVE-2015-4882)_ \n_[_IV78244_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78244>) (CVE-2015-4903)_ \n_[_IV78246_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78246>) (CVE-2015-4803)_ \n_[_IV78248_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78248>) (CVE-2015-4734)_ \n_[_IV78316_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78316>) (CVE-2015-5006)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like 
this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" ) \n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide>) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>) \n[_Oracle October 2015 Java SE Critical Patch Update Advisory_](<http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA>)_ \n_[_IBM SDK, Java Technology Edition Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts/>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nNovember 13 2015: Original version published \nNovember 19 2015: Updated note regarding CVE-2015-4911\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSSTCZ\",\"label\":\"WebSphere Real Time\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"3.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:03:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in current releases of IBM\u00ae WebSphere Real Time", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-15T07:03:53", "id": "19A3587788FC0724B696A0B0C63467FC0F63CBAE6B6B8505750C944E934042FC", "href": "https://www.ibm.com/support/pages/node/271765", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nJava SE issues disclosed in the Oracle October 2015 Critical Patch Update, plus CVE-2015-5006 \n\n## Vulnerability Details\n\n**CVE IDs:** CVE-2015-4844 CVE-2015-4843 CVE-2015-4805 CVE-2015-4860 CVE-2015-4883 CVE-2015-4835 CVE-2015-4810 CVE-2015-4806 CVE-2015-4871 CVE-2015-4902 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4840 CVE-2015-4842 CVE-2015-4882 CVE-2015-4903 CVE-2015-4803 CVE-2015-4734 CVE-2015-5006 \n\n**DESCRIPTION:** This bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2015 Critical Patch Update. For more information please refer to [_Oracle's October 2015 CPU Advisory_](<http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA>) and the X-Force database entries referenced below. \n \nThis bulletin also covers CVE-2015-5006, which describes a vulnerability in the IBM Java Security Components that are shipped as part of the IBM SDK, Java Technology Edition.\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n \n \n**CVEID:** [CVE-2015-4911](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107360> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability related to the CORBA component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 13 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 7 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 10 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 10 and earlier releases \nThese vulnerabilities affect IBM SDK, Java Technology Edition, Version 8 Service Refresh 1 Fix Pack 10 and earlier releases \n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 14 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 15 and subsequent releases \nThe fixes 
for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 15 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 20 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 20 and subsequent releases \nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 8 Service Refresh 2 and subsequent releases \n \n**Note regarding CVE-2015-4911** \nThis issue was addressed by IBM in June 2008. As a reminder, users of Java 6 and above should refer to the [IBM XL XP-J documentation](<https://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSYKE2_7.0.0/com.ibm.java.win.70.doc/user/xml/xlxpj_reference.html>) for the `javax.xml.stream.supportDTD` property for information to help avoid this vulnerability. \n \nFor detailed information on which CVEs affect which releases, please refer to the [_IBM SDK, Java Technology Edition Security Alerts page_](<http://www.ibm.com/developerworks/java/jdk/alerts/>). \n \nIBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from [_here_](<http://www.ibm.com/developerworks/java/jdk/index.html>) \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [_IBM support_](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin. 
\n\n**APAR numbers are as follows:**\n\n[_IV78222_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78222>) (CVE-2015-4844)_ \n_[_IV78224_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78224>) (CVE-2015-4843)_ \n_[_IV78226_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78226>) (CVE-2015-4805)_ \n_[_IV78228_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78228>) (CVE-2015-4860)_ \n_[_IV78231_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78231>) (CVE-2015-4883)_ \n_[_IX90167_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IX90167>) (CVE-2015-4835)_ \n_[_IV78233_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78233>) (CVE-2015-4810)_ \n_[_IV78234_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78234>) (CVE-2015-4806)_ \n_[_IV78236_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78236>) (CVE-2015-4871)_ \n_[_IV78237_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78237>) (CVE-2015-4902)_ \n_[_IV78239_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78239>) (CVE-2015-4872)_ \n_[_IV78241_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78241>) (CVE-2015-4893)_ \n_[_IV78242_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78242>) (CVE-2015-4840)_ \n_[_IV78243_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78243>) (CVE-2015-4842)_ \n_[_IX90168_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IX90168>) (CVE-2015-4882)_ \n_[_IV78244_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78244>) (CVE-2015-4903)_ \n_[_IV78246_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78246>) (CVE-2015-4803)_ \n_[_IV78248_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78248>) (CVE-2015-4734)_ \n_[_IV78316_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IV78316>) (CVE-2015-5006)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like 
this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide>) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>) \n[_Oracle October 2015 Java SE Critical Patch Update Advisory_](<http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA>)_ \n_[_IBM SDK, Java Technology Edition Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts/>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nNovember 13 2015: Original version published \nNovember 19 2015: Updated note regarding CVE-2015-4911\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSNVBF\",\"label\":\"Runtimes for Java Technology\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.0;7.1;7.0;6.1;6.0;5.0\",\"Edition\":\"Java SE\",\"Line of Business\":{\"code\":\"LOB36\",\"label\":\"IBM Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:03:45", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", 
"CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-15T07:03:45", "id": "D395E7DA5532733EF1D6D92AC4C7C2D1C9B09220E7762FBD28142A6837623D00", "href": "https://www.ibm.com/support/pages/node/269393", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:50:24", "description": "## Summary\n\n \nJava is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs. \n\n\n## Vulnerability Details\n\n \nCVEID: [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\nCVEID: [_CVE-2015-4868_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107348_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107348>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\nCVEID: [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\nCVEID: [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\nCVEID: [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\nCVEID: [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\nCVEID: [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\nCVEID: [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>) \nDESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n \nPower HMC V7.3.0.0 \nPower HMC V7.9.0.0 \nPower HMC V8.1.0.0 \nPower HMC V8.2.0.0 \nPower HMC V8.3.0.0 \nPower HMC V8.4.0.0 \n\n## Remediation/Fixes\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation/Fix \n \n---|---|---|--- \n \nPower HMC\n\n| \n\nV7.7.3.0 SP1\n\n| \n\nMB03992\n\n| \n\n[Apply eFix MH01596](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V7R7.3.0&platform=All&function=all>) \n \nPower HMC\n\n| \n\nV7.7.9.0 SP3\n\n| \n\nMB03993\n\n| \n\n[Apply eFix MH01597](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V7R7.9.0&platform=All&function=all>) \n \nPower HMC\n\n| \n\nV8.8.1.0 SP3\n\n| \n\nMB03994\n\n| \n\n[Apply eFix MH01598](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V8R8.1.0&platform=All&function=all>) \n \nPower HMC\n\n| \n\nV8.8.2.0 SP2\n\n| \n\nMB03995\n\n| \n\n[Apply eFix MH01599](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V8R8.2.0&platform=All&function=all>) \n \nPower HMC\n\n| \n\nV8.8.3.0 SP1\n\n| \n\nMB03996\n\n| \n\n[Apply eFix MH01600](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V8R8.3.0&platform=All&function=all>) \n \nPower HMC\n\n| \n\nV8.8.4.0\n\n| \n\nMB03997\n\n| \n\n[Apply eFix MH01601](<http://www-933.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm/hmc/9100HMC&release=V8R8.4.0&platform=All&function=all>) 
\n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nOriginal 2016-01-22\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSB6AA\",\"label\":\"Power System Hardware Management Console Physical Appliance\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"HMC\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"Version Independent\",\"Edition\":\"Enterprise\",\"Line of Business\":{\"code\":\"LOB08\",\"label\":\"Cognitive Systems\"}}]", "cvss3": {}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-4843 CVE-2015-4868 CVE-2015-4806 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4842 CVE-2015-4803)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4806", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4868", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911"], "modified": "2021-09-23T01:31:39", "id": "64A319721BCD5C45FE57AF618AA40445A09DBA9F41D614384B72F65F556F6799", "href": "https://www.ibm.com/support/pages/node/666723", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:02:28", "description": "## Summary\n\nMultiple Java vulnerabilities have been fixed in the IBM Security Directory Server.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-4844](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107346> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [CVE-2015-4843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107342> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107345> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4860](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107344> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107343> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4881](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107341> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4835](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107340> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4868](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 7.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107348> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107349> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4806](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107350> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-4871](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107351> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-4902](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107352> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2015-4872](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107361> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2015-4911](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107360> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107359> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4842](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107355> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107354> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107357> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4803](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107358> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4734](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107356> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-5006](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106309> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Directory Server 6.1.0, 6.2.0, 6.3.0 \n\nIBM Security Directory Server 6.3.1, 6.4\n\n## Remediation/Fixes\n\nProduct Version\n\n| Fix Availability \n---|--- \nIBM Tivoli Directory Server 6.1| [IBM Tivoli Directory Server 6.1.0.72](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.1.0.72&platform=All&function=all>) \nIBM Tivoli Directory Server 6.2| [IBM Tivoli Directory Server 6.2.0.48](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.48&platform=All&function=all>) \nIBM Tivoli Directory Server 6.3| [IBM Tivoli Directory Server 6.3.0.41](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.41&platform=All&function=all>) \nIBM Security Directory Server 6.3.1| [IBM Security Directory Server 6.3.1.15](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.3.1.15&platform=All&function=all>) \nIBM Security Directory Server 6.4| [IBM Security Directory Server 6.4.0.6](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.6&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 
Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nInitial Version 1-14-2016\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. 
