Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6CDA9CBBD4E668C70A53BD4F7D7CDE00CF73C49E1D8C5300C858682BFBB02BCB
HistoryDec 06, 2018 - 3:35 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System

2018-12-0603:35:02
www.ibm.com
20

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8.0.5.16 used by IBM Security SiteProtector System. IBM Security SiteProtector System has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2017-3736 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134397&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java Runtime Environment’'s Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2964 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146827&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2973 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-12539 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected IBM Security SiteProtector System Affected Versions
IBM Security SiteProtector System 3.0.0
IBM Security SiteProtector System 3.1.1

Remediation/Fixes

Product VRMF Remediation/First Fix
IBM Security SiteProtector System 3.1.1.17

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

ServicePack3_1_1_17.xpu
Console-Setup.exe
IBM Security SiteProtector System | 3.0.0.20 |

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

ServicePack3_0_0_20.xpu
AgentManager_WINNT_XXX_ST_3_0_0_84.xpu
RSEvntCol_WINNT_XXX_ST_3_0_0_17.xpu
Console-Setup.exe

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm security siteprotector systemeqany

Related

ibm 160
openvas 7
nessus 15
redhat 6
aix 1
redhatcve 2
veracode 2
prion 2
osv 1
cve 2
ubuntucve 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager
2018-11-16 14:35:01
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux - July 2018
2018-11-22 17:20:01
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1656, CVE-2018-12539)
2019-02-01 00:25:01
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:2839-2)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:3082-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2839-1)
2021-04-19 00:00:00
nessus
nessus
SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-2)
2018-10-22 00:00:00
SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-1)
2018-09-25 00:00:00
SUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:3082-1)
2019-01-02 00:00:00
redhat
redhat
(RHSA-2018:2575) Important: java-1.8.0-ibm security update
2018-08-28 19:06:50
(RHSA-2018:2713) Moderate: java-1.8.0-ibm security update
2018-09-17 14:43:25
(RHSA-2018:2568) Important: java-1.8.0-ibm security update
2018-08-27 14:09:01
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2018-09-19 08:42:00
redhatcve
redhatcve
CVE-2018-12539
2019-10-10 23:34:49
CVE-2018-1656
2018-08-17 20:49:15
veracode
veracode
Arbitrary Code Execution
2019-01-15 09:24:36
Directory Traversal
2019-05-16 03:24:18
prion
prion
Default configuration
2018-08-14 19:29:00
Path traversal
2018-08-20 21:29:00
osv
osv
CVE-2018-12539
2018-08-14 19:29:00
cve
cve
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-1656
2018-08-20 21:29:00
ubuntucve
ubuntucve
CVE-2018-1656
2018-08-20 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for 6CDA9CBBD4E668C70A53BD4F7D7CDE00CF73C49E1D8C5300C858682BFBB02BCB
ibm160openvas7nessus15redhat6aix1redhatcve2veracode2prion2osv1cve2ubuntucve1