Lucene search

K
ibmIBM361E60C13CAC480F4B230437F8B912FD72A2B054A880D08962CBE176EA72D547
HistoryOct 08, 2020 - 12:56 p.m.

Security Bulletin: IBM Kenexa LCMS Premier On Premise - IBM SDK, Java Technology Edition Quarterly CPU - Jul 2020 - Includes Oracle Jul 2020 CPU plus one additional vulnerability

2020-10-0812:56:36
www.ibm.com
12

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

We have identified that the IBM Kenexa LCMS Premier is affected by one or more security vulnerabilities. These have been addressed in LCMS Premier 14.0 version.

Vulnerability Details

CVEID:CVE-2020-14583
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-14593
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185071 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:CVE-2020-14621
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-14556
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2020-14581
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185059 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-14579
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-14578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-14577
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-17639
**DESCRIPTION:**Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Kenexa LCMS Premier on premise 14.0 and Below

Remediation/Fixes

IBM recommends updating to the latest release for customers who are using an affected version. The new version is available at IBM Passport Advantage web site.

Once on version 14.0, please proceed to download and apply the provided fix via Fix Central.

Steps to Download from Fix Central

  • Log in to Fix Central (<https://www-945.ibm.com/support/fixcentral/&gt;)
  • Select "IBM Kenexa LCMS Premier” from the Product Selector dropdown
  • Select “14.0” from the Installed version dropdown
  • Select “Windows” from the Platform dropdown
  • Click “Continue”
  • Select "Browse for Fixes” and click “Continue”

Download the following 2 files:

  • p_14.0.0058_2020-09-18_18-06.zip or above
  • p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip

Steps to Follow in Version 14.0 ONLY:

Perform Backups:

1. Stop LCMS Services

2. Perform Backups:

In the LCMS installation directory, perform a backup of the existing JDK directories by renaming the Java directories ibmsdk32 and ibmsdk64. We suggest appending "_backup” to the end.


Important Note: If the Step 1 (stopping of services) did not complete, you might have issues renaming the folders. Please ensure all LCMS services are no longer running prior to renaming/taking backup


Step 1: Deploy the latest LCMS patch: p_14.0.0058_2020-09-18_18-06.zip or above

1. Remove all plugins:

a. From ConfigWiz.exe, check “Advanced” checkbox, then click “Stop Services”

b. Move all jar and all zip files from plugin folder to somewhere else

c. From ConfigWiz.exe, click “Add/Remove Plugins”.

2. Install the latest patch:

a. Move or copy this plugin file into the plugin folder.

b. From ConfigWiz.exe, click “Advanced” checkbox, then click “Add/Remove Plugins”.

Step 2: Deploy the JDK_Only patch/plugin: p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip [This is on-time activity]

1. Step#1 must complete to starts the JDK 8.0.6.15 upgrade

2. Add the JDK_Only patch/pligin in “plugins” folder [example: p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip] & LCMS patch need not be removed from plugin folder

3. From ConfigWiz.exe, click “Advanced” checkbox, then click “Add/Remove Plugins”

4. For plugins that have JDK upgrade: ◦ ConfigWiz.exe must be closed for JDK upgrade to complete [A popup will display as an alert to close the ConfigWiz]. Anything else that might be using LCMS files or directories must also be closed.

5. From ConfigWiz.exe, check “Advanced” checkbox, then click “Starts Services”

Note:

1. In future, while deploying the upcoming patches, ensure JDK_Only patch/plugin deployment- “Add/Remove Plugins” needs to be run twice as part of step#1.1 [Remove all plugins]

2. Once, Step 1 & 2 are done, you will not be able to revert to the precious version of the JDK. However, applying the upcoming/future patches will only ensure that JDK is maintained with latest version or installed with upgraded version

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm kenexa lcms premiereq14.0

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Related for 361E60C13CAC480F4B230437F8B912FD72A2B054A880D08962CBE176EA72D547