We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSVJJU\",\"label\":\"IBM Security Directory Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"6.0;6.1;6.2;6.3;6.3.1;6.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2018-06-16T21:39:03", "type": "ibm", "title": "Security Bulletin: Multiple Java Vulnerabilities fixed in IBM Security Directory Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4871", "CVE-2015-4872", 
"CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-16T21:39:03", "id": "83F6DE1F56CBBBC340354AE2C6DB43997FA85BE8EDDFBF5367DC01A5F749DDFE", "href": "https://www.ibm.com/support/pages/node/539177", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T21:59:49", "description": "## Summary\n\nMultiple security vulnerabilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to all these risks but client side applications using the CICS TG supplied JREs might be.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4881_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107341_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107341>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4868_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107348_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107348>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nCICS Transaction Gateway for Multiplatforms v7.2, v8.0, v8.1, v9.0 and v9.1. Inclusion in this list does not imply that all the products are supported. See the [IBM Support Lifecycle](<http://www-01.ibm.com/software/support/lifecycle/>) page for product end of support dates. \n\n## Remediation/Fixes\n\nUpdated JREs have been made available on Fix Central. Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. 
Updated JREs which can be used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central:_ \n_[http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other software&query.product=ibm~WebSphere~CICS Transaction Gateway for Multiplatforms&query.release=All&query.platform=All ](<http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=All&query.platform=All>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n[{\"Product\":{\"code\":\"SSGMJ2\",\"label\":\"CICS Transaction Gateway\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"CTG\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.1;9.0;8.1;8.0;7.2\",\"Edition\":\"All\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {}, "published": "2018-06-15T07:04:51", "type": "ibm", "title": "Security Bulletin: CICS Transaction Gateway for Multiplatforms", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-15T07:04:51", "id": "245644ACD5BEB28C229BEA9479968403DF841BCB92D18DCCEBD4671EB2954D21", "href": "https://www.ibm.com/support/pages/node/539109", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T21:59:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM Security Guardium (versions 9x and 10 respectively). These issues were disclosed as part of the IBM Java SDK updates for October 2015.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-4868](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 7.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107348> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [CVE-2015-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107349> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4806](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107350> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-4871](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107351> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [CVE-2015-4902](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107352> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2015-4872](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107361> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2015-4911](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107360> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107359> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4842](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107355> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4882](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107354> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107357> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-4803](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107358> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [CVE-2015-4734](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107356> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [CVE-2015-5006](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106309> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2015-4844](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107346> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107342> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107345> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4860](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107344> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107343> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4881](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107341> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [CVE-2015-4835](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107340> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM Security Guardium 9x \nIBM Security Guardium 10\n\n## Remediation/Fixes\n\nIBM InfoSphere Guardium \n\n| _9.x_| _PSIRT 63859_| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6017_SecurityUpdate&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6017_SecurityUpdate&includeSupersedes=0&source=fc>) \n_ _ \n---|---|---|--- \nIBM InfoSphere Guardium | _10_| _PSIRT 63859_| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_10.0p6017_SecurityUpdate&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_10.0p6017_SecurityUpdate&includeSupersedes=0&source=fc>) \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line 
Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n[{\"Product\":{\"code\":\"SSMPHH\",\"label\":\"IBM Security Guardium\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"10.0;9.0;9.1;9.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2018-06-16T21:38:46", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", 
"CVE-2015-4911", "CVE-2015-5006"], "modified": "2018-06-16T21:38:46", "id": "10EF79AC52F94215AAE9A9390071778FDE4F6F8BF449438F29D04F1AC5201E39", "href": "https://www.ibm.com/support/pages/node/537629", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:40:59", "description": "## Problem\n\nCognos Command Center Security Bulletins.\n\n## Resolving The Problem\n\n## Tab navigation\n\n * 10.2.x\n * 10.1\n\nSecurity bulletins for Cognos Command Center 10.2.x \n--- \n**Published / Updated**| **Title** \nMay 2018| [Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-1417, CVE-2018-2783, CVE-2018-2794)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016473>) \nMarch 2018| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10295, CVE-2017-10345, CVE-2017-10355, CVE-2017-10356)](<https://www.ibm.com/support/docview.wss?uid=swg22013651>) \nNovember 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10115, CVE-2017-10116)](<https://www.ibm.com/support/docview.wss?uid=swg22009304>) \nJuly 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center](<https://www.ibm.com/support/docview.wss?uid=swg22005425>) \nMarch 2017| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center](<https://www.ibm.com/support/docview.wss?uid=swg22001158>) \nFebruary 2016| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575)](<https://www.ibm.com/support/docview.wss?uid=swg21975832>) \nDecember 2015| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872)](<https://www.ibm.com/support/docview.wss?uid=swg21972446>) \nDecember 2015| [Vulnerability in RC4 stream cipher affects IBM Cognos Command Center 
(CVE-2015-2808)](<https://www.ibm.com/support/docview.wss?uid=swg21713646>) \nOctober 2015| [ Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)](<https://www.ibm.com/support/docview.wss?uid=swg21967158>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects IBM Cognos Command Center (CVE-2015-4000)](<https://www.ibm.com/support/docview.wss?uid=swg21960508>) \nApril 2015| [Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2014-6593, CVE-2015-0138)](<https://www.ibm.com/support/docview.wss?uid=swg21697659>) \nJanuary 2015| [Vulnerability in SSLv3 affects IBM Cognos Command Center (CVE-2014-3566)](<https://www.ibm.com/support/docview.wss?uid=swg21690689>)", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-15T23:52:08", "type": "ibm", "title": "Security Bulletins - Cognos Command Center", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-1931", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000", 
"CVE-2015-4872", "CVE-2015-5006", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10355", "CVE-2017-10356", "CVE-2018-1417", "CVE-2018-2579", "CVE-2018-2602", "CVE-2018-2603", "CVE-2018-2633", "CVE-2018-2783", "CVE-2018-2794"], "modified": "2018-06-15T23:52:08", "id": "FC4C804F44282D78247FA90BC4C8C855819430A02725094AC97DBD89D0227589", "href": "https://www.ibm.com/support/pages/node/568995", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-01T01:38:22", "description": "## Summary\n\nMultiple vulnerabilities in the DS8000 Hardware Management Console are covered in this bulletin. \nThese include: \n\\- IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by the DS8000 \nHardware Management Console. These issues were disclosed as part of the IBM Java SDK critical patch updates in October 2015 \n\\- GNU C Library (glibc) disclosures \n\\- strongSwan disclosure \n\\- Network Time Protocol (NTP) disclosures\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n \n \n**CVEID:** [_CVE-2013-2207_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2207>)** \nDESCRIPTION:** The GNU C Library (glibc) could allow a local attacker to bypass security restrictions, caused by an error in the pt_chown() function. An attacker could exploit this vulnerability to gain unauthorized access to the pseudoterminal of other users. 
