Lucene search

K
ibmIBM5C58EF391DDD33B2BBDFB3C54DD542E632EE73136FCCBDCD03C5ADA46A87A75F
HistoryAug 21, 2018 - 7:48 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager

2018-08-2119:48:44
www.ibm.com
25

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6, 7 & 8 and IBM® Runtime Environment Java™ Versions 6,7 & 8 used by IBM Security Access Manager software and appliances. These issues were disclosed as part of the IBM Java SDK updates in January 2018.

Vulnerability Details

CVEID: CVE-2018-2579 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2602 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-2603 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2634 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-2633 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Tivoli Access Manager for e-business version 6.1

IBM Tivoli Access Manager for e-business version 6.1.1

IBM Security Access Manager for Web version 7.0 software release

IBM Security Access Manager for Web version 8 appliance

IBM Security Access Manager for Mobile version 8 appliance

IBM Security Access Manager version 9 appliance

Remediation/Fixes

If you run your own Java code using the IBM Java Runtime delivered with an IBM Security Access Manager software product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for “IBM Java SDK Security Bulletin" located in the “References” section for more information.

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

Product VRMF APAR Remediation
IBM Tivoli Access Manager for e-business 6.1 - 6.1.0.35 IJ06528 Apply Interim Fix 36:
6.1.0-ISS-TAM-IF0036
IBM Tivoli Access Manager for e-business 6.1.1 - 6.1.1.34 IJ06528 Apply Interim Fix 35:
6.1.1-ISS-TAM-IF0035
IBM Security Access Manager for Web (software) 7.0 - 7.0.0.34 (software) IJ06528 Apply Interim Fix 35:
7.0.0-ISS-SAM-IF0035
IBM Security Access Manager for Web (appliance) 8.0 - 8.0.1.7 IJ06496 Upgrade to 8.0.1.8:
8.0.1-ISS-WGA-FP0008
IBM Security Access Manager for Mobile (appliance) 8.0 - 8.0.1.7 IJ06510 Upgrade to 8.0.1.8:
8.0.1-ISS-ISAM-FP0008
IBM Security Access Manager (appliance) 9.0 - 9.0.5.0 IJ06496 Upgrade to 9.0.5.0:
9.0.5-ISS-ISAM-FP0000

For IBM Tivoli Access Manager for e-business 6.0 and earlier, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

None.

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

Related for 5C58EF391DDD33B2BBDFB3C54DD542E632EE73136FCCBDCD03C5ADA46A87A75F