Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ versions 8 used by IBM Spectrum Conductor with Spark 2.2.0, 2.2.1 and IBM Spectrum Conductor 2.3.0. IBM Spectrum Conductor has addressed the applicable CVEs.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin”, located in the References section for more information.

CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151455&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-3136
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151452&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)

CVEID: CVE-2018-13785
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146015&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-3214
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Sound component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151530&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151497&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3149
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151465&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3169
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151486&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3183
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Scripting component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151500&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Conductor with Spark: 2.2.0 - 2.2.1
IBM Spectrum Conductor: 2.3.0

Remediation/Fixes

Packages

egojre-8.0.5.25.x86_64.rpm

IBM Spectrum Conductor with Spark | 2.2.1 | P102842 |

egojre-8.0.5.25.x86_64.rpm

IBM Spectrum Conductor | 2.3.0 | P102842 |

egojre-8.0.5.25.x86_64.rpm

Before installation

1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
2. Log on to the master host as the cluster administrator:
   > egosh user logon -u Admin -x Admin
3. Stop all services and shut down the cluster:
   > egosh service stop all
   > egosh ego shutdown all

Installation and verification

IBM Spectrum Conductor with Spark 2.2.0

1. Log on to each host in your cluster (root or sudo to root permission).
2. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
3. Upgrade the JRE by using the RPM for the interim fix.
   NOTE: RPM version 4.2.1 or later must be installed on the host.

For example, on Linux x86_64 hosts, enter:
> mkdir -p /tmp/cws22build509248
> tar zxof cws-2.2.0.0_x86_64_build509248.tgz -C /tmp/cws22build509248
> rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/cws22build509248/egojre-8.0.5.25.x86_64.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.

4. The _cshrc.jre _and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.

5. Source the cluster profile again and start the cluster:
   > egosh ego start all

6. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

7. Run the rpm –qa command to verify the installation:
   > rpm -qa --dbpath dbpath_location |grep egojre

egojre-8.0.5.25-509248.x86_64

IBM Spectrum Conductor with Spark 2.2.1

1. Log on to each host in your cluster (root or sudo to root permission).
2. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
3. Upgrade the JRE by using the RPM for the interim fix.
   NOTE: RPM version 4.2.1 or later must be installed on the host.

For example, on Linux x86_64 hosts, enter:
> mkdir -p /tmp/cws221build509249
> tar zxof cws-2.2.1.0_x86_64_build509249.tgz -C /tmp/cws221build509249
> rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/cws221build509249/egojre-8.0.5.25.x86_64.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
The _cshrc.jre _and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.

4. Source the cluster profile again and start the cluster:
   > egosh ego start all
5. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.
6. Run the rpm –qa command to verify the installation:
   > rpm -qa --dbpath dbpath_location |grep egojre

egojre-8.0.5.25-509249.x86_64

IBM Spectrum Conductor 2.3.0

1. Log on to each host in your cluster (root or sudo to root permission).
2. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
3. Upgrade the JRE by using the RPM for the interim fix.
   NOTE: RPM version 4.2.1 or later must be installed on the host. Ensure that you replace dbpath_location in the following commands with the path to your database.
   For example, on Linux x86_64 hosts, enter:
   > mkdir -p /tmp/sc230build509250
   > tar zxof conductor-2.3.0.0_x86_64_build509250.tgz -C /tmp/sc230build509250
   > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/sc230build509250/egojre-8.0.5.25.x86_64.rpm
   where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
   The _cshrc.jre _and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
4. Source the cluster profile again and start the cluster:
   > egosh ego start all
5. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.
6. Run the rpm –qa command to verify the installation:
   > rpm -qa --dbpath dbpath_location |grep egojre

egojre-8.0.5.25-509250.x86_64

Uninstallation (if required)

IBM Spectrum Conductor with Spark 2.2.0

1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
2. Log on to the master host as the cluster administrator:
   > egosh user logon -u Admin -x Admin
3. Stop services and shut down the cluster:
   > egosh service stop all
   > egosh ego shutdown all
4. Log on to each host in your cluster (root or sudo to root permission).
5. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
6. Uninstall the existing JRE and then install the old JRE.
   NOTE: RPM version 4.2.1 or later must be installed on the host.
   For example, on Linux x86_64 hosts, enter:

> rpm -e egojre-8.0.5.25-509248.x86_64 --dbpath dbpath_location --nodeps
> rpm -qa --dbpath dbpath_location |grep egojre
where dbpath_location specifies the path to your database.
For each previous egojre rpm, run:
> rpm -e [egojre_name] --dbpath dbpath_location --nodeps
Then, install the old JRE:
> mkdir -p /tmp/extract22
> cws-2.2.0.0_x86_64.bin --extract /tmp/extract22
> rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/extract22/egojre-*.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.

7. Source the cluster profile and start the cluster:
   > egosh ego start all
8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

IBM Spectrum Conductor with Spark 2.2.1

1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
2. Log on to the master host as the cluster administrator:
   > egosh user logon -u Admin -x Admin
3. Stop services and shut down the cluster:
   > egosh service stop all
   > egosh ego shutdown all
4. Log on to each host in your cluster (root or sudo to root permission).
5. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
6. Uninstall the existing JRE and then install the old JRE.
   For example, on Linux x86_64 hosts, enter:

> rpm -e egojre-8.0.5.25-509249.x86_64 --dbpath dbpath_location --nodeps
> rpm -qa --dbpath dbpath_location |grep egojre
where dbpath_location specifies the path to your database.
For each previous egojre rpm, run:
> rpm -e [egojre_name] --dbpath dbpath_location --nodeps
Then, install the old JRE:
> mkdir -p /tmp/extract221
> cws-2.2.1.0_x86_64.bin --extract /tmp/extract221
> rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/extract221/egojre-*.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.

7. Source the cluster profile and start the cluster:
   > egosh ego start all
8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

IBM Spectrum Conductor 2.3.0

1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
2. Log on to the master host as the cluster administrator:
   > egosh user logon -u Admin -x Admin
3. Stop services and shut down the cluster:
   > egosh service stop all
   > egosh ego shutdown all
4. Log on to each host in your cluster (root or sudo to root permission).
5. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files, for example:
   > export CLUSTERADMIN=egoadmin
6. Uninstall the existing JRE and then install the old JRE.
   NOTE: RPM version 4.2.1 or later must be installed on the host.
   For example, on Linux x86_64 hosts, enter:
   > rpm -e egojre-8.0.5.25-509250.x86_64 --dbpath dbpath_location --nodeps
   > rpm -qa --dbpath dbpath_location |grep egojre
   where dbpath_location specifies the path to your database.
   For each previous egojre rpm, run:
   > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
   Then, install the old JRE:
   > mkdir -p /tmp/extract23
   > conductor2.3.0.0_x86_64.bin --extract /tmp/extract23
   > rpm -ivh --prefix $EGO_TOP --dbpath _dbpath_location _/tmp/extract23/egojre-*.rpm
   where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
7. Source the cluster profile and start the cluster:
   > egosh ego start all
8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Workarounds and Mitigations

None