\nCVSS Base Score: 2.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/86914_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/86914>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-1781_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781>)** \nDESCRIPTION:** GNU C Library (glibc) is vulnerable to a buffer overflow, caused by improper bounds checking by the gethostbyname_r() and other related functions. By sending a specially-crafted argument, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102500_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102500>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)\n\n \n \n**CVEID:** [_CVE-2015-7547_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547>)** \nDESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nss_dns backend for the getaddrinfo() function when performing dual A/AAAA DNS queries. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110662_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110662>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2015-4171_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4171>)** \nDESCRIPTION:** strongSwan could allow a remote authenticated attacker to obtain sensitive information, caused by an error in IKEv2 connections related to server authentication with a certificate and EAP or pre-shared keys. An attacker could exploit this vulnerability to obtain user credentials and other sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103885_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103885>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2015-7691_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691>)** \nDESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107449_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107449>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2015-7703_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703>)** \nDESCRIPTION:** Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system, caused by the failure to enforce local access only of the \"pidfile\" and \"driftfile\" configuration directives. An attacker could exploit this vulnerability to view arbitrary files on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107445_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107445>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2015-7848_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848>)** \nDESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by multiple integer overflows when processing malicious packets. By sending a specially crafted private mode packet, an attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107443_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107443>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-7850_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850>)** \nDESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in the remote configuration functionality. 
By sending a specially crafted configuration file, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107441_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107441>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-7851_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851>)** \nDESCRIPTION:** Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the save_config function containing directory traversal sequences to view arbitrary files on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107440_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107440>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-7855_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855>)** \nDESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by ASSERT botch instead of returning FAIL on some invalid values by the decodenetnum() function. An attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107448_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107448>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nDS8700/DS8800 R6.3 DS8870 R7.x DS8000 R8.X\n\n## Remediation/Fixes\n\n**IBM strongly suggests that you install the vulnerability patch identified immediately below: ** \n. 
 \n \nThe patch **CVE_1Q2016_v1.0** is available May 20th 2016 and can be applied to systems which are at **or above** the levels shown below: \n \nUsers at code levels earlier than these are advised to upgrade to the recommended code levels and then apply the patch. See <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456> \n \n**NOTE: This patch supersedes the patch CVE_3Q2015_v1.0 and contains all the remediations listed in **[**http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005375**](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005375>)** as well as those noted in this bulletin.** \n \nPlease contact IBM support to install this patch if required. \n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nDS8880| 88.0.X.X (R8.0) | May 20th 2016 \nDS8870| 87.51.14.X (R7.5) | May 20th 2016 \nDS8870| 87.41.17.X (R7.4) | May 20th 2016 \nDS8800| 86.31.167.X (R6.3)| May 20th 2016 \nDS8700| 76.31.143.X (R6.3)| May 20th 2016 \n \nThis bulletin will be updated to indicate code levels which include these fixes\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nMay 23 2016 - 
Publish to support site \nMay 25 2016 -Minor changes and typographic corrections. Added link to CVSS3 \nMay 31 2016. Add impacted version section and clarify patchable versions. Remove headers from CVEID section\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"ST5GLJ\",\"label\":\"DS8880\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"N\\/A\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"ST8NCA\",\"label\":\"Disk systems->DS8870\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"STUVMB\",\"label\":\"Disk systems->DS8700\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"STXN8P\",\"label\":\"IBM DS8800\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of 
Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"ST5GLJ\",\"label\":\"DS8880\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T17:06:20", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities impact System Storage DS8000 Hardware Management Console (HMC)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2207", "CVE-2015-1781", "CVE-2015-4171", "CVE-2015-4872", "CVE-2015-7547", "CVE-2015-7691", "CVE-2015-7703", "CVE-2015-7848", "CVE-2015-7850", "CVE-2015-7851", "CVE-2015-7855"], "modified": "2022-05-24T17:06:20", "id": "E432D69FD747FEBA35F4B0BF60914AF5A4926D2D00F81B81D0023873400BEE1C", "href": "https://www.ibm.com/support/pages/node/691263", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:05:24", "description": "## Summary\n\nIBM Tivoli System Automation for 
Multiplatforms is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automation for Multiplatforms has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM Tivoli System Automation for Multiplatforms for vulnerability details and information about fixes. \n \n\n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-0466, CVE-2015-7575)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977127>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21971479&myns=swgtiv&mynp=OCSSRM2X&mync=E&cm_sp=swgtiv-_-OCSSRM2X-_-E>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21970548>) \n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21967199>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-1283)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967199>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2015-3183)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967197>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000, 
CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963330>) \n \n\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000)](<www.ibm.com/support/docview.wss?uid=swg21960862>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-1914, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21957951>) \n \n\n * [Security Bulletin: Vulnerability in WebSphere Application Server affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957952>) \n \n\n * [Security Bulletin: Vulnerability in IBM Tivoli System Automation for Multiplatforms (CVE-2014-0453)](<http://www-01.ibm.com/support/docview.wss?uid=swg21680562>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation for Multiplatforms (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882749>). 
\n \n\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-3566, CVE-2014-6468, CVE-2014-6457) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698239>)\n\n## Affected Products and Versions\n\n**Principal Product and Version**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3 \n\nIBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix1, 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.3\n\n| IBM Tivoli System Automation for Multiplatforms 4.1 \nIBM SmartCloud Orchestrator 2.3, 2.3.0.1 \n\nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1\n\n| IBM Tivoli System Automation for Multiplatforms 3.2.2 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n* 20 May 2016: Last update new bulletins \n* 30 April 2015: Original copy published\n\n*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nCVE-Ids: CVE-2014-6593, CVE-2015-0410, CVE-2015-0138, CVE-2014-3566, CVE-2014-6468, CVE-2014-6457, CVE-2015-2808, CVE-2014-0453, CVE-2015-1920, CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-1914, CVE-2015-0204, CVE-2015-4000,CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749, CVE-2015-3183, CVE-2015-1283, CVE-2015-2017, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, CVE-2015-4734, CVE-2015-5006 CVE-2016-0466, CVE-2015-7575 \nChange History \n[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2014-3566, CVE-2014-6468, CVE-2014-6457)](<http://www.ibm.com/support/docview.wss?uid=swg21691929>) \n<http://www.ibm.com/support/docview.wss?uid=swg21691929> \n \n* 08 February 2016: Add new bulletin for CVE-2015-4872; CVE-2015-4911; CVE-2015-4893; CVE-2015-4803; CVE-2015-4734; CVE-2015-5006 \n* 27 January 2016: Added Security Bulletin for CVE-2015-2017 and updated version in affected products \n* 19 October 2015: Added Security Bulletins for WAS (CVE-2015-1283; CVE-2015-3183) and link to Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation for Multiplatforms (CVE-2015-4000; CVE-2015-2613; CVE-2015-2601; CVE-2015-2625; CVE-2015-1931; CVE-2015-4749) \n* 19 August 2015: added IBM Cloud Orchestrator 2.5 product version and links to IBM\u00ae SDK JavaTM Technology Edition July 2015 including Logjam on top of vulnerability details \n* 31 July 2015: added links to Diffie-Hellman; IBM Runtime Environment and IBM\u00ae SDK JavaTM Technology Edition April 2015\n\n[{\"Product\":{\"code\":\"SS4KMC\",\"label\":\"IBM SmartCloud Orchestrator\"},\"Business 
Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.3;2.3.0.1;2.4;2.4.0.1;2.4.0.2;2.4.0.3;2.5;2.5.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0453", "CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6468", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0204", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-1283", "CVE-2015-1914", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1931", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-5006", "CVE-2015-7575", 
"CVE-2016-0466"], "modified": "2018-06-17T22:33:02", "id": "5D0CC6456D2278646647F1A4FEFECEB673F2B5D1F99FBBC5755735CEF5AA6268", "href": "https://www.ibm.com/support/pages/node/261391", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:01:50", "description": "## Summary\n\nThere are multiple security vulnerabilities in various components used by IBM Security Identity Manager Virtual Appliance\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0402_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109947_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109947>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2016-0448_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109949_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109949>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)\n\n \n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [_CVE-2015-3195_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory leak in a malformed X509_ATTRIBUTE structure. An attacker could exploit this vulnerability to obtain CMS data and other sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108504_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108504>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2015-3196_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196>)** \nDESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a race condition when PSK identity hints are received by a multi-threaded client and the SSL_CTX structure is updated with the incorrect value. An attacker could exploit this vulnerability to possibly corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108505_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108505>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2015-5312_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312>)** \nDESCRIPTION:** An unspecified error in Libxml2 related to an entity expansion flaw has an unknown impact and attack vector. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108319_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108319>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2015-7497_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497>)** \nDESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlDictComputeFastQKey() function. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108320_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108320>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-7498_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498>)** \nDESCRIPTION:** An unspecified error in Libxml2 related to the processing of entities after encoding conversion failures have occurred has an unknown impact and attack vector. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108321_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108321>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2015-7499_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499>)** \nDESCRIPTION:** An unspecified error in Libxml2 related to some parser errors has an unknown impact and attack vector. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108322_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108322>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2015-7500_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500>)** \nDESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a memory access error when handling invalid entity boundaries. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108323_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108323>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-7941_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941>)** \nDESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlParseEntityDecl or xmlParseConditionalSections function. By using specially-crafted XML data, a remote attacker could exploit this vulnerability to trigger an out-of-bounds read and cause the system to crash. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-7942_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942>)** \nDESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlParseConditionalSections function. 
