Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2021 - Includes Oracle October 2021 CPU

2022-04-01 23:21:42
www.ibm.com

EPSS: 0.003 (Percentile: 71.9%)

Summary

Multiple vulnerabilities have been identified in IBM Java. IBM SDK, Java Technology Edition Quarterly CPU - Oct 2021 - Includes Oracle October 2021 CPU (CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035). Copy Services Manager has a dependency on Java. CSM versions 6.3.1 and prior are therefore exposed to these vulnerabilities. CSM 6.3.2 ships an embedded version of Java that addresses these issues.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Copy Services Manager | 6.3.1 and below |

Remediation/Fixes

Upgrade to Copy Services Manager 6.3.2 to pick up an updated version of embedded Java.

| Product | VRMF | Remediation / Fix Location |
|---|---|---|
| Copy Services Manager | 6.3.1 | <https://www.ibm.com/support/pages/latest-downloads-ibm-copy-services-manager> |
| Copy Services Manager | versions prior to 6.3.1 | Upgrade fix pack maintenance or PTF to get the fix. |

CVEID: CVE-2021-35560
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/211636> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-35578
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/211654> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-41035
**DESCRIPTION:** Eclipse OpenJ9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persuading a victim to execute a specially-crafted program under a security manager, an attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code on the system.
CVSS Base score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/212010> for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Workarounds and Mitigations

None