Lucene search

IBM695E118471FAE8E3CBC9E8A7E3982B7B52C0796BAEA4430F6C816FBD66036CC7

HistoryDec 21, 2019 - 5:05 a.m.

Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and Agent

2019-12-2105:05:02

www.ibm.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

JSON

Summary

There are multiple vulnerabilities related to IBM® Runtime Environment Java™ Technology Edition which is used and shipped by different versions of IBM License Key Server Administration and Reporting Tool (ART) and Agent.

Vulnerability Details

CVEID:CVE-2019-2933

**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169238> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-2945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169250> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2958
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169264> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-2964

**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169270> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2989
**DESCRIPTION:**An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169295> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID:CVE-2019-17631
**DESCRIPTION:**Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to performs an authorization check when an actor attempts to access a resource or perform an action. An attacker could exploit this vulnerability to gain access to diagnostic operations such as causing a GC or creating a diagnostic file.
CVSS Base score: 8.4
CVSS Temporal Score: See: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169513> for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM LKS Administration and Reporting Tool version 8.1.5
IBM LKS Administration and Reporting Tool version 8.1.5.1
IBM LKS Administration and Reporting Tool version 8.1.5.2
IBM LKS Administration and Reporting Tool version 8.1.5.3
IBM LKS Administration and Reporting Tool version 8.1.5.4
IBM LKS Administration and Reporting Tool version 8.1.5.5
IBM LKS Administration and Reporting Tool version 8.1.5.6
IBM LKS Administration and Reporting Tool version 8.1.6
IBM LKS Administration and Reporting Tool version 8.1.6.1
IBM LKS Administration and Reporting Tool version 8.1.6.2
IBM LKS Administration and Reporting Agent version 8.1.5
IBM LKS Administration and Reporting Agent version 8.1.5.1
IBM LKS Administration and Reporting Agent version 8.1.5.2
IBM LKS Administration and Reporting Agent version 8.1.5.3
IBM LKS Administration and Reporting Agent version 8.1.5.4
IBM LKS Administration and Reporting Agent version 8.1.5.5
IBM LKS Administration and Reporting Agent version 8.1.5.6
IBM LKS Administration and Reporting Agent version 8.1.6
IBM LKS Administration and Reporting Agent version 8.1.6.1
IBM LKS Administration and Reporting Agent version 8.1.6.2

Remediation/Fixes

Upgrade to the version 8.1.6.2 for both IBM License Key Server Administration and Reporting Tool (ART) and Agent. Refer to the Release Notes for download and upgrade instructions.

Workarounds and Mitigations

None

CPENameOperatorVersion
rational license key servereq8.1.5
rational license key servereq8.1.5.1
rational license key servereq8.1.5.2
rational license key servereq8.1.5.3
rational license key servereq8.1.5.4
rational license key servereq8.1.5.5
rational license key servereq8.1.5.6
rational license key servereq8.1.6
rational license key servereq8.1.6.1
rational license key servereq8.1.6.2

Name	Operator	Version
rational license key server	eq	8.1.5
rational license key server	eq	8.1.5.1
rational license key server	eq	8.1.5.2
rational license key server	eq	8.1.5.3
rational license key server	eq	8.1.5.4
rational license key server	eq	8.1.5.5
rational license key server	eq	8.1.5.6
rational license key server	eq	8.1.6
rational license key server	eq	8.1.6.1
rational license key server	eq	8.1.6.2