Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2016-3426)

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 7 that is used by IBM Security SiteProtector System. The issue was disclosed as part of the IBM Java SDK updates in April 2016

Vulnerability Details

CVEID: CVE-2016-3426 **
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Security SiteProtector System 3.0 and 3.1.1

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

For SiteProtector 3.0:

SiteProtector Core Component

|

ServicePack3_0_0_13.xpu

—|—

Event Collector Component

|

RSEvntCol_WINNT_XXX_ST_3_0_0_11.xpu

Agent Manager Component

|

AgentManager_WINNT_XXX_ST_3_0_0_70.xpu

For SiteProtector 3.1.1:

SiteProtector Core Component

|

ServicePack3_1_1_8.xpu

—|—

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
<https://ibmss.flexnetoperations.com/service/ibms/login&gt;

Workarounds and Mitigations

None