Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2015-2590, CVE-2015-2613, CVE-2015-2625)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 7 and 7R1 that are used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates in July 2015.

Vulnerability Details

CVEID: CVE-2015-2590 DESCRIPTION: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2613 DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2625

DESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM MessageSight 1.2.0.1 and earlier

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM MessageSight| 1.1.0.1| IT10430 | 1.1.0.1-IBM-IMA-IFIT10430
IBM MessageSight| 1.2.0.1| IT10430 | 1.2.0-IBM-IMA-Physical-FP0002
1.2.0-IBM-IMA-VirtualEdition-FP0002
1.2.0-IBM-IMA-SoftLayerVirtual-FP0002
1.2.0-IBM-IMA-BareMetal-FP0002

Workarounds and Mitigations

None