By using specially-crafted XML data, a remote attacker could exploit this vulnerability to trigger an out-of-bounds read and cause the system to crash. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108073_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108073>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-8241_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241>)** \nDESCRIPTION:** libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser in xmlNextChar. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108169_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108169>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2015-8242_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242>)** \nDESCRIPTION:** libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTML parser in push mode in xmlSAX2TextNode. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108170_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108170>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2015-8317_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317>)** \nDESCRIPTION:** libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the xmlParseXMLDecl function. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108316_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108316>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Security Identity Manager Virtual Appliance versions 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.1\n\n## Remediation/Fixes\n\nEnsure that the version listed below is installed on the system. 
\n\nProduct Version| Fix level \n---|--- \nIBM Security Identity Manager (ISIM) Virtual Appliance releases 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.1| If current release version is 7.0.0.0, 7.0.0.1, 7.0.0.2 or 7.0.0.3, apply: \nIBM Security Identity Manager (ISIM) 7.0.1 release [7.0.1-ISS-SIM-FP0000](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.1&platform=All&function=all>) \n \nthen apply: \nIBM Security Identity Manager (ISIM) [7.0.1.0-ISS-SIM-IF0002](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.1.0&platform=All&function=all>) \n \nNote: 7.0.1.0-ISS-SIM-IF0002 contains the content of 7.0.1.0-ISS-SIM-IF0001. It is not required to install both interim fixes. \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n2016/03/30: Initial Draft\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSRMWJ\",\"label\":\"IBM Security Identity Manager\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Identity Manager Virtual Appliance\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"7.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:40:57", "type": "ibm", "title": "Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3195", "CVE-2015-3196", "CVE-2015-4872", "CVE-2015-5312", "CVE-2015-7497", "CVE-2015-7498", "CVE-2015-7499", "CVE-2015-7500", "CVE-2015-7941", "CVE-2015-7942", "CVE-2015-8241", "CVE-2015-8242", "CVE-2015-8317", "CVE-2016-0402", 
"CVE-2016-0448"], "modified": "2018-06-16T21:40:57", "id": "AACF6F6443D6B1F43A3B1EB2158C0974A7E3740F82735809A14DB68D406E34ED", "href": "https://www.ibm.com/support/pages/node/546727", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-28T22:14:11", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.5 and 1.7 that is used by FSM. These issues were disclosed as part of the IBM Java SDK updates in October 2015. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.x \nFlex System Manager 1.3.3.x \nFlex System Manager 1.3.2.x\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nFlex System Manager| 1.3.4.x| IT14621| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [793333631](<http://www-01.ibm.com/support/docview.wss?uid=nas74c6a4cb2c614bdea8625803d00545a86>) for instructions on installing updates for FSM version 1.3.4 and Agents. \nFlex System Manager| 1.3.3.x| IT14621| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [793333631](<http://www-01.ibm.com/support/docview.wss?uid=nas74c6a4cb2c614bdea8625803d00545a86>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.x| IT14621| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [793333631](<http://www-01.ibm.com/support/docview.wss?uid=nas74c6a4cb2c614bdea8625803d00545a86>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n\nFor 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product. \n\nYou should verify applying this fix does not cause any compatibility issues. 
The fix disables older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nnone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n09 October 2016 : Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nAdv 4021 / PRID 64138\n\n[{\"Product\":{\"code\":\"HW94A\",\"label\":\"Flex System Manager Node\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2018-06-18T01:33:35", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903"], "modified": "2018-06-18T01:33:35", "id": "7050868C4E43344032EEEC3BD66165B3495441215B8697E295343464376234CA", "href": "https://www.ibm.com/support/pages/node/629797", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T13:50:37", "description": "## Summary\n\nSeveral vulnerabilities have been addressed for: IBM SDK Java Technology Edition Quarterly CPU Oct 2015, including Oracle Oct 2015 CPU; IBM SDK Java Technology Edition Quarterly CPU Jan 2016, including Oracle Jan 2016 CPU; Java specific SLOTH Weak MD5 Signature Hash; and several OpenSSL vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>) \n**DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. 
\nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n\n**CVEID:** [_CVE-2016-0494_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109944_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109944>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2016-0483_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109945_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109945>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-8472_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8472>) \n**DESCRIPTION:** libpng is vulnerable to a buffer overflow, caused by improper bounds checking by the png_get_PLTE() and png_set_PLTE() functions. By persuading a victim to open a specially crafted PNG image, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. 
\nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109392_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109392>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-0475_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109946_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109946>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2016-0466_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109948_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109948>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-0402_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109947_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109947>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-7575_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>) \n**DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109415_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109415>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)\n\n**CVEID:** [_CVE-2016-0448_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109949_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109949>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5041_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5041>) \n**DESCRIPTION:** A flaw in the IBM J9 JVM allows code to invoke non-public interface methods under these circumstances. Untrusted code could potentially exploit this. 
This could lead to sensitive data being exposed to an attacker, or the attacker being able to inject bad data. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106719_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106719>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2015-7981_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981>) \n**DESCRIPTION:** libpng could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the png_convert_to_rfc1123 function. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107740_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107740>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-8540_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540>) \n**DESCRIPTION:** libpng is vulnerable to a buffer overflow, caused by a read underflow in png_check_keyword in pngwutil.c. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109219_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109219>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8126_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126>) \n**DESCRIPTION:** libpng is vulnerable to a buffer overflow, caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions. 
By persuading a victim to open a specially-crafted PNG file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108010_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108010>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4881_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107341_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107341>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4868_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107348_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107348>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>) \n**DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3193_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the x86_64 Montgomery squaring procedure. An attacker with online access to an unpatched system could exploit this vulnerability to obtain private key information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108502_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108502>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3194_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when verifying certificates via a malformed routine. An attacker could exploit this vulnerability using signature verification routines with an absent PSS parameter to cause any certificate verification operation to crash. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108503_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108503>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-3195_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory leak in a malformed X509_ATTRIBUTE structure. An attacker could exploit this vulnerability to obtain CMS data and other sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108504_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108504>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3196_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a race condition when PSK identity hints are received by a multi-threaded client and the SSL_CTX structure is updated with the incorrect value. An attacker could exploit this vulnerability to possibly corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108505_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108505>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-1794_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1794>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. 
