Security Bulletin: Vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Operations Analytics Predictive Insights

Published: Dec 08, 2023 - 12:00 p.m.
Source: www.ibm.com

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 7.4 High (Confidence: High)
EPSS: 0.003 Low (Percentile: 65.8%)

Note that this CVSS:3.1 vector (AC:L, base 9.8) is the Vulners scoring and differs from the CVSS:3.0 vector IBM gives in the bulletin itself (AC:H, base 8.1); use IBM's vector when reconciling with the vendor rating.

Summary

IBM Operations Analytics Predictive Insights uses IBM® SDK, Java™ Technology Edition, and vulnerability CVE-2022-40609 may expose the Java process to a variety of malicious attacks.

Vulnerability Details

CVEID: CVE-2022-40609
DESCRIPTION: IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
CVSS Base score: 8.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                           Version(s)
IBM Operations Analytics Predictive Insights  1.3.5
IBM Operations Analytics Predictive Insights  1.3.6

Remediation/Fixes

Step One: If not applied already, apply 1.3.6 Interim Fix 6, then apply 1.3.6 Interim Fix 7

Note: iFix6 is a requirement for the application of iFix7.

Both iFix6 and iFix7 can be found in FixCentral: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics±+Predictive+Insights&release=1.3.6

Step Two: Java 8.0.8.5 Installation Instructions

As the user that installed the Predictive Insights UI component, e.g. scadmin:
1. Download the ibm-java-x86_64-sdk-8.0-8.5.bin (161.93 MB) file from Fix Central: Java 8.0.8.5 (Service Refresh 8 Fix Pack 5 for IBM SDKs for Java Technology version 8.0, for Linux 64-bit, x86_64).
2. As the user that installed the Predictive Insights UI, stop the UI server used by IBM Operations Analytics Predictive Insights:
   <UI_HOME>/bin/pi.sh -stop
   where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. Rename the Java SDK installation folder:
   mv ibm-java-x86_64-80 ibm-java-x86_64-80_orig
5. As the root user, or a user with sudo access, run ibm-java-x86_64-sdk-8.0-8.5.bin to install the SDK into the <UI_HOME> folder.
   When prompted "Where would you like to install?", supply the full path <UI_HOME>/ibm-java-x86_64-80.
   This creates a new ibm-java-x86_64-80 folder in <UI_HOME>.
6. If necessary, change the ownership of the newly installed SDK, e.g.
   chown -R scadmin:scadmin /opt/IBM/scanalytics/UI/ibm-java*
7. As the user that installed the Predictive Insights UI, start the UI server:
   <UI_HOME>/bin/pi.sh -start

Remove Update Instructions (if you want to revert the Java 8.0.8.5 installation)

As the user that installed the Predictive Insights UI component, e.g. scadmin:
1. As the user that installed the Predictive Insights UI, stop the UI server used by IBM Operations Analytics Predictive Insights:
   <UI_HOME>/bin/pi.sh -stop
2. As the root user, or a user with sudo access, run ibm-java-x86_64-sdk-8.0-8.5.bin and follow the prompts to uninstall the Java that was installed to <UI_HOME>.
3. As the user that installed the Predictive Insights UI, replace the Java SDK installation folder with the original:
   mv ibm-java-x86_64-80_orig ibm-java-x86_64-80
4. As the user that installed the Predictive Insights UI, start the UI server:
   <UI_HOME>/bin/pi.sh -start
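A post-change check for the two procedures above (Step Two and the revert), added here as an example and not part of the IBM bulletin: it reads the service-refresh level that IBM SDK 8 prints in the "Java(TM) SE Runtime Environment (build 8.0.8.5 - ...)" line of `java -version` and compares it to 8.0.8.5, so you can confirm on each host that the fixed SDK is the one under <UI_HOME>/ibm-java-x86_64-80 (or, after the revert, that the original level is back). The `bin/java` path under the SDK folder, the function names, the `--check` invocation and the two sample version outputs are my assumptions and constructions, not taken from the bulletin.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: verify the IBM SDK level under
# <UI_HOME>/ibm-java-x86_64-80 after Step Two (or after the revert).
# Assumption: IBM SDK 8 prints a line of the form
#   Java(TM) SE Runtime Environment (build 8.0.8.5 - pxa6480sr8fp5-...)
# in `java -version` output; the "build N.N.N.N" token is the SR/FP level.

FIXED_LEVEL="8.0.8.5"   # level delivered by ibm-java-x86_64-sdk-8.0-8.5.bin

# Print the IBM SDK level (e.g. 8.0.8.5) found in `java -version` text on stdin.
# Only the "Runtime Environment (build N.N.N.N - ...)" line matches; the J9 VM
# line ("build 2.9, JRE ...") has no " - " after its number and is ignored.
sdk_level_from_version_text() {
    sed -n 's/.*(build \([0-9][0-9.]*\) - .*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing field by field numerically;
# a missing trailing field counts as 0 (so 8.0.8 < 8.0.8.5).
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Return 0 if the `java -version` text in $1 shows FIXED_LEVEL or later,
# 1 if it is older, 2 if no IBM SDK level can be found at all
# (e.g. a non-IBM JDK on the path, which the bulletin's fix does not cover).
java_is_fixed() {
    level=$(printf '%s\n' "$1" | sdk_level_from_version_text)
    if [ -z "$level" ]; then
        return 2
    fi
    version_ge "$level" "$FIXED_LEVEL"
}

# Constructed sample outputs in the shape IBM SDK 8 prints (not captured from
# a real host): the affected 8.0.8.0 level and the fixed 8.0.8.5 level.
SAMPLE_OLD='java version "1.8.0_371"
Java(TM) SE Runtime Environment (build 8.0.8.0 - pxa6480sr8-20230328_01(SR8))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20230328_01 (JIT enabled, AOT enabled)'
SAMPLE_NEW='java version "1.8.0_381"
Java(TM) SE Runtime Environment (build 8.0.8.5 - pxa6480sr8fp5-20230831_01(SR8 FP5))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20230831_01 (JIT enabled, AOT enabled)'

# Live check on the host, run only when invoked as:
#   sh check_sdk_level.sh --check [UI_HOME]
# UI_HOME defaults to the bulletin's typical /opt/IBM/scanalytics/UI.
if [ "${1:-}" = "--check" ]; then
    UI_HOME="${2:-/opt/IBM/scanalytics/UI}"
    JAVA_BIN="$UI_HOME/ibm-java-x86_64-80/bin/java"
    if java_is_fixed "$("$JAVA_BIN" -version 2>&1)"; then
        echo "OK: $JAVA_BIN reports IBM SDK $FIXED_LEVEL or later"
    else
        echo "NOT FIXED: $JAVA_BIN is below $FIXED_LEVEL or is not an IBM SDK" >&2
        exit 1
    fi
fi
```

Run it with `--check` after step 7 of Step Two; a non-zero exit means the UI server is still starting on the old SDK (for example because the installer was pointed at a different path than <UI_HOME>/ibm-java-x86_64-80, or the renamed `_orig` folder was moved back). After the revert procedure the same check is expected to report NOT FIXED, which confirms the original 8.0.8.0 SDK is in place again.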

Workarounds and Mitigations

None

Affected configurations (Vulners node)

ibm operations_analytics_predictive_insights Match 1.3.5
OR
ibm operations_analytics_predictive_insights Match 1.3.6
