IBM4469424F7018921010B32966440CB773F0F4B32AAE97DE02A8043200BE55D120Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Explorer for z/OS V3.0 (CVE-2016-0363 and CVE-2016-0376)
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is used by IBM Explorer for z/OS V3.0. These problems were disclosed as part of the IBM Java SDK updates in April 2016.
Vulnerability Details
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the IBM Java SDK Security Bulletin for more information.
CVEID: CVE-2016-0363** *DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that might allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 _for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-0376** *DESCRIPTION: A vulnerability in IBM Java SDK could allow a remote attacker to execute arbitrary code on the system. This vulnerability allows code running under a security manager to escalate its privileges by modifying or removing the security manager. This vulnerability was originally reported as CVE-2013-5456.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112152 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Principal Product and Version(s)
IBM Explorer for z/OS V3.0
Remediation/Fixes
IBM has provided patches for the affected version.
Installation instructions and the IBM Explorer for z/OS Version 3.0.0.4 update can be obtained at the following location:
Mainframe Development - Download Eclipse Tools
For users of CICS Explorer, V5.3.0.4 or higher should also be installed. CICS Explorer was rebuilt as a result of the affect this security vulnerability had on IBM Explorer for z/OS 3.0, upon which CICS Explorer is built. CICS Explorer itself was not affected by the security vulnerability so there was no associated APAR. There were no updates to the CICS Tools plug-ins that are associated with this security vulnerability. See Latest version of CICS Explorer and CICS Tools plug-ins for CICS Explorer.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm explorer for z/os | eq | 3.0.0 | |
| cics transaction server | eq | any |
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C