May 23, 2023 - 2:29 p.m.

Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441).

www.ibm.com
ibm java sdk
ibm java runtime
vulnerability
sensitive information
ibm i
group ptf
fixes
cve-2023-30441

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002 Low (Percentile: 57.2%)

Summary

IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i are vulnerable to exposing sensitive information using a combination of flaws and configurations as described in the vulnerability details section. The vulnerability is fixed by applying an IBM i Group PTF for Java as described in the remediation/fixes section.

Vulnerability Details

**CVEID:** CVE-2023-30441
**DESCRIPTION:** IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE components could expose sensitive information using a combination of flaws and configurations.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM i | 7.5 |
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |

Remediation/Fixes

The vulnerability can be fixed by applying the latest Java Group PTF. Releases 7.5, 7.4, 7.3, and 7.2 of IBM i will be fixed.

An earlier security bulletin already listed the IBM i Group PTF numbers and levels shown in the table below, which resolve the CVE described in the Vulnerability Details section. If the listed IBM i Group PTF number and level has already been applied, no further action is required.

The IBM i Group PTF numbers contain the fix for the vulnerability. Future Group PTFs for Java will also contain the fix for the vulnerability.

| IBM i Release | 5770-JV1 Group PTF Number and Level | PTF Download Link |
| --- | --- | --- |
| 7.5 | SF99955 Level 3 | <https://www.ibm.com/support/pages/uid/nas4SF99955> |
| 7.4 | SF99665 Level 16 | <https://www.ibm.com/support/pages/uid/nas4SF99665> |
| 7.3 | SF99725 Level 27 | <https://www.ibm.com/support/pages/uid/nas4SF99725> |
| 7.2 | SF99716 Level 37 | <https://www.ibm.com/support/pages/uid/nas4SF99716> |
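
To check the "already been applied" condition on a partition, the following query is an added example and is not part of the IBM bulletin. It assumes the IBM i service view QSYS2.GROUP_PTF_INFO (not mentioned in the bulletin) is available; the group numbers and minimum levels are the ones listed in the table above.

```sql
-- Added example, not from the IBM bulletin.
-- Assumption: the QSYS2.GROUP_PTF_INFO service view exists on this partition.
-- Only the row for the partition's own release is meaningful; the groups for
-- other releases will normally report 'GROUP NOT ON SYSTEM'.
WITH required (ibm_i_release, ptf_group_name, min_level) AS (
    VALUES ('7.5', 'SF99955', 3),
           ('7.4', 'SF99665', 16),
           ('7.3', 'SF99725', 27),
           ('7.2', 'SF99716', 37)
),
present AS (
    -- Highest level in INSTALLED status, and highest level known in any status
    -- (for example a group that is loaded but waiting for an IPL).
    SELECT ptf_group_name,
           MAX(CASE WHEN ptf_group_status = 'INSTALLED'
                    THEN ptf_group_level END) AS installed_level,
           MAX(ptf_group_level)               AS highest_level_any_status
    FROM qsys2.group_ptf_info
    GROUP BY ptf_group_name
)
SELECT r.ibm_i_release,
       r.ptf_group_name,
       r.min_level,
       p.installed_level,
       p.highest_level_any_status,
       CASE
           WHEN p.ptf_group_name IS NULL          THEN 'GROUP NOT ON SYSTEM'
           WHEN p.installed_level >= r.min_level  THEN 'FIXED LEVEL INSTALLED'
           WHEN p.highest_level_any_status >= r.min_level
                                                  THEN 'FIXED LEVEL PRESENT, NOT INSTALLED'
           ELSE 'BELOW FIXED LEVEL'
       END AS cve_2023_30441_status
FROM required r
LEFT JOIN present p
       ON p.ptf_group_name = r.ptf_group_name
ORDER BY r.ibm_i_release DESC;
```

A result of 'FIXED LEVEL PRESENT, NOT INSTALLED' means the group is known to the system at a sufficient level but is not in INSTALLED status, so the fix should not be treated as active yet.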

Please see the Java document at this URL for the latest Java information for IBM i:
<https://www.ibm.com/support/pages/java-ibm-i>

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to it. For a complete list of vulnerabilities, refer to “IBM Java SDK Security Vulnerabilities” in the References section.

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibm i Match 7.5.0
OR
ibm i Match 7.4.0
OR
ibm i Match 7.3.0
OR
ibm i Match 7.2.0
OR
ibm planning_analytics Match 7.4.0
OR
ibm planning_analytics Match 7.3.0
OR
ibm planning_analytics Match 7.5.0
OR
ibm planning_analytics Match 7.2.0
