IBM4D0056EC4D5672FF48E356CFCC82780C64C9FB240D745F2F627F178D9CF22F0CSecurity Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus four additional vulnerabilities. These may affect some configurations of Liberty for Java for IBM Bluemix.
Vulnerability Details
This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but Liberty for Java for IBM Bluemix is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to Liberty for Java for IBM Bluemix. **
CVEID:** CVE-2016-3427**
DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
**
CVEID:** CVE-2016-3426**
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
This vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v2.7.
Remediation/Fixes
To upgrade to Liberty for Java v2.8-20160430-1011 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the “Files” menu item for your application through the Bluemix UI. In the “logs” directory, check the “staging_task.log”.
You can also find this file through the command-line Cloud Foundry client by running the following command:
cf files <appname> logs/staging_task.log
You can see
-----> Liberty Buildpack Version: _________
To re-stage your application using the command-line Cloud Foundry client, use the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use the following command:
cf push <appname>
| CPE | Name | Operator | Version |
|---|---|---|---|
| liberty for java for ibm cloud | eq | any |
Related
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C