Jun 16, 2018 - 1:37 p.m.

Security Bulletin: A potential vulnerability in IBM Java SDK affects InfoSphere Streams (CVE-2015-4872)

www.ibm.com

CVSS2: 5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Summary

There is a potential vulnerability in IBM® SDK Java™ Technology Edition, Versions 6 SR16 FP4, 7R1 SR3 and 8 SR1 that are used by InfoSphere Streams. This issue was disclosed as part of the IBM Java SDK updates in Oct 2015.

Vulnerability Details

CVEID: CVE-2015-4872
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • 1.2.1.0
  • 2.0.0.4 and earlier
  • 3.0.0.5 and earlier
  • 3.1.0.6 and earlier
  • 3.2.1.3 and earlier
  • 4.0.1.0
  • 4.1.1.0

Remediation/Fixes

Apply the appropriate upgrade for InfoSphere Streams as indicated below. Fix packs are available on IBM Fix Central.

  • Version 4.1: Apply 4.1.1 fix pack 1 (4.1.1.1) or higher. If JAVA_HOME is defined see the note at the end of this section.
  • Version 4.0.1: Apply 4.0.1 fix pack 2 (4.0.1.2) or higher. If JAVA_HOME is defined see the note at the end of this section.
  • Version 3.2.1: Apply 3.2.1 fix pack 5 (3.2.1.5) or higher. If JAVA_HOME is defined see the note at the end of this section.
  • Version 3.1: Apply 3.1 fix pack 1 (3.1.0.7) or higher. If JAVA_HOME is defined see the note at the end of this section.
  • Version 3.0: Apply 3.0 fix pack 6 (3.0.0.6) or higher. If JAVA_HOME is defined see the note at the end of this section.
  • Versions 1.0 and 2.0: Upgrade to the latest version of InfoSphere Streams for which these fixes have been released.
  • For assistance performing an upgrade contact IBM Technical Support.
  • Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.

IMPORTANT NOTE: If JAVA_HOME is set ensure it points to the install location of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME set to a different location will need to be recompiled after JAVA_HOME has been changed. For more information on compiling with JAVA_HOME set see the Notes section on the page at this URL or the corresponding page for the Streams version you are using: http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

For version 1.x and 2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Note that Java 6 is not supported for Streams v4.0.
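
As an added example (not part of the IBM bulletin), the fix-pack thresholds in the Remediation/Fixes list can be turned into a triage check for an inventory of installed InfoSphere Streams versions. The function names, status strings and sample host inventory are assumptions made for illustration; only the version thresholds come from the bulletin.

```python
# Added example: thresholds transcribed from the Remediation/Fixes list above.
# Key = release-line prefix, value = first fixed version for that line.
FIXED_IN = {
    (4, 1): (4, 1, 1, 1),
    (4, 0, 1): (4, 0, 1, 2),
    (3, 2, 1): (3, 2, 1, 5),
    (3, 1): (3, 1, 0, 7),
    (3, 0): (3, 0, 0, 6),
}


def parse_version(text):
    """Turn '4.0.1.0' into (4, 0, 1, 0); short versions are zero-padded."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(installed):
    """Return (status, first_fixed_version_or_None) for one installed version."""
    v = parse_version(installed)
    if v[0] in (1, 2):
        # The bulletin offers no fix pack for 1.x/2.x, only a release upgrade.
        return ("upgrade-release", None)
    # Try the most specific release line first (4.0.1 before any 4.x prefix).
    for prefix in sorted(FIXED_IN, key=len, reverse=True):
        if v[: len(prefix)] == prefix:
            fixed = FIXED_IN[prefix]
            status = "fixed" if v >= fixed else "apply-fix-pack"
            return (status, ".".join(map(str, fixed)))
    # Release lines the bulletin does not mention (e.g. 4.0.0.x) need manual review.
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are hypothetical.
    inventory = {"streams-a": "4.1.1.0", "streams-b": "3.2.1.5",
                 "streams-c": "2.0.0.4", "streams-d": "4.0.0.0"}
    for host, version in inventory.items():
        status, fixed = triage(version)
        print(f"{host}: {version} -> {status}" + (f" (first fixed: {fixed})" if fixed else ""))
```

A "fixed" result covers only the Streams fix-pack level; the JAVA_HOME check described in the IMPORTANT NOTE still has to be done separately on each host.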