An attacker could exploit this vulnerability to trigger a segfault and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108539_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108539>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n * IBM Cognos Insight 10.2.0\n * IBM Cognos Insight 10.2.1\n * IBM Cognos Insight 10.2.2\n\n## Remediation/Fixes\n\n \nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n**Cognos Insight Standard Edition 10.2 Fix Pack 1 Interim Fix 5**\n\nLink: [_http://www-01.ibm.com/support/docview.wss?uid=swg24041845_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041845>)\n\n**Cognos Insight Standard Edition 10.2.1 Fix Pack 2 Interim Fix 5**\n\nLink: [_http://www-01.ibm.com/support/docview.wss?uid=swg24041847_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041847>)\n\n**Cognos Insight Standard Edition 10.2.2 Fix Pack 5**\n\n[_http://www-01.ibm.com/support/docview.wss?uid=swg24041745_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041745>)\n\n**Cognos Insight Standard Edition 10.2.2 Fix Pack 5 IF1**\n\nLink: [_http://www.ibm.com/support/docview.wss?uid=swg24041909_](<http://www.ibm.com/support/docview.wss?uid=swg24041909>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator 
v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSVJ22\",\"label\":\"Cognos Insight\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.2.2;10.2.1;10.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-02-24T07:27:10", "type": "ibm", "title": "Security Bulletin:Multiple Security Vulnerabilities exist in IBM Cognos Insight", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1794", "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3196", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", 
"CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006", "CVE-2015-5041", "CVE-2015-7575", "CVE-2015-7981", "CVE-2015-8126", "CVE-2015-8472", "CVE-2015-8540", "CVE-2016-0402", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0475", "CVE-2016-0483", "CVE-2016-0494"], "modified": "2020-02-24T07:27:10", "id": "01545BBBB6B56A1AC3585E8A2BF8E87AD6E3B38925ACB3EDBB6DE4177CC56BBF", "href": "https://www.ibm.com/support/pages/node/546035", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-10T17:51:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Oct 2015 - Includes Oracle Oct 2015 CPU + CVE-2015-5006; IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs; IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU + 3 IBM CVEs and OpenSSL vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-1794_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1794>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. An attacker could exploit this vulnerability to trigger a segfault and cause a denial of service. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108539_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108539>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2015-3193_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the x86_64 Montgomery squaring procedure. An attacker with online access to an unpatched system could exploit this vulnerability to obtain private key information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108502_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108502>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3194_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when verifying certificates via a malformed routine. An attacker could exploit this vulnerability using signature verification routines with an absent PSS parameter to cause any certificate verification operation to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108503_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108503>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-3195_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory leak in a malformed X509_ATTRIBUTE structure. 
An attacker could exploit this vulnerability to obtain CMS data and other sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108504_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108504>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3196_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a race condition when PSK identity hints are received by a multi-threaded client and the SSL_CTX structure is updated with the incorrect value. An attacker could exploit this vulnerability to possibly corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108505_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108505>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2015-3197_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by an error related to the negotiation of disabled SSLv2 ciphers by malicious SSL/TLS clients. An attacker could exploit this vulnerability to conduct man-in-the-middle attacks. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110235_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110235>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-5006_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5006>) \n**DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0466_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE, Java SE Embedded and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109948_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109948>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-0448_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109949_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109949>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0702_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111144_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111144>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-0705_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111140_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111140>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-0799_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory error in the BIO_*printf() functions. An attacker could exploit this vulnerability using specially crafted data to trigger an out-of-bounds read. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111143_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111143>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-2107_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server supports AES-NI. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt traffic. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112854_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112854>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-2176_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information. By sending an overly long ASN.1 string to the X509_NAME_oneline() function, an attacker could exploit this vulnerability to return arbitrary stack data in the buffer. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112858_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112858>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-2842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2842>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to verify that a certain memory allocation succeeds by the doapr_outch function. 
A remote attacker could exploit this vulnerability using a specially crafted string to cause an out-of-bounds write or consume an overly large amount of resources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111304_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111304>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-3427_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE, Java SE Embedded and JRockit related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM Cognos Express 10.1.x \n\nIBM Cognos Express 10.2.1\n\nIBM Cognos Express 10.2.2\n\n## Remediation/Fixes\n\n**IBM Cognos Express 10.2.1**\n\n \nThe recommended solution is to apply the fix for versions listed as soon as practical. \n\n\n[**IBM Cognos Express 10.2.1 FP4 IF 1**](<http://www.ibm.com/support/docview.wss?uid=swg24042909>)\n\n**IBM Cognos Express 10.2.2**\n\n \nIBM Cognos TM1 and IBM Cognos Business Intelligence are shipped as components of IBM Cognos Express. Information about a security vulnerability affecting IBM Cognos TM1 and IBM Cognos Business Intelligence has been published in their respective Security Bulletins. 
\n \n[Security Bulletin: IBM Cognos TM1 is affected by multiple vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21987174>) \n \n[Security Bulletin: IBM Cognos Business Intelligence Sever 2016Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21984323>)\n\n**IBM Cognos Express 10.1.x**\n\n \nIBM Cognos Express 10.1.x customers should upgrade to a more current version and apply the corresponding update. Please contact Customer Support with any questions. \n \n<https://www-947.ibm.com/support/entry/myportal/product/cognos/cognos_express?productContext=-15869866>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SSDL22\",\"label\":\"IBM Planning Analytics Express\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.1;10.2.1;10.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-10T12:20:27", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1794", "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3196", "CVE-2015-3197", 
"CVE-2015-4803", "CVE-2015-4893", "CVE-2015-4911", "CVE-2015-5006", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0702", "CVE-2016-0705", "CVE-2016-0799", "CVE-2016-2107", "CVE-2016-2176", "CVE-2016-2842", "CVE-2016-3427"], "modified": "2022-11-10T12:20:27", "id": "4E95B5EB959CBE5490B90287812FD445A690A3158E83D37882EADCE4A7BCD44F", "href": "https://www.ibm.com/support/pages/node/554777", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-25T19:28:24", "description": "## Summary\n\nMultiple N Series Products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 8u65, 7u91 and 6u105 and OpenJDK versions below 1.7.0.91 and 1.8.0.65 are susceptible to multiple vulnerabilities, potentially leading to an unauthorized Operating System takeover, a partial denial of service (DOS), an unauthorized read, update, insert or delete access to a subset of Java SE accessible data. \n\n## Vulnerability Details\n\n**CVE Information: (copy/paste-able; will update after page submission. Provided by system to make it easy to cut and paste data.)**\n\n**CVEID:** [_CVE-2015-4844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107346_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107346>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107342_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107342>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4805_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107345_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107345>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4860_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107344_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107344>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4883_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107343_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107343>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4881_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107341_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107341>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4835_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact. 
\nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107340_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107340>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4868_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 7.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107348_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107348>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4810_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 6.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107349_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107349>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n**CVEID:** [_CVE-2015-4806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107350_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107350>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107351_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107351>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4902_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107352_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107352>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4872_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4911_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107360_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107360>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4893_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107353_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107353>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107355_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107355>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4882_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4903_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107357_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107357>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4803_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107358_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107358>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2015-4734_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nNS OnCommand Core Package: 5.2, 5.2R1, 5.2.1P1, 5.2.1P2; \nSnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4; \nSnapManager for SAP: 3.2, 3.3, 3.3.1, 3.4; \nVirtual Storage Console for VMware vSphere: 6.0, 6.1;\n\n## Remediation/Fixes\n\nFor NS OnCommand Core Package: the fix exists from microcode version: 5.2.2; \nFor_ _SnapManager for Oracle: the fix exists from microcode version 3.4P2; \nFor_ _SnapManager for SAP: the fix exists from microcode version 3.4P2; \nFor Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2; \n \nPlease contact IBM support or go to this [_link_](<https://www-945.ibm.com/support/fixcentral/>) to download a supported release.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n26 June 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\n<https://kb.netapp.com/support/s/article/ka51A00000007NQQAY/october-2015-java-platform-standard-edition-vulnerabilities-in-multiple-netapp-products?language=en_US>\n\n[{\"Product\":{\"code\":\"STQM4Q\",\"label\":\"Network Attached Storage (NAS)->SnapManager for Oracle\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.4;3.3.1;3.3;3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2018-06-18T00:32:30", "type": "ibm", "title": "Security Bulletin: October 2015 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911"], "modified": "2018-06-18T00:32:30", "id": "F6CF75F885C8ACB4B02719CD9377D583D38D5807B662456BBACFE07218EDDF34", "href": "https://www.ibm.com/support/pages/node/696967", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:49", "description": "## Question\n\nSecurity Bulletins for Emptoris Services Procurement\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Services Procurement.** \n \nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm\">)\" for details.? Please use this information to take the appropriate actions. \n \nIn our effort to serve you better we recommend that you subscribe to this article for notification of new Security Bulletins and advisories posted here. 
\n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM _**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)[**_Emptoris_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)**_[ Strategic Supply Management and IBM Emptoris Services Procurement products](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)_**\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: IBM Emptoris Services Procurement is affected by Information leakage vulnerability (CVE-2017-1547)_**](<http://www-01.ibm.com/support/docview.wss?uid=swg22007770>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22004442>)**\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22003479>)**\n \nJune 13th 2017\n\n * 
**[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004642>)**\n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg22004706>)**\n \nJune 12th 2017\n\n * **[Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1137)](<http://www.ibm.com/support/docview.wss?uid=swg22004666>)**\n \nJun 12 2017\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. **](<http://www-01.ibm.com/support/docview.wss?uid=swg22004666&myns=swgother&mynp=OCSSYQ72&mynp=OCSSYR6U&mynp=OCSSYQAR&mynp=OCSSYR8W&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYQ72-OCSSYR6U-OCSSYQAR-OCSSYR8W-OCSSYRER-OCSSYQ89-_-E>)\n \n \nJan 18 2017\n\n * **[S](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)**[**ecurity Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement** ](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)\n \n \nJuly 14 2016\n\n * [**Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21986797>)\n \n \nMarch 7 2016\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect 
IBM Emptoris Strategic Supply **](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[Management](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[** and IBM Emptoris Services Procurement (CVE-2015-7575 CVE-2016-0466 CVE-2015-7417)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)\n \nDecember 15 2015\n\n * [**Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server used with IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2015-4872)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21972272>)\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n \nNovember 06 2015\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**](<http://www-01.ibm.com/support/docview.wss?uid=swg21969875>)\n \nAugust 26th 2015\n\n * **Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**\n \nJune 24th 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://emptoris.support.ibmcloud.com/ics/support/default.asp?deptID=31019&task=knowledge&questionID=21574&languageID=>)**\n \nApril 8th 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\nJanuary 27th 2015\n * **[IBM 
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\nJanuary 20th 2015\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Services Procurement (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21694987>)**\nSeptember 17th 2014\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T16:15:01", "type": "ibm", "title": "Security Bulletins for Emptoris Services Procurement", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4872", "CVE-2015-7417", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0466", "CVE-2016-3092", "CVE-2016-3427", "CVE-2016-8919", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501", "CVE-2017-1547"], "modified": "2018-12-08T16:15:01", "id": "7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "href": "https://www.ibm.com/support/pages/node/783543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:50:26", "description": "IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR2, 7 R1 before SR3 FP20, 7 before SR9 FP20, 6 R1 before SR8 FP15, and 6 before SR16 FP15 allow physically proximate attackers to obtain sensitive information by reading the Kerberos Credential Cache.", "cvss3": {}, "published": "2015-12-07T20:59:00", "type": "cve", "title": "CVE-2015-5006", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5006"], "modified": "2019-06-19T15:35:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:7.0", 
"cpe:/o:redhat:enterprise_linux_server_eus:6.7", "cpe:/o:suse:linux_enterprise_server:11", "cpe:/o:redhat:enterprise_linux_desktop:5.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/a:ibm:java_2_sdk:5.0.16.13", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_workstation:5.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/o:suse:linux_enterprise_software_development_kit:11", "cpe:/a:redhat:satellite:5.7", "cpe:/o:redhat:enterprise_linux_server:5.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:suse:linux_enterprise_server:12", "cpe:/o:suse:linux_enterprise_software_development_kit:12", "cpe:/a:redhat:satellite:5.6", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2"], "id": "CVE-2015-5006", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5006", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:12:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:satellite:5.7:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:satellite:5.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:java_2_sdk:5.0.16.13:*:*:*:technology:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-05-13T16:43:04", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security.", "cvss3": {}, "published": "2015-10-21T23:59:00", "type": "cve", "title": "CVE-2015-4872", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2022-05-13T14:38:00", "cpe": ["cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jrockit:r28.3.7"], "id": "CVE-2015-4872", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4872", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update51:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update85:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_101:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update101:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_85:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_51:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_60:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-08-04T14:14:48", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE\nEmbedded 8u51; and JRockit R28.3.7 allows remote attackers to affect\nintegrity via unknown vectors related to Security.", "cvss3": {}, "published": "2015-10-21T00:00:00", "type": "ubuntucve", "title": "CVE-2015-4872", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2015-10-21T00:00:00", "id": "UB:CVE-2015-4872", "href": "https://ubuntu.com/security/CVE-2015-4872", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2021-06-08T19:14:50", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {}, "published": "2015-11-20T00:00:00", "type": "f5", "title": "SOL93203055 - Java vulnerability CVE-2015-4872", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2015-11-20T00:00:00", "id": "SOL93203055", "href": "http://support.f5.com/kb/en-us/solutions/public/k/93/sol93203055.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-08T00:16:03", "description": "\nF5 Product Development has assigned INSTALLER-1946 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the 
vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, 
you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "cvss3": {}, "published": "2015-11-21T01:12:00", "type": "f5", "title": "Java vulnerability CVE-2015-4872", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2016-01-09T02:33:00", "id": "F5:K93203055", "href": "https://support.f5.com/csp/article/K93203055", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], 
"debiancve": [{"lastseen": "2023-01-29T18:08:19", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security.", "cvss3": {}, "published": "2015-10-21T23:59:00", "type": "debiancve", "title": "CVE-2015-4872", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4872"], "modified": "2015-10-21T23:59:00", "id": "DEBIANCVE:CVE-2015-4872", "href": "https://security-tracker.debian.org/tracker/CVE-2015-4872", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-01-11T15:03:12", "description": "The version of Oracle JRockit installed on the remote Windows host is R28 prior to R28.3.8. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple denial of service vulnerabilities exist due to multiple unspecified flaws in the JAXP subcomponent. A remote attacker can exploit these flaws to cause a denial of service condition. 
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\n - An unspecified flaw exists in the Security subcomponent that allows a remote attacker to impact integrity.\n (CVE-2015-4872)", "cvss3": {}, "published": "2015-10-21T00:00:00", "type": "nessus", "title": "Oracle JRockit R28 < R28.3.8 Multiple Vulnerabilities (October 2015 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4803", "CVE-2015-4872", "CVE-2015-4893", "CVE-2015-4911"], "modified": "2019-11-20T00:00:00", "cpe": ["cpe:/a:oracle:jrockit"], "id": "ORACLE_JROCKIT_CPU_OCT_2015.NASL", "href": "https://www.tenable.com/plugins/nessus/86474", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86474);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2015-4803\",\n \"CVE-2015-4872\",\n \"CVE-2015-4893\",\n \"CVE-2015-4911\"\n );\n\n script_name(english:\"Oracle JRockit R28 < R28.3.8 Multiple Vulnerabilities (October 2015 CPU)\");\n script_summary(english:\"Checks the version of jvm.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A programming platform installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle JRockit installed on the remote Windows host is\nR28 prior to R28.3.8. 
