Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Automation Framework (CVE-2015-1931, CVE-2015-2601, CVE-2015-2625)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7SR8 that is used by Rational Automation Framework. These issues were disclosed as part of the IBM Java SDK updates in July 2015.

Vulnerability Details

CVEID: CVE-2015-2601**
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2625**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1931**
DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
CVSS Base Score: 2.1
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2.x, 3.0.1.3.x on all supported platforms.

Remediation/Fixes

Upgrade to RAF 3.0.1.3 ifix6 or later.