There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by AIX. AIX has addressed the applicable CVEs.
CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM for JDK related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-22067
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
AIX | 7.2 |
AIX | 7.3 |
VIOS | 3.1 |
VIOS | 4.1 |
The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:
For Java8: Less than 8.0.0.815
Note: To find out whether the affected Java filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.
Example: lslpp -L | grep -i java
IBM strongly recommends addressing the vulnerability now.
Note: Recommended remediation is to always install the most recent Java package available for the respective Java version.
IBM SDK, Java Technology Edition, Version 8 Service Refresh 8 Fix Pack 15 and subsequent releases:
None