Security Bulletin: IBM Tivoli Application Dependency Discovery Manager affected by unspecified vulnerability due to IBM Java and its runtime

Summary

IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to use of IBM Java and runtimes (CVE-2023-22045, CVE-2023-22049, CVE-2023-22081, CVE-2023-22067, CVE-2023-5676)

Vulnerability Details

CVEID:CVE-2023-22045
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-22067
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

In order to fix this vulnerability, Java needs to be upgraded to 8.0.8.15 for TADDM versions 7.3.0.7 - 7.3.0.10.

Check java version installed on TADDM servers using the below command:

$COLLATION_HOME/external/<jdk- folder according to OS>/bin/java -version

• For TADDM 7.3.0.0 - 7.3.0.4 (JAVA 7), Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).

• For TADDM 7.3.0.5 - 7.3.0.6 (Java 8) Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).

• For TADDM 7.3.0.7 - 7.3.0.10 (JAVA 8), if the above command output contains**“SR6 FP10”**or “8.0.6.10” or higher as build in Java™ SE Runtime Environment information, apply e-fix for the new IBM SDK only,**efix_jdk8.0.7.20_FP10221123.zip **given in Table-1 below.

• For all other cases: Please contact IBM Support and open a case with TADDM version and a link to this bulletin.

Table-1:

Please review the eFix readme in etc/efix_readme.txt. The fixes for the respective FixPack(s) can be downloaded and applied directly.

Fix|

VRMF

| APAR|How to acquire fix
—|—|—|—
efix_jdk_8.0.8.15_FP10221123.zip|

7.3.0.7 - 7.3.0.10

| None| Download eFix

Table-2:

Below are the JRE:

Fix|

VRMF

| APAR|How to acquire fix
—|—|—|—
ibm-java-jre-80-win-i386|

7.3.0.7 - 7.3.0.10

| None| Download eFix

Workarounds and Mitigations

None