Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility

2019-10-02 22:53:20
www.ibm.com

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 and 8 used by IBM Installation Manager and IBM Packaging Utility. The IBM Installation Manager and IBM Packaging Utility have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2019-4473
DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163984> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11771
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163989> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
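
As an added example (not part of IBM's bulletin or of either project's code), the following Python function audits a colon-separated library search path of the kind both CVEs concern, reporting entries that are relative, absent, or reachable through a directory that is group- or world-writable or not owned by a trusted UID. The names `audit_libpath` and `trusted_uids` and the sample path are assumptions for illustration, and the path string is assumed to have been read from the binary under review beforehand.

```python
import os
import stat


def audit_libpath(libpath, trusted_uids=(0,)):
    """Return (entry, component, issue) tuples for a colon-separated search path.

    Every directory from each entry up to "/" is checked, because write
    access to any ancestor is enough to replace what lies below it.
    """
    findings = []
    for entry in libpath.split(":"):
        if not os.path.isabs(entry):
            # Empty or relative entries resolve against the working directory.
            findings.append((entry, entry, "relative"))
            continue
        probe = os.path.normpath(entry)
        while True:
            try:
                st = os.stat(probe)
            except (FileNotFoundError, NotADirectoryError):
                # Absent now; whoever can write to the nearest existing
                # ancestor can create it later.
                findings.append((entry, probe, "missing"))
            except PermissionError:
                findings.append((entry, probe, "unreadable"))
            else:
                if st.st_uid not in trusted_uids:
                    findings.append((entry, probe, "untrusted-owner"))
                # The sticky bit does not stop new files being added, so a
                # sticky world-writable directory is still reported.
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((entry, probe, "group-or-world-writable"))
            parent = os.path.dirname(probe)
            if parent == probe:
                break
            probe = parent
    return findings


if __name__ == "__main__":
    # Constructed sample path; substitute the value read from the binary.
    for finding in audit_libpath("/usr/lib:/lib:/tmp/build/lib:lib"):
        print(*finding, sep="\t")
```

An empty result means every entry is absolute, present, and owned and writable only by trusted accounts along its whole chain of parent directories.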

Affected Products and Versions

IBM Installation Manager and IBM Packaging Utility versions 1.9 and earlier.

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM Installation Manager and IBM Packaging Utility | 1.9.x | IJ17982, IJ17983 | 1.9.1 IBM Installation Manager Remediation; 1.9.1 IBM Packaging Utility Remediation
IBM Installation Manager and IBM Packaging Utility | 1.8.x | IJ17982, IJ17983 | 1.8.9.6 IBM Installation Manager Remediation; 1.8.9.6 IBM Packaging Utility Remediation

Workarounds and Mitigations

None
