IBM89110ABC25F6D47E30A7065527D32DED0588DB619219C340BCD7477553C82B04Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition Versions 5, 6, 7 and 8, which are used by IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business. These issues were disclosed as part of the IBM Java SDK updates for October 2015.
Vulnerability Details
CVEID: CVE-2015-4844**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4843**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107342 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4805**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Serialization component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107345 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4860**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107344 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4883**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107343 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4835**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4810**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4806**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107350 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-4871**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107351 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-4902**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107352 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-4872**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-4893**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4840**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-4842**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JAXP component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107355 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-4882**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4903**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the RMI component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-4803**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4734**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-5006**
DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106309 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
IBM Tivoli Access Manager for e-business 6.0, 6.1, 6.1.1
IBM Security Access Manager for Web 7.0 (software)
IBM Security Access Manager for Web 8.0, all firmware versions
IBM Security Access Manager for Web 9.0
Remediation/Fixes
The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.
| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Tivoli Access Manager for e-business | 6.0 | IV79536 | 1. Apply Interim Fix 42: |
| 6.0.0-ISS-TAM-IF0042 | |||
| IBM Tivoli Access Manager for e-business | 6.1 | IV79536 | 1. Apply Interim Fix 23: |
| 6.1.0-ISS-TAM-IF0023 | |||
| IBM Tivoli Access Manager for e-business | 6.1.1 | IV79536 | 1. Apply Interim Fix 22: |
| 6.1.1-ISS-TAM-IF0022 | |||
| IBM Security Access Manager for Web | 7.0 (software) | IV79536 | 1. Apply Interim Fix 20: |
| 7.0.0-ISS-SAM-IF0020 | |||
| IBM Security Access Manager for Web | 8.0.0.0 - | ||
| 8.0.1.3 | IV79576 | 1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: | |
| 8.0.1-ISS-WGA-FP0003** ** |
2. Apply 8.0.1.3 Interim Fix 3:
8.0.1.3-ISS-WGA-IF0003
IBM Security Access Manager| 9.0| IV79576 | 1. Upgrade to 9.0.0.1:
9.0.0-ISS-ISAM-FP0001
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C