Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ Version used by IBM WebSphere Application Server.

IBM Cloud Orchestrator and Cloud Orchestrator Enterprise has addressed the applicable CVEs. These issues were also addressed by IBM WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise.

Vulnerability Details

CVEID: CVE-2017-3514 DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124893 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3512 DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3511 DESCRIPTION: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3526 DESCRIPTION: An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-3509 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-3544 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124920 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3533 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124910 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3539 **DESCRIPTION: *An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124915 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-1289 DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2016-9840 DESCRIPTION: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9841 DESCRIPTION: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9842 DESCRIPTION: zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9843 DESCRIPTION: zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120511 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-1289 DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2017-3512 DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3511 DESCRIPTION: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

Principal Product and Version(s)

|

Affected Supporting Product and Version
—|—

IBM Cloud Orchestrator V2.5.0.3 and V2.5.0.4 |

• WebSphere Application Server V8.5.5.11

IBM Cloud Orchestrator V2.4.0.3 and V2.4.0.4 |

• WebSphere Application Server V8.5.5.12

IBM Cloud Orchestrator Enterprise V2.5.0.3 and V2.5.0.4 |

• WebSphere Application Server V8.5.5 through V8.5.5.11

IBM Cloud Orchestrator Enterprise V2.4.0.3 and V2.4.0.4 |

• WebSphere Application Server V8.5.0.1 through V8.5.5.12

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Cloud Orchestrator and Cloud Orchestrator Enterprise| V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3, V2.5.0.4| For 2.5 versions, upgrade to Fix Pack 4 (2.5.0.4) of IBM Cloud Orchestrator.
<http://www-01.ibm.com/support/docview.wss?uid=swg2C4000062&gt;
After you upgrade, apply the appropriate Interim to your environment as soon as practical. For details, see Security Bulletin:Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2017 CPU.
IBM Cloud Orchestrator and Cloud Orchestrator Enterprise| V2.4., V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| For 2.4 versions, upgrade to Fix Pack 4 (2.4.0.5) of IBM Cloud Orchestrator.
http://www-01.ibm.com/support/docview.wss?uid=swg2C4000063

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, IBM Business Process Manager, and Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator.

Workarounds and Mitigations

None