Security Bulletin: Multiple Security Vulnerabilities in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and its Agent

Published: 2024-08-12 04:26:56
Source: www.ibm.com

Tags: ibm java runtime, ibm license key server administration, reporting tool, ibm common licensing, cve-2024-21094, cve-2024-21085, cve-2024-21011, cve-2023-38264, interim fix pack, jre update

CVSS3: 5.9
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 5.1 (Confidence: High)

Summary

Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition in IBM License Key Server Administration and Reporting Tool (ART) and Administration Agent. For more information please refer to Oracle’s CPU Advisory and the X-Force database entries referenced below.

Vulnerability Details

**CVEID:** CVE-2024-21094
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low integrity impact, with no confidentiality or availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2024-21085
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2024-21011
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2023-38264
**DESCRIPTION:** The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
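The CVE-2023-38264 entry above turns on the JEP 290 MaxDepth and MaxRefs limits. The following is an added example written for this page, not code from the IBM bulletin or from the IBM ORB: it shows what a correctly enforced JEP 290 filter does with a deep or reference-heavy object graph, which is exactly the resource-exhaustion case those two limits exist to stop. The class names (Jep290FilterDemo, Node), the filter pattern and the limits of 20 levels and 1000 references are illustrative choices; the API used is java.io.ObjectInputFilter from Java 9 and later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the IBM bulletin or the IBM ORB): a JEP 290 deserialization
// filter that enforces the MaxDepth and MaxRefs limits named in CVE-2023-38264.
public class Jep290FilterDemo {

    // Illustrative pattern: allow only our Node class and java.util.ArrayList,
    // cap the object graph at depth 20 and 1000 references, and reject every other class.
    static final String PATTERN =
        "Jep290FilterDemo$Node;java.util.ArrayList;maxdepth=20;maxrefs=1000;!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Minimal serializable node; chaining Node objects makes the graph deep,
    // putting many of them in a list makes it reference-heavy.
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        final Node next;
        Node(Node next) { this.next = next; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns "ACCEPTED" if the stream deserializes under FILTER, otherwise the rejection reason.
    static String deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // per-stream filter; -Djdk.serialFilter sets one process-wide
            ois.readObject();
            return "ACCEPTED";
        } catch (InvalidClassException e) {
            // A rejecting filter surfaces as InvalidClassException("filter status: REJECTED")
            // before the offending object is allocated, so the graph never gets built.
            return "REJECTED: " + e.getMessage();
        }
    }

    // Constructed input: a singly linked chain of the given depth.
    static Node chain(int depth) {
        Node n = null;
        for (int i = 0; i < depth; i++) n = new Node(n);
        return n;
    }

    // Constructed input: a flat list of distinct Node objects (depth 2, many references).
    static List<Node> flatList(int count) {
        List<Node> list = new ArrayList<>(count);
        for (int i = 0; i < count; i++) list.add(new Node(null));
        return list;
    }

    public static void main(String[] args) throws Exception {
        // All three streams contain only allowed classes; only the graph shape differs.
        System.out.println("depth 5   : " + deserializeFiltered(serialize(chain(5))));
        System.out.println("depth 50  : " + deserializeFiltered(serialize(chain(50))));      // exceeds maxdepth=20
        System.out.println("2000 refs : " + deserializeFiltered(serialize(flatList(2000)))); // exceeds maxrefs=1000
    }
}
```

Compile and run with `javac Jep290FilterDemo.java && java Jep290FilterDemo` on Java 9 or later; the first stream is accepted and the other two are rejected with `filter status: REJECTED`. On Java 8 (8u121 and later, including the IBM SDK 8 builds covered by this bulletin) the same pattern string is applied to every ObjectInputStream in the process via `-Djdk.serialFilter=<pattern>` instead of the per-stream setter.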

Affected Products and Versions

Affected Product(s) Version(s)
IBM Common Licensing Agent 9.0
IBM Common Licensing ART 9.0

Remediation/Fixes

Download and apply Interim Fix Pack IBM_Common_Licensing_ICL_9.0.0.1 from Fix Central

Users are strongly advised to update to the latest version (IBM Common Licensing 9.0.0.1) to mitigate the risks associated with these vulnerabilities.

Workarounds and Mitigations

Update the JRE to 8.0.8.25

To update the IBM SDK for Java (JRE) bundled with an existing IBM License Key Server Administration and Reporting Tool (ART) or IBM License Key Server Administration Agent installation, refer to the article below.

https://www.ibm.com/support/pages/node/7009503

Affected configurations

IBM Common Licensing 9.0 (CPE: cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:*)
