Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM399718E68B1AC921F1F63310793CB30CE98BCB15C409BBB99985FB5BE97A027F
HistoryJul 02, 2019 - 2:50 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Privileged Identity Manager

2019-07-0202:50:01
www.ibm.com
17

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Security Privileged Identity Manager (ISPIM). These issues were disclosed as part of the IBM Java SDK updates in July 2018, April 2018, January 2018, October 2017.

Vulnerability Details

July 2018

CVEID: CVE-2016-0705 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java Runtime Environment’'s Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2973 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2017-3732 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1517 DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology Edition may allow an attacker to inflict a denial-of-service attack with specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141681&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2964 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146827&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2973 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-12539 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

April 2018

CVEID: CVE-2018-2783 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141939&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

January 2018

CVEID: CVE-2018-2677 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded AWT component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137932&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2641 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded AWT component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137893&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N)

October 2017

CVEID: CVE-2017-10388 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133813&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Product VRMF
IBM Security Privileged Identity Manager 2.1.0 - 2.1.0.7
IBM Security Privileged Identity Manager 2.0.2 - 2.0.2.10

Remediation/Fixes

Product VRMF Remediation
IBM Security Privileged Identity Manager 2.1.0 - 2.1.0.7 _2.1.0-ISS-ISPIM-VA-FP0008 _
IBM Security Privileged Identity Manager 2.0.2 - 2.0.2.10 2.0.2-ISS-ISPIM-VA-FP0011

Workarounds and Mitigations

None

Related

ibm 133
nessus 16
openvas 7
redhat 6
aix 1
veracode 6
prion 7
osv 1
cve 6
redhatcve 5
ubuntucve 5
debiancve 3
openssl 1
f5 2
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction
2018-11-20 15:55:01
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System
2018-12-06 03:35:02
Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6, Version 7, Version 8, that is used by IBM Workload Scheduler. These issues were disclosed as part of the IBM Java SDK updates in July 2018.
2018-11-30 13:30:01
nessus
nessus
SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-2)
2018-10-22 00:00:00
SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-1)
2018-09-25 00:00:00
SUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:3082-1)
2019-01-02 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:2839-2)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:3082-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2839-1)
2021-04-19 00:00:00
redhat
redhat
(RHSA-2018:2575) Important: java-1.8.0-ibm security update
2018-08-28 19:06:50
(RHSA-2018:2568) Important: java-1.8.0-ibm security update
2018-08-27 14:09:01
(RHSA-2018:2713) Moderate: java-1.8.0-ibm security update
2018-09-17 14:43:25
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2018-09-19 08:42:00
veracode
veracode
Man-in-the-Middle (MitM)
2019-05-02 06:37:53
Arbitrary Code Execution
2019-01-15 09:24:36
Denial Of Service (DoS)
2019-01-15 09:25:17
prion
prion
Code injection
2017-10-19 17:29:00
Default configuration
2018-08-14 19:29:00
Code injection
2018-01-18 02:29:00
osv
osv
CVE-2018-12539
2018-08-14 19:29:00
cve
cve
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-2677
2018-01-18 02:29:00
CVE-2017-10388
2017-10-19 17:29:00
redhatcve
redhatcve
CVE-2018-12539
2019-10-10 23:34:49
CVE-2018-1656
2018-08-17 20:49:15
CVE-2018-1517
2019-10-26 18:44:04
ubuntucve
ubuntucve
CVE-2017-10388
2017-10-19 00:00:00
CVE-2018-1656
2018-08-20 00:00:00
CVE-2018-2677
2018-01-17 00:00:00
debiancve
debiancve
CVE-2016-0705
2016-03-03 20:59:00
CVE-2017-10388
2017-10-19 17:29:00
CVE-2018-2677
2018-01-18 02:29:00
openssl
openssl
Vulnerability in OpenSSL CVE-2016-0705
2016-03-01 00:00:00
f5
f5
SOL93122894 - OpenSSL vulnerability CVE-2016-0705
2016-03-24 00:00:00
K93122894 : OpenSSL vulnerability CVE-2016-0705
2016-03-25 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for 399718E68B1AC921F1F63310793CB30CE98BCB15C409BBB99985FB5BE97A027F
ibm133nessus16openvas7redhat6aix1veracode6prion7osv1cve6redhatcve5ubuntucve5debiancve3openssl1f52