Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to a denial of service and integrity impact due to multiple vulnerabilities.

Published 2024-02-06 22:16:05 (source: www.ibm.com)

Page-level score: 5.9 Medium (CVSS3)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High

AI Score: 7.5 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 28.7%)

Summary

IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i are vulnerable to a denial of service caused by a remote attacker (CVE-2023-22081) or by a local authenticated attacker (CVE-2023-5676), and to an integrity impact caused by a remote attacker (CVE-2023-22067), as described in the Vulnerability Details section. This bulletin identifies the steps to take to address the vulnerabilities, as described in the Remediation/Fixes section.

Vulnerability Details

CVEID: CVE-2023-22081
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Oracle GraalVM for JDK related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-22067
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-5676
**DESCRIPTION:** Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw in the handling of a shutdown signal (SIGTERM, SIGINT or SIGHUP) that is received before the JVM has finished initializing. By delivering one of these signals during JVM startup, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault. Note that, unlike the two Oracle CVEs above, this issue requires local access and high privileges (AV:L/PR:H in the vector below).
CVSS Base score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
--- | ---
IBM i | 7.5
IBM i | 7.4
IBM i | 7.3

Remediation/Fixes

The vulnerabilities can be fixed by applying the latest Java PTF Group. Releases 7.5, 7.4, and 7.3 of IBM i will be fixed.

The IBM i PTF Groups listed below, at the stated level or later, contain the fixes for the vulnerabilities. Future PTF Groups for Java (higher levels) will also contain the fixes.

IBM i Release | 5770-JV1 PTF Group Number and Level | PTF Download Link
--- | --- | ---
7.5 | SF99955 Level 8 | <https://www.ibm.com/support/pages/uid/nas4SF99955>
7.4 | SF99665 Level 21 | <https://www.ibm.com/support/pages/uid/nas4SF99665>
7.3 | SF99725 Level 31 | <https://www.ibm.com/support/pages/uid/nas4SF99725>

Please see the Java document at this URL for the latest Java information for IBM i:
<https://www.ibm.com/support/pages/java-ibm-i>

If you run your own Java code using the IBM Java Runtime delivered with this product, evaluate your code to determine whether additional Java vulnerabilities apply to it. For a complete list of vulnerabilities, refer to "IBM Java SDK Security Vulnerabilities", located in the References section.

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.
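The remediation table above gives a minimum Java PTF group level per IBM i release, but on a real system the check has three parts: the release must be one the bulletin covers, the installed group level must be at or above the minimum (a later level also carries the fix), and the group must actually be installed rather than merely downloaded. The following script is an added example, not IBM's code or part of this bulletin. The minimum levels are taken from the table above; the input rows are a constructed CSV export of a query over the QSYS2.GROUP_PTF_INFO service, and the column names and status strings (INSTALLED, NOT INSTALLED) used here are assumptions about that service, not something the bulletin states.

```python
"""Assess IBM i Java (5770-JV1) PTF group levels against this bulletin.

Added example, not IBM's own tooling. Assumed input: a CSV export of

  SELECT PTF_GROUP_NAME, PTF_GROUP_LEVEL, PTF_GROUP_TARGET_RELEASE,
         PTF_GROUP_STATUS
    FROM QSYS2.GROUP_PTF_INFO
   WHERE PTF_GROUP_NAME IN ('SF99955', 'SF99665', 'SF99725')

with a SYSTEM column prepended per partition. Column names and status
values are assumptions about QSYS2.GROUP_PTF_INFO.
"""
import csv
import io

# Per-release Java PTF group and minimum fixed level, from the bulletin's table.
REQUIRED = {
    "V7R5M0": ("SF99955", 8),
    "V7R4M0": ("SF99665", 21),
    "V7R3M0": ("SF99725", 31),
}

# Constructed sample rows: one partition already past the required level,
# one behind, one at the required level but not yet applied, and one on a
# release the bulletin does not cover (group name is a placeholder).
SAMPLE_ROWS = """\
SYSTEM,PTF_GROUP_NAME,PTF_GROUP_LEVEL,PTF_GROUP_TARGET_RELEASE,PTF_GROUP_STATUS
LPAR01,SF99955,9,V7R5M0,INSTALLED
LPAR02,SF99665,19,V7R4M0,INSTALLED
LPAR03,SF99725,31,V7R3M0,NOT INSTALLED
LPAR04,SFXXXXX,0,V7R2M0,INSTALLED
"""


def assess(system, release, group, level, status):
    """Return (system, verdict, detail) for one Java PTF group row.

    Verdicts: FIXED, VULNERABLE, UNSUPPORTED (release not in bulletin),
    UNKNOWN (group does not match the one expected for the release).
    """
    if release not in REQUIRED:
        return (system, "UNSUPPORTED",
                f"{release} is not covered by this bulletin; upgrade to a supported release")
    want_group, want_level = REQUIRED[release]
    if group != want_group:
        return (system, "UNKNOWN",
                f"expected Java PTF group {want_group} for {release}, saw {group}")
    if level < want_level:
        return (system, "VULNERABLE",
                f"{group} level {level} is below required level {want_level}")
    if status != "INSTALLED":
        # A sufficiently new group that is only downloaded fixes nothing.
        return (system, "VULNERABLE",
                f"{group} level {level} is present but status is {status}")
    return (system, "FIXED", f"{group} level {level} >= required level {want_level}")


def assess_report(csv_text):
    """Parse the CSV export and assess every row; returns a list of findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append(assess(
            row["SYSTEM"],
            row["PTF_GROUP_TARGET_RELEASE"],
            row["PTF_GROUP_NAME"],
            int(row["PTF_GROUP_LEVEL"]),
            row["PTF_GROUP_STATUS"],
        ))
    return findings


if __name__ == "__main__":
    for system, verdict, detail in assess_report(SAMPLE_ROWS):
        print(f"{system:8} {verdict:11} {detail}")
```

Treat a NOT INSTALLED status the same as a missing fix: the bulletin's remediation is to apply the group, and the level shown by the query only reflects what is on the system, not what is active. The UNSUPPORTED verdict follows the bulletin's important note, which gives no fix for releases other than 7.5, 7.4, and 7.3.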

Workarounds and Mitigations

None