It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple denial of service vulnerabilities exist due to\n multiple unspecified flaws in the JAXP subcomponent. A\n remote attacker can exploit these flaws to cause a\n denial of service condition. (CVE-2015-4803,\n CVE-2015-4893, CVE-2015-4911)\n\n - An unspecified flaw exists in the Security subcomponent\n that allows a remote attacker to impact integrity.\n (CVE-2015-4872)\");\n # http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?75a4a4fb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JRockit version R28.3.8 or later as referenced in\nthe October 2015 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4872\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jrockit\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_jrockit_installed.nasl\");\n script_require_keys(\"installed_sw/Oracle JRockit\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Oracle JRockit\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nver = install['version'];\ntype = install['type'];\npath = install['path'];\n\nif (ver =~ \"^28(\\.3)?$\") audit(AUDIT_VER_NOT_GRANULAR, app, ver);\nif (ver !~ \"^28\\.3($|[^0-9])\") audit(AUDIT_NOT_INST, app + \" 28.3.x\");\n\n# Affected :\n# 28.3.7.x\nif (ver =~ \"^28\\.3\\.7($|[^0-9])\")\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n # The DLL we're looking at is a level deeper in the JDK, since it\n # keeps a subset of the JRE in a subdirectory.\n if (type == \"JDK\") path += \"\\jre\";\n path += \"\\bin\\jrockit\\jvm.dll\";\n\n report =\n '\\n Type : ' + type +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 28.3.8' +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T15:04:25", "description": "Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP15 release. All running instances of IBM Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2015-11-24T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:2508)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", 
"CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.7"], "id": "REDHAT-RHSA-2015-2508.NASL", "href": "https://www.tenable.com/plugins/nessus/87049", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2508. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87049);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4835\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-5006\"\n );\n script_xref(name:\"RHSA\", value:\"2015:2508\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:2508)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.6.0-ibm packages that fix several 
security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nalerts page, listed in the References section. (CVE-2015-4734,\nCVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835,\nCVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860,\nCVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893,\nCVE-2015-4902, CVE-2015-4903, CVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR16-FP15 release. 
All running\ninstances of IBM Java must be restarted for the update to take effect.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2015:2508\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4902\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4843\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4872\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4883\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4734\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4882\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4903\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4806\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4803\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/cve-2015-4835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-5006\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2506\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:05:34", "description": "This update for java-1_8_0-ibm fixes the following issues :\n\n - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir.\n\n - Provide %{name} instead of %{sdklnk} only in\n _jvmprivdir. (bsc#941939)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-12-16T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2015:2268-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2015-2268-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87405", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:2268-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87405);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n 
\"CVE-2015-4806\",\n \"CVE-2015-4810\",\n \"CVE-2015-4835\",\n \"CVE-2015-4840\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4871\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-4911\",\n \"CVE-2015-5006\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2015:2268-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for java-1_8_0-ibm fixes the following issues :\n\n - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734\n CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810\n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir.\n\n - Provide %{name} instead of %{sdklnk} only in\n _jvmprivdir. (bsc#941939)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=941939\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=955131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4734/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4803/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4805/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4806/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4810/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4835/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4840/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4842/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4843/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4844/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4860/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4871/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4872/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4882/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4883/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4893/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4902/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4903/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4911/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5006/\");\n # https://www.suse.com/support/update/announcement/2015/suse-su-20152268-1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6501e6ec\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP1-2015-965=1\n\nSUSE Linux Enterprise Server 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP1-2015-965=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr2.0-4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr2.0-4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-ibm-1.8.0_sr2.0-4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:04:52", "description": "The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following components :\n\n - 2D\n - CORBA\n - Deployment\n - JAXP\n - JGSS\n - Libraries\n - RMI\n - Security\n - Serialization", "cvss3": {}, "published": "2015-12-15T00:00:00", "type": "nessus", "title": "AIX Java Advisory : java_oct2015_advisory.asc (October 2015 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", 
"CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/o:ibm:aix", "cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "AIX_JAVA_OCT2015_ADVISORY.NASL", "href": "https://www.tenable.com/plugins/nessus/87374", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87374);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4810\",\n \"CVE-2015-4835\",\n \"CVE-2015-4840\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4871\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-4911\",\n \"CVE-2015-5006\"\n );\n script_bugtraq_id(\n 77126,\n 77148,\n 77160,\n 77162,\n 77163,\n 77164,\n 77181,\n 77192,\n 77194,\n 77200,\n 77207,\n 77209,\n 77211,\n 77221,\n 77229,\n 77238,\n 77241,\n 77242,\n 77645\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"AIX Java Advisory : java_oct2015_advisory.asc (October 2015 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of Java SDK installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Java SDK installed on the remote AIX host is affected\nby multiple vulnerabilities in the following components :\n\n - 2D\n - CORBA\n - Deployment\n - JAXP\n - JGSS\n - Libraries\n - RMI\n - Security\n - Serialization\");\n # http://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3ec7968e\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1889ff01\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5ba751ee\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce533d8f\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17d05c61\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d4595696\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9abd5252\");\n # 
https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ee03dc1\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f7a066c\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52d4ddf3\");\n # https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?343fa903\");\n script_set_attribute(attribute:\"solution\", value:\n\"Fixes are available by version and can be downloaded from the IBM AIX\nwebsite.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item_or_exit(\"Host/AIX/version\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" && oslevel != \"AIX-7.2\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1 / 7.2\", oslevel);\n}\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\n\n#Java5 5.0.0.620\nif (aix_check_package(release:\"5.3\", package:\"Java5.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java5.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java5.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java5.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"5.3\", package:\"Java5_64.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java5_64.sdk\", minpackagever:\"5.0.0.0\", 
maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java5_64.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java5_64.sdk\", minpackagever:\"5.0.0.0\", maxpackagever:\"5.0.0.619\", fixpackagever:\"5.0.0.620\") > 0) flag++;\n\n#Java6 6.0.0.510\nif (aix_check_package(release:\"5.3\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"5.3\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.509\", fixpackagever:\"6.0.0.510\") > 0) flag++;\n\n#Java7 7.0.0.270\nif (aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", 
maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.269\", fixpackagever:\"7.0.0.270\") > 0) flag++;\n\n#Java7.1 7.1.0.150\nif (aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.149\", fixpackagever:\"7.1.0.150\") > 0) flag++;\n\n#Java8.0 8.0.0.70\nif (aix_check_package(release:\"6.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", 
maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.69\", fixpackagever:\"8.0.0.70\") > 0) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_get()\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Java5 / Java6 / Java7 / Java8\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:04:38", "description": "Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. 
(CVE-2015-4805, CVE-2015-4806, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4883, CVE-2015-4902, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nIBM Java SDK and JRE 5.0 will not receive software updates after September 2015. This date is referred to as the End of Service (EOS) date. Customers are advised to migrate to current versions of IBM Java at this time. IBM Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise Linux 5 and 6 Supplementary content sets and will continue to receive updates based on IBM's lifecycle policy, linked to in the References section.\n\nCustomers can also consider OpenJDK, an open source implementation of the Java SE specification. OpenJDK is available by default on supported hardware architectures.\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP14 release. All running instances of IBM Java must be restarted for this update to take effect.", "cvss3": {}, "published": "2015-11-30T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:2518)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4902", "CVE-2015-4903"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm", 
"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.7"], "id": "REDHAT-RHSA-2015-2518.NASL", "href": "https://www.tenable.com/plugins/nessus/87099", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2518. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87099);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4872\",\n \"CVE-2015-4883\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\"\n );\n script_xref(name:\"RHSA\", value:\"2015:2518\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:2518)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.5.0-ibm packages that fix several security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the\nIBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nalerts page, listed in the References section. (CVE-2015-4805,\nCVE-2015-4806, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860,\nCVE-2015-4872, CVE-2015-4883, CVE-2015-4902, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nIBM Java SDK and JRE 5.0 will not receive software updates after\nSeptember 2015. This date is referred to as the End of Service (EOS)\ndate. Customers are advised to migrate to current versions of IBM Java\nat this time. IBM Java SDK and JRE versions 6 and 7 are available via\nthe Red Hat Enterprise Linux 5 and 6 Supplementary content sets and\nwill continue to receive updates based on IBM's lifecycle policy,\nlinked to in the References section.\n\nCustomers can also consider OpenJDK, an open source implementation of\nthe Java SE specification. OpenJDK is available by default on\nsupported hardware architectures.\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP14 release. 
