9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 Service Refresh 10 Fix Pack 1 that is used by IBM Operations Analytics Predictive Insights 1.3.5 and earlier.
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 Service Refresh 4 Fix Pack 1 that is used by IBM Operations Analytics Predictive Insights 1.3.6.
These issues were disclosed as part of the IBM Java SDK updates in Jul 2017.
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for “IBM Java SDK Security Bulletin" located in the “References” section for more information.
CVEID: CVE-2017-10102**
DESCRIPTION:** An unspecified vulnerability related to the Java SE RMI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10116**
DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Security component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10078**
DESCRIPTION:** An unspecified vulnerability related to the Java SE Scripting component could allow an authenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128840 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2017-10115**
DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128876 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10125**
DESCRIPTION:** An unspecified vulnerability related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10243**
DESCRIPTION:** Microsoft Office software could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125293 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-10108**
DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10053**
DESCRIPTION:** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128822 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-1376**
DESCRIPTION:** A flaw in the IBM J9 VM class verifier allows untrusted code to disable the security manager and elevate its privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126873 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM Operations Analytics Predictive Insights 1.3.6 and earlier
Product
| VRMF| Remediation/First Fix
—|—|—
IBM Operations Analytics Predictive Insights| 1.3.0,
1.3.1,
1.3.2| Upgrade to 1.3.6
and see work around B
IBM Operations Analytics Predictive Insights| 1.3.3,
1.3.5| See work around A
IBM Operations Analytics Predictive Insights| 1.3.6| See work around B
Installation Instructions – work around A
----------------------------------------------------------
As the user that installed the Predictive Insights UI component, e.g scadmin
1. Download java-sdk-7.0.10.10 from Fix Central
2. Stop the UI server used by IBM Operations Analytics Predictive Insights
/<UI_HOME>/bin/pi.sh -stop
where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. Rename JAVA SDK installation folder
mv ibm-java-x86_64-70 ibm-java-x86_64-70_orig
5. untar ibm-java-sdk-7.0-10.10-linux-x86_64.tgz into <UI_HOME> folder (this will create a new ibm-java-x86_64-70 folder in <UI_HOME>)
6. start UI server
<UI_HOME>/bin/pi.sh -start
Remove Update Instructions – work around A
----------------------------------------------------------------
As the user that installed the Predictive Insights UI component, e.g scadmin
1. Stop the UI server used by IBM Operations Analytics Predictive Insights
<UI_HOME>/bin/pi.sh -stop
where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. mv ibm-java-x86_64-70 ibm-java-x86_64-70_iFix
5. Replace the JAVA SDK installation folder with the original
mv ibm-java-x86_64-70_orig ibm-java-x86_64-70
5. start UI server
<UI_HOME>/bin/pi.sh -start
Installation Instructions – work around B
--------------------------------------------------------
As the user that installed the Predictive Insights UI component, e.g scadmin
1. Download java-sdk-8.0.4.10 from Fix Central
2. Stop the UI server used by IBM Operations Analytics Predictive Insights
/<UI_HOME>/bin/pi.sh -stop
where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. Rename JAVA SDK installation folder
mv ibm-java-x86_64-80 ibm-java-x86_64-80_orig
5. untar ibm-java-sdk-8.0-4.10-linux-x86_64.tgz into <UI_HOME> folder (this will create a new ibm-java-x86_64-80 folder in <UI_HOME>)
6. start UI server
<UI_HOME>/bin/pi.sh -start
Remove Update Instructions – work around B
----------------------------------------------------------------
As the user that installed the Predictive Insights UI component, e.g scadmin
1. Stop the UI server used by IBM Operations Analytics Predictive Insights
<UI_HOME>/bin/pi.sh -stop
where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. mv ibm-java-x86_64-80 ibm-java-x86_64-80_iFix
5. Replace the JAVA SDK installation folder with the original
mv ibm-java-x86_64-80_orig ibm-java-x86_64-80
5. start UI server
<UI_HOME>/bin/pi.sh -start
CPE | Name | Operator | Version |
---|---|---|---|
ibm operations analytics - predictive insights | eq | any |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P