Lucene search

IBM52E5A485598DE0E5CE9D3853C91CE6AC5F6ACDE43558D2C68BA5EA40D0E04FB4

HistoryAug 12, 2024 - 4:26 a.m.

Security Bulletin: Multiple Security Vulnerabilities in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and its Agent

2024-08-1204:26:56

www.ibm.com

ibm java runtime

ibm license key server administration

reporting tool

ibm common licensing

cve-2024-21094

cve-2024-21085

cve-2024-21011

cve-2023-38264

interim fix pack

jre update

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

JSON

Summary

Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition in IBM License Key Server Administration and Reporting Tool (ART) and Administration Agent. For more information please refer to Oracle’s CPU Advisory and the X-Force database entries referenced below.

Vulnerability Details

CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector:

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector:

CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector:

CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector:

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Common Licensing	Agent 9.0
IBM Common Licensing	ART 9.0

Remediation/Fixes

Download and apply Interim Fix Pack IBM_Common_Licensing_ICL_9.0.0.1 from Fix Central

Users are strongly advised to update to the latest version (IBM Common Licensing 9.0.0.1) to mitigate any potential risks associated with this vulnerability.

Workarounds and Mitigations

Update the JRE to 8.0.8.25

How do you update the IBM SDK for Java (JRE) for existing IBM License Key Server Administration and Reporting Tool (ART) and IBM License Key Server Administration Agent? Please refer below article for more details.

<https://www.ibm.com/support/pages/node/7009503>

Affected configurations

Vulners

Node

ibmcommon_licensingMatch9.0

VendorProductVersionCPE
ibmcommon_licensing9.0cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	common_licensing	9.0	cpe:2.3:a:ibm:common_licensing:9.0:::::::*

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

JSON

Related for 52E5A485598DE0E5CE9D3853C91CE6AC5F6ACDE43558D2C68BA5EA40D0E04FB4