All running\ninstances of IBM Java must be restarted for this update to take\neffect.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://developer.ibm.com/javasdk/support/lifecycle/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2015:2518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4902\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4843\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4872\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4883\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4903\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4806\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2015-4805\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4883\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2518\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5\")) 
flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.5.0-ibm / java-1.5.0-ibm-accessibility / java-1.5.0-ibm-demo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:05:36", "description": "The java-1_7_1-ibm package was updated to version 7.1-3.20 to fix several security and non security issues :\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to 
provide %{name} instead of %{sdklnk} only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-12-04T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2182-1) (FREAK)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2015-2182-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87200", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from 
SUSE update advisory SUSE-SU-2015:2182-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87200);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-0204\",\n \"CVE-2015-0458\",\n \"CVE-2015-0459\",\n \"CVE-2015-0469\",\n \"CVE-2015-0477\",\n \"CVE-2015-0478\",\n \"CVE-2015-0480\",\n \"CVE-2015-0488\",\n \"CVE-2015-0491\",\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4810\",\n \"CVE-2015-4835\",\n \"CVE-2015-4840\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4871\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-4911\",\n \"CVE-2015-5006\"\n );\n script_bugtraq_id(\n 71936,\n 74072,\n 74083,\n 74094,\n 74104,\n 74111,\n 74119,\n 74141,\n 74147\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2182-1) (FREAK)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The java-1_7_1-ibm package was updated to version 7.1-3.20 to fix\nseveral security and non security issues :\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734\n CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810\n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk}\n only in _jvmprivdir\n\nNote that Tenable 
Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=941939\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=955131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0204/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0458/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0459/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0469/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0477/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0478/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0480/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0488/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0491/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4734/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4803/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4805/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4806/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4810/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4835/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4840/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4842/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4843/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4844/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4860/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4871/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4872/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4882/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4883/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4893/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4902/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4903/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4911/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5006/\");\n # https://www.suse.com/support/update/announcement/2015/suse-su-20152182-1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b032462c\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise 
Software Development Kit 11-SP4 :\n\nzypper in -t patch sdksp4-java-1_7_1-ibm-12245=1\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-java-1_7_1-ibm-12245=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr3.20-6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr3.20-6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-1.7.1_sr3.20-6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr3.20-6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr3.20-6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr3.20-6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:05:34", "description": "The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix several security and non security issues :\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-12-03T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2168-1) (FREAK)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2015-2168-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87181", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:2168-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(87181);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-0204\",\n \"CVE-2015-0458\",\n \"CVE-2015-0459\",\n \"CVE-2015-0469\",\n \"CVE-2015-0477\",\n \"CVE-2015-0478\",\n \"CVE-2015-0480\",\n \"CVE-2015-0488\",\n \"CVE-2015-0491\",\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4810\",\n \"CVE-2015-4835\",\n \"CVE-2015-4840\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4871\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-4911\",\n \"CVE-2015-5006\"\n );\n script_bugtraq_id(\n 71936,\n 74072,\n 74083,\n 74094,\n 74104,\n 74111,\n 74119,\n 74141,\n 74147\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2168-1) (FREAK)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix\nseveral security and non security issues :\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734\n CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810\n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk}\n only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=941939\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=955131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0204/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0458/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0459/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0469/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0477/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0478/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0480/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0488/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0491/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4734/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4803/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4805/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4806/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4810/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4835/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4840/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4842/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4843/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4844/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4860/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4871/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4872/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4882/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4883/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4893/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4902/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4903/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4911/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5006/\");\n # https://www.suse.com/support/update/announcement/2015/suse-su-20152168-1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b7ac6edd\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2015-920=1\n\nSUSE Linux Enterprise 
Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2015-920=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr3.20-17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr3.20-17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-1.7.1_sr3.20-17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr3.20-17.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:06:07", "description": "The java-1_7_0-ibm package was updated to version 7.0-9.20 to fix several security and non security issues :\n\n - bnc#955131: Version update to 7.0-9.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:2216-1) (FREAK)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2015-2216-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:2216-1.\n# The text itself is copyright (C) 
SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87277);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2015-0204\",\n \"CVE-2015-0458\",\n \"CVE-2015-0459\",\n \"CVE-2015-0469\",\n \"CVE-2015-0477\",\n \"CVE-2015-0478\",\n \"CVE-2015-0480\",\n \"CVE-2015-0488\",\n \"CVE-2015-0491\",\n \"CVE-2015-4734\",\n \"CVE-2015-4803\",\n \"CVE-2015-4805\",\n \"CVE-2015-4806\",\n \"CVE-2015-4810\",\n \"CVE-2015-4835\",\n \"CVE-2015-4840\",\n \"CVE-2015-4842\",\n \"CVE-2015-4843\",\n \"CVE-2015-4844\",\n \"CVE-2015-4860\",\n \"CVE-2015-4871\",\n \"CVE-2015-4872\",\n \"CVE-2015-4882\",\n \"CVE-2015-4883\",\n \"CVE-2015-4893\",\n \"CVE-2015-4902\",\n \"CVE-2015-4903\",\n \"CVE-2015-4911\",\n \"CVE-2015-5006\"\n );\n script_bugtraq_id(\n 71936,\n 74072,\n 74083,\n 74094,\n 74104,\n 74111,\n 74119,\n 74141,\n 74147\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:2216-1) (FREAK)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The java-1_7_0-ibm package was updated to version 7.0-9.20 to fix\nseveral security and non security issues :\n\n - bnc#955131: Version update to 7.0-9.20: CVE-2015-4734\n CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810\n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk}\n only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=941939\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=955131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0204/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0458/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0459/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0469/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0477/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0478/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0480/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0488/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-0491/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4734/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4803/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4805/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4806/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4810/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4835/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4840/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4842/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4843/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4844/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4860/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4871/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4872/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4882/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4883/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4893/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4902/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4903/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4911/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5006/\");\n # https://www.suse.com/support/update/announcement/2015/suse-su-20152216-1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cbe5a8cc\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP3 :\n\nzypper in -t patch sdksp3-java-1_7_0-ibm-12251=1\n\nSUSE Linux 
Enterprise Server for VMWare 11-SP3 :\n\nzypper in -t patch slessp3-java-1_7_0-ibm-12251=1\n\nSUSE Linux Enterprise Server 11-SP3 :\n\nzypper in -t patch slessp3-java-1_7_0-ibm-12251=1\n\nSUSE Linux Enterprise Server 11-SP2-LTSS :\n\nzypper in -t patch slessp2-java-1_7_0-ibm-12251=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-jdbc-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"java-1_7_0-ibm-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"java-1_7_0-ibm-devel-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"java-1_7_0-ibm-jdbc-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr9.20-42.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr9.20-42.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-ibm\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2023-01-11T15:05:01", "description": "The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix several security and non security issues :\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir\n\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-12-16T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2168-2) (FREAK)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0204", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", 
"CVE-2015-4911", "CVE-2015-5006"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2015-2168-2.NASL", "href": "https://www.tenable.com/plugins/nessus/87404", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:2168-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87404);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/0