There are multiple vulnerabilities in IBM® SDK Java™ and IBM® Runtime Environment Java™ Versions 7 & 8 used by IBM Decision Optimization Center. IBM Decision Optimization Center have addressed the applicable CVEs.
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin”, located in the References section for more information.
CVEID: CVE-2019-2816 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163878> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-2762 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163826> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2769 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163832> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-4473 DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163984> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11771 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163989> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM Decision Optimization Center 3.9 and earlier releases
IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 45 and earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 35 and earlier releases
The recommended solution is to download and install the IBM Java SDK as soon as practicable.
Please note that IBM SDK Java 6 is no longer supported anymore. IBM recommends upgrading to DOC 3.8.0.2, 3.9 or subsequent releases.
Before installing a newer version of IBM Java SDK, please ensure that you:
IBM Decision Optimization Center
From v3.8.0.2: IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 50 and subsequent releases
From v3.9.0.1: IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 40 and subsequent releases
You must verify that applying this fix does not cause any compatibility issues.
Here are the detailed instructions for updating IBM Java SDK.
None