Lucene search

IBM44BBDADD105197938F540FD4CE3785F014A665D16F7814593D2D617671C1231B

HistoryOct 07, 2022 - 4:09 p.m.

Security Bulletin: Vulnerability in IBM® Java SDK affects Liberty for Java for IBM Cloud due to July 2022 CPU plus deferred CVE-2021-2163

2022-10-0716:09:39

www.ibm.com

ibm java sdk

liberty for java

ibm cloud

cve-2021-2163

vulnerability

upgrades

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

60.9%

JSON

Summary

There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with Liberty for Java for IBM Cloud. These might affect some configurations of Liberty for Java for IBM Cloud. These products have addressed the applicable CVEs. If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for “IBM Java SDK Security Bulletin” located in the References section for more information.

Vulnerability Details

CVEID:CVE-2021-2163
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200292 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

These vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.73.

Remediation/Fixes

To upgrade to Liberty for Java for IBM Cloud v3.74-20220913-1224 or higher, you must re-stage or re-push your application

To find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c “cat staging_info.yml”

Look for similar lines:

{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-xxx, v3.74-20220913-1224, xxx, env)“,”start_command”:“.liberty/initial_startup.rb”}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmthese_vulnerabilities_affectMatchany

VendorProductVersionCPE
ibmthese_vulnerabilities_affectanycpe:2.3:a:ibm:these_vulnerabilities_affect:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	these_vulnerabilities_affect	any	cpe:2.3:a:ibm:these_vulnerabilities_affect:any:::::::*

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

60.9%

JSON

Related for 44BBDADD105197938F540FD4CE3785F014A665D16F7814593D2D617671C1231B