Security Bulletin: July 2015 Java Platform Standard Edition Vulnerabilities in Multiple N series Products

Summary

Multiple N series products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 8u51, 7u85 and 6u101 and OpenJDK versions below 1.7.0.85 and 1.8.0.51 are susceptible to multiple vulnerabilities, potentially leading to an unauthorized Operating System takeover, a partial denial of service (DOS), an unauthorized read, update, insert or delete access to a subset of Java SE accessible data. Multiple N series products have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-2638**
DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104727 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4733**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104726 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4732**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104725 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2590**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4731**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104723 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2628**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104722 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4760**
DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104721 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4736**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104728 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4748**
DESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104729 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2664**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104731 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2632**
DESCRIPTION:** An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104732 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2637**
DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2619**
DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104737 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2621**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104735 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2613**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2601**
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2659**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104736 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4749**
DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-2596**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-4729**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104741 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2015-2625**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Affected Products and Versions

NS OnCommand Core Package: 5.2, 5.2R1, 5.2.1P1, 5.2.1P2;
NS OnCommand Unified Manager for DataONTAP: 6.1R1;
N series VASA Provider: 1.0, 1.0.1;
SnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4;
SnapManager for SAP: 3.2, 3.3, 3.3.1, 3.4;
Virtual Storage Console for VMware vSphere: 4.2.1, 5.0, 6.0, 6.1;

Remediation/Fixes

For_ SnapManager for Oracle: the fix exists from microcode version 3.4P2;
For _SnapManager for SAP: the fix exists from microcode version 3.4P2;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2;

Please contact IBM support or go to this link to download a supported release. For customers who are using N series VASA Provider, NS OnCommand Unified Manager for DataONTAP or NS OnCommand Core Package, please contact IBM support.

Workarounds and Mitigations

None.