Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU for WebSphere MQ Internet Pass-Thru - Jan 2020 - Includes Oracle Jan 2020 CPU minus CVE-2020-2585, CVE-2020-2654, and CVE-2020-2590

Summary

WebSphere MQ Internet Pass-Thru has addressed the following vulnerability in IBM® Runtime Environment Java™ Version 7.0.10.50 and earlier. This issue was disclosed as part of the IBM Java SDK updates in January 2020.

Vulnerability Details

CVEID:CVE-2019-4732
**DESCRIPTION:**IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172618 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

A JRE upgrade package to IBM Runtime Environment Java Version 7 Service Refresh 10 Fix Pack 65 for Windows, AIX, Solaris and Linux is available to download on the MQIPT SupportPac web page.

Workarounds and Mitigations

None