Security Bulletin: CVE-2023-30441 affects IBM® SDK, Java™ Technology Edition

Summary

CVE-2023-30441 affects IBM SDK, Java Technology Edition. An update has been released to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-30441
**DESCRIPTION:**IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE components could expose sensitive information using a combination of flaws and configurations.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

8.0.7.0 - 8.0.7.11

Note: Earlier 8.x releases are also affected if the security provider order has been changed to prefer the IBMJCEPlus provider over the IBMJCE provider. More information on this topic can be found here.

Remediation/Fixes

8.0.7.15

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

Workarounds and Mitigations

Modify the security provider order in the jre/lib/security/java.security file to prefer the IBMJCE provider over the IBMJCEPlus provider.