8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.005 Low
EPSS
Percentile
74.1%
Multiple vulnerabilities exist in IBM® Runtime Environment Java™ versions, specifically Version 6 Service Refresh 16 Fix Pack 60 and earlier releases used by IBM Platform Symphony 6.1.1, Version 7 Service Refresh 10 Fix Pack 20 and earlier releases used by IBM Platform Symphony 7.1 Fix Pack 1, Version 8 Service Refresh 5 Fix Pack 10 and earlier releases used by IBM Platform Symphony 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2. These issues were disclosed as part of the IBM Java SDK updates in April 2018.
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for "IBM Java SDK Security Bulletin" located in the "References" section for more information.
CVEID: CVE-2018-2814 DESCRIPTION: An unspecified vulnerability related to the Java SE VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141970> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2794 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2783 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141939> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-2799 DESCRIPTION: An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141955> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2798 DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141954> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2797 DESCRIPTION: An unspecified vulnerability related to the Java SE JMX component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141953> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2796 DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141952> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2795 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2800 DESCRIPTION: An unspecified vulnerability related to the Java SE RMI component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141956> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID: CVE-2018-2790 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141946> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
IBM Platform Symphony 6.1.1
IBM Platform Symphony 7.1 Fix Pack 1
IBM Platform Symphony 7.1.1
IBM Spectrum Symphony 7.1.2
IBM Spectrum Symphony 7.2.0.2
Operating systems: Linux x64
Cluster type: Single grid cluster
To install or uninstall the .rpm packages for IBM Spectrum Symphony 7.1.2 and 7.2.0.2, you must have root permission and RPM version 4.2.1 or later must be installed on the host.
For Platform Symphony 6.1.1, the following example shows output for the java -version command:
> java -version
java version "1.6.0"
Java™ SE Runtime Environment (build pxa6460sr16fp65-20180505_01(SR16 FP65))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr16fp65-20180411_383947 (JIT enabled, AOT enabled)
J9VM - 20180411_383947
JIT - r9_20180411_383947
GC - GA24_Java6_SR16_20180411_1747_B383947)
JCL - 20180504_01
For Platform Symphony 7.1 Fix Pack 1, the following example shows output for the java -version command:
> java -version
java version "1.7.0"
Java™ SE Runtime Environment (build pxa6470sr10fp25-20180430_01(SR10 FP25))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 20180420_384915 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR10_20180420_1715_B384915
JIT - r11_20180420_384915
GC - R26_Java726_SR10_20180420_1715_B384915_CMPRSS
J9CL - 20010803_384915)
JCL - 20180427_01 based on Oracle jdk7u181-b09
For Platform Symphony 7.1.1, the following example shows output for the java -version command:
> java -version
java version "1.8.0_171"
Java™ SE Runtime Environment (build 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20180626_390413 (JIT enabled, AOT enabled)
OpenJ9 - 5cdc604
OMR - a24bc01
IBM - 21870d6)
JCL - 20180619_01 based on Oracle jdk8u171-b11
For IBM Spectrum Symphony 7.1.2, the following example shows output for the rpm -qa command:
> rpm -qa --dbpath /tmp/rpm |grep egojre
egojre-1.8.0.517-497456.x86_64
For IBM Spectrum Symphony 7.2.0.2, the following example shows output for the rpm -qa command:
> rpm -qa --dbpath /tmp/rpm |grep egojre
egojre-8.0.5.17-497456.x86_64
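The outputs above are what a fixed host shows. The following checker is an added example, not part of the IBM bulletin: it parses the two kinds of evidence the bulletin tells you to collect (java -version output for Platform Symphony, rpm -qa output for Spectrum Symphony), compares them with the fixed levels listed in this bulletin, and reports fixed, vulnerable or unknown. It assumes IBM Java build identifiers of the Linux x64 form pxa64<major>0sr<SR>fp<FP>, treats any level below the fixed one as unpatched (intermediate fix packs the bulletin does not list included), and uses two constructed sample strings for an unpatched host.

```python
"""Check whether a Symphony host's JRE is at or above the fixed level.

Added example, not part of the IBM bulletin. Parses `java -version` output
(Platform Symphony) or `rpm -qa ... | grep egojre` output (Spectrum Symphony)
and compares it with the fixed levels from the bulletin. Assumption: IBM Java
build ids have the Linux x64 form "pxa64<major>0sr<SR>fp<FP>".
"""
import re
import sys

# Fixed levels from the bulletin: (Java major, service refresh, fix pack).
FIXED_JAVA = {
    "6.1.1": (6, 16, 65),
    "7.1 Fix Pack 1": (7, 10, 25),
    "7.1.1": (8, 5, 17),
}
# Fixed egojre package levels from the bulletin: (version, build tag).
FIXED_EGOJRE = {
    "7.1.2": ("1.8.0.517", 497456),
    "7.2.0.2": ("8.0.5.17", 497456),
}

# "pxa6460sr16fp65" -> major 6, SR 16, FP 65 (the fp part is optional in IBM build ids).
JAVA_BUILD_RE = re.compile(r"pxa64(\d)0sr(\d+)(?:fp(\d+))?")
# "egojre-1.8.0.517-497456.x86_64" -> version 1.8.0.517, build 497456.
EGOJRE_RE = re.compile(r"egojre-(\d+(?:\.\d+)+)(?:-(\d+))?\.x86_64")


def parse_java_version(output):
    """Return (major, sr, fp) from IBM `java -version` output, or None."""
    m = JAVA_BUILD_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def java_fixed(release, output):
    """True/False for a Platform Symphony release; None if it cannot be determined."""
    fixed = FIXED_JAVA[release]
    found = parse_java_version(output)
    # A different Java major is not the JRE this bulletin fixes for that release.
    if found is None or found[0] != fixed[0]:
        return None
    return found >= fixed


def egojre_fixed(release, rpm_output):
    """True/False for a Spectrum Symphony release; None if no egojre package is listed."""
    fixed_version, fixed_build = FIXED_EGOJRE[release]
    m = EGOJRE_RE.search(rpm_output)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0  # no build tag: treat as older
    fixed = (tuple(int(x) for x in fixed_version.split(".")), fixed_build)
    return (version, build) >= fixed


def status(release, evidence):
    """Map a Symphony release plus its evidence text to 'fixed', 'vulnerable' or 'unknown'."""
    if release in FIXED_JAVA:
        result = java_fixed(release, evidence)
    elif release in FIXED_EGOJRE:
        result = egojre_fixed(release, evidence)
    else:
        raise ValueError("release not covered by this bulletin: %s" % release)
    return {True: "fixed", False: "vulnerable", None: "unknown"}[result]


# Sample evidence: the first three lines are the fixed-level outputs from the bulletin,
# the last two are constructed strings for an unpatched host.
JAVA6_FIXED = "Java(TM) SE Runtime Environment (build pxa6460sr16fp65-20180505_01(SR16 FP65))"
JAVA8_FIXED = "Java(TM) SE Runtime Environment (build 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17))"
RPM_712_FIXED = "egojre-1.8.0.517-497456.x86_64"
JAVA6_OLD = "Java(TM) SE Runtime Environment (build pxa6460sr16fp60-20180101_01(SR16 FP60))"  # constructed
RPM_712_OLD = "egojre-1.8.0.3-1.x86_64"  # constructed

if __name__ == "__main__":
    # usage: java -version 2>&1 | python check_symphony_jre.py "6.1.1"
    #        rpm -qa --dbpath /tmp/rpm | python check_symphony_jre.py "7.1.2"
    print(status(sys.argv[1], sys.stdin.read()))
```

java -version writes to stderr, so redirect it with 2>&1 before piping. A result of unknown means the evidence did not contain a recognisable IBM build id or egojre package for that release, which is worth treating as a finding in its own right rather than as a pass.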
If required, follow these instructions to uninstall this interim fix in your cluster:
For IBM Spectrum Symphony 7.1.2 and 7.2.0.2, uninstall the existing JRE, then install the old one:
1. Uninstall the JRE fix, for example:
> rpm -e egojre-1.8.0.517-497456.x86_64 --dbpath /tmp/rpm/ --nodeps
2. For IBM Spectrum Symphony 7.2.0.2, remove the leftover link under the jre folder, for example:
> rm -rf $EGO_TOP/jre/8.0.5.17
3. Extract the egojre .rpm package from the .bin installation package, for example, for IBM Spectrum Symphony 7.1.2:
> sym-7.1.2.0_x86_64.bin --extract /opt/extract
4. Reinstall the old JRE package. Use the same dbpath and prefix as the original installation (the prefix is the directory the egojre package was installed under), for example:
> rpm -ivh --dbpath /tmp/rpm --prefix <install_prefix> /opt/extract/egojre-1.8.0.3.x86_64.rpm
5. Delete all subdirectories and files in the GUI work directory:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/conf/wlp.conf file, you must also clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
6. Launch your browser and clear the browser cache.
7. Log on to the primary management host as the cluster administrator, start the cluster, and enable your applications:
> source profile.platform
> egosh ego start all
> soamcontrol app enable <appName>
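The rollback steps above as one scripted procedure. This is an added example, not IBM's own tooling: it removes the interim-fix egojre package, clears the 7.2.0.2 leftover link, reinstalls the original JRE package and cleans the GUI work directories, refusing to run without root or without the original package on disk. Assumptions: the RPM database path and EGO_TOP used at install time are passed in, the egojre RPM prefix is EGO_TOP (adjust if your install used another prefix), the original egojre RPM has already been extracted from the .bin installer, and DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Roll back the egojre interim fix on an IBM Spectrum Symphony 7.1.2 or 7.2.0.2 host.
# Added example, not from the IBM bulletin. Assumes the RPM --prefix is EGO_TOP
# and that DRY_RUN=1 should only print the commands that would be run.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Interim-fix package names from the bulletin's package table, with their build tag.
fix_pkg_for() {
    case "$1" in
        7.1.2)   echo "egojre-1.8.0.517-497456.x86_64" ;;
        7.2.0.2) echo "egojre-8.0.5.17-497456.x86_64" ;;
        *)       return 1 ;;
    esac
}

# usage: rollback_jre <symphony_version> <original_egojre_rpm> <rpm_dbpath> <ego_top>
rollback_jre() {
    ver=$1; old_rpm=$2; dbpath=$3; ego_top=$4
    pkg=$(fix_pkg_for "$ver") || { echo "unsupported Symphony version: $ver" >&2; return 1; }

    # Installing or removing the egojre RPMs needs root (see the prerequisites above).
    if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2; return 1
    fi
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -f "$old_rpm" ]; then
        echo "original JRE package not found: $old_rpm" >&2; return 1
    fi

    # 1. Remove the interim-fix JRE package from the cluster's RPM database.
    run rpm -e "$pkg" --dbpath "$dbpath" --nodeps

    # 2. 7.2.0.2 leaves a dangling link under the jre directory.
    if [ "$ver" = "7.2.0.2" ]; then
        run rm -rf "$ego_top/jre/8.0.5.17"
    fi

    # 3. Reinstall the original JRE with the same dbpath and prefix as the installation.
    run rpm -ivh --dbpath "$dbpath" --prefix "$ego_top" "$old_rpm"

    # 4. Clear the GUI work directories so the web GUI does not reuse stale artifacts.
    run rm -rf "$ego_top/gui/work/"* "$ego_top/gui/workarea/"*

    echo "rollback staged: clear the browser cache, then start the cluster with 'egosh ego start all'"
}
```

Run it once with DRY_RUN=1 on the primary management host and compare the printed commands with the manual steps before running it for real; the cluster should be stopped beforehand, as in the manual procedure, and restarted afterwards with egosh ego start all and soamcontrol app enable.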
Packages
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM Platform Symphony | 6.1.1 | P102655 | symSetup_jre6sr16fp65_linux-64_build497456.tar.gz |
IBM Platform Symphony | 7.1 Fix Pack 1 | P102655 | symSetup_jre7sr10fp25_linux-64_build497456.tar.gz |
IBM Platform Symphony | 7.1.1 | P102655 | symSetup_jre8sr5fp17_linux-64_build497456.tar.gz |
IBM Spectrum Symphony | 7.1.2 | P102655 | egojre-1.8.0.517.x86_64.rpm |
IBM Spectrum Symphony | 7.2.0.2 | P102655 | egojre-8.0.5.17.x86_64.rpm |
None
CPE
Name | Operator | Version |
---|---|---|
platform symphony | eq | 6.1.1 |
platform symphony | eq | 7.1 Fix Pack 1 |
platform symphony | eq | 7.1.1 |
ibm spectrum symphony | eq | 7.1.2 |
ibm spectrum symphony | eq | 7.2.0.2 |