Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to a denial of service and bypassing security restrictions due to multiple vulnerabilities.

Summary

IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i are vulnerable to a remote attacker causing availability impact (CVE-2024-21085), denial of service (CVE-2023-38264), and bypassing security restrictions (CVE-2024-3933) as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-3933
**DESCRIPTION:**Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to restrict access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. By sending a specially crafted request, an attacker could exploit this vulnerability to gain read and write to addresses beyond the end of the array range.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292491 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L)

Affected Products and Versions

Remediation/Fixes

The vulnerabilities can be fixed by applying the latest Java PTF Group. Releases 7.5, 7.4, and 7.3, of IBM i will be fixed.

The IBM i PTF Group numbers contain the fixes for the vulnerabilities. Future PTF Groups for Java will also contain the fixes for the vulnerabilities.

SF99955 Level 10

|

<https://www.ibm.com/support/pages/uid/nas4SF99955&gt;

7.4|

SF99665 Level 23

|

<https://www.ibm.com/support/pages/uid/nas4SF99665&gt;

7.3|

SF99725 Level 33

| <https://www.ibm.com/support/pages/uid/nas4SF99725&gt;

**Please see the Java document at this URL for the latest Java information for IBM i:
<https://www.ibm.com/support/pages/java-ibm-i&gt; **

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Vulnerabilities”, located in the References section for more information.

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None