Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167]

Summary

Vulnerability in IBM Java SDK affects OS Image for Red Hat Linux Systems shipped with Cloud Pak System. Cloud Pak System has addressed vulnerability. [CVE-2021-28167]

Vulnerability Details

CVEID:CVE-2021-28167
**DESCRIPTION:**Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by a flaw in the jdk.internal.reflect.ConstantPool API. By sending a specially-crafted request, an attacker could exploit this vulnerability to call static methods or access static members without running the class initialization method.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported version/release/platform IBM recommends upgrading to a fixed, supported /release/platform of the product. Notice for IBM Cloud Pak System W3700 (5725-X32), IBM Cloud Pak System W3500 (5725-Z16), IBM Cloud Pak System W3550 (5725-Z17), IBM Cloud Pak System Software v2.3.0.0, v2.3.1.0, IBM Cloud Pak System Software Suite v2.3.0.0, v2.3.1.0 as per IBM Withdrawal announcement ENUS922-058.

Cloud Pak System upgraded Java to IBM SDK Java 8.0.7.0 along with Cloud Pak System v2.3.3.4.

For IBM Cloud Pak System V2.3.0 through to V2.3.3.3 Interim Fix 1.

upgrade to IBM Cloud Pak System V2.3.3.4 or later at IBM Fix Central.

Information on upgrading at : <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

Workarounds and Mitigations

None