Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 8** that are used by Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software. These issues were disclosed as part of the IBM Java SDK updates in Oct 2022 and IBM Java - OpenJ9 CVE-2022-3676

Vulnerability Details

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21624
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21619
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-3676
**DESCRIPTION:**Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239608 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Update the IBM SDK, Java Technology Edition of the product to address this vulnerability:

9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4

| IBM Java SDK/JRE 8 SR7 FP20 IFixes
Rational Software Architect Designer for WebSphere Software (RSAD4WS)|

9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4

| IBM Java SDK/JRE 8 SR7 FP20 IFixes

Installation Instructions:

For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.

Instructions to download and install the update from the compressed files:

1. Download the update files from Fix Central by following the link listed in the download table above

2. Extract the compressed files in an appropriate directory.

For example, choose to extract to C:\temp\update

3. Start IBM Installation Manager.

4. On the Start page of Installation Manager, click File > Preferences, and then clickRepositories. The Repositories page opens.

5. On the Repositories page, click Add Repository.

6. In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK.

For example, enter C:\temp\update\repository.config.

7. Click OK to close the Preference page.

8. Install the update as described in the the topic Updating Installed Product Packages in the IBM Knowledge Center for your product and version.

Workarounds and Mitigations

None