History: Mar 15, 2024 - 6:48 p.m.

Security Bulletin: Multiple vulnerabilities in Open JDK affecting Rational Functional Tester / DevOps Test UI

2024-03-15 18:48:14
www.ibm.com

CVSS3: 7.4 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector NETWORK, Attack Complexity HIGH, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality Impact HIGH, Integrity Impact HIGH, Availability Impact NONE
AI Score: 6.8 Medium (Confidence: High)
CVSS2: 4 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:N)
  Access Vector NETWORK, Access Complexity HIGH, Authentication NONE, Confidentiality Impact PARTIAL, Integrity Impact PARTIAL, Availability Impact NONE
EPSS: 0.001 Low (Percentile 36.6%)

Summary

There are multiple vulnerabilities in the OpenJDK 8 (OpenJ9) runtime bundled with Rational Functional Tester (RFT) / DevOps Test UI, and in the OpenJDK 17 (OpenJ9) JRE bundled with DevOps Test UI 11.0. RFT has addressed the applicable CVEs by providing updated IBM Semeru runtimes, listed under Remediation/Fixes below.

Vulnerability Details

CVEID: CVE-2024-20952
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2024-20918
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2024-20921
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-20945
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-20926
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)                 Version(s)
Rational Functional Tester (RFT)    RFT 10.0
Rational Functional Tester (RFT)    RFT 10.1
Rational Functional Tester (RFT)    RFT 10.2
Rational Functional Tester (RFT)    RFT 10.5
DevOps Test UI (Test UI)            Test UI 11.0

Remediation/Fixes

JDK 8 replacement (IBM Semeru Runtime Open Edition 8u402-b06, OpenJ9 0.43.0)

Product     Version          APAR
RFT         10.0 to 10.5.4   None
Test UI     11.0.0           None

Operating System    Remediation/Fix
Windows 32 bit      <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x86-32_windows_8u402b06_openj9-0.43.0.zip>
Windows 64 bit      <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_windows_8u402b06_openj9-0.43.0.zip>
Linux               <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_linux_8u402b06_openj9-0.43.0.tar.gz>
Mac OS              <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_mac_8u402b06_openj9-0.43.0.tar.gz>

Download the JDK build for your platform and replace the bundled JDK manually.
Note: Take a backup of the existing ${RFTinstallLocation}/jdk folder before replacing it.

JRE 17 replacement (IBM Semeru Runtime Open Edition 17.0.9+9, OpenJ9 0.41.0)

Product     Version   APAR
Test UI     11.0.0    None

Operating System    Remediation/Fix
Windows 32 bit      <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.9%2B9_openj9-0.41.0/ibm-semeru-open-jre_x64_windows_17.0.9_9_openj9-0.41.0.zip>
Windows 64 bit      <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.9%2B9_openj9-0.41.0/ibm-semeru-open-jre_x64_windows_17.0.9_9_openj9-0.41.0.zip>
Linux               <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.9%2B9_openj9-0.41.0/ibm-semeru-open-jre_x64_linux_17.0.9_9_openj9-0.41.0.tar.gz>
Mac OS              <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.9%2B9_openj9-0.41.0/ibm-semeru-open-jre_x64_mac_17.0.9_9_openj9-0.41.0.tar.gz>

(Note: the Windows 32 bit entry in this table links to the same x64 archive as the Windows 64 bit entry.)

Download the JRE build for your platform and replace the bundled JRE manually.
Note: Take a backup of the existing ${DTUIinstallLocation}/jre17/jre folder before replacing it.

Additional steps for Mac OS:

Run the following commands:

chmod -R +x ${RFTinstallLocation}/jdk/Contents/Home/bin
chmod -R +x ${RFTinstallLocation}/jdk/Contents/Home/jre/bin
chmod -R +x ${RFTinstallLocation}/jdk/Contents/Home/jre/lib/jspawnhelper
chmod -R +x ${RFTinstallLocation}/jdk/Contents/Home/jre/lib/*.dylib
rm -f ${RFTinstallLocation}/jdk/Contents/MacOS/libjli.dylib
ln -s ${RFTinstallLocation}/jdk/Contents/Home/jre/lib/jli/libjli.dylib ${RFTinstallLocation}/jdk/Contents/MacOS/libjli.dylib

For DevOps Test UI 11.0.0 and later releases, run the following additional commands:

chmod -R +x ${TestUIinstallLocation}/jre17/jre/Contents/Home/bin
chmod -R +x ${TestUIinstallLocation}/jre17/jre/Contents/Home/lib/jspawnhelper
chmod -R +x ${TestUIinstallLocation}/jre17/jre/Contents/Home/lib/*.dylib
rm -f ${TestUIinstallLocation}/jre17/jre/Contents/MacOS/libjli.dylib
ln -s ${TestUIinstallLocation}/jre17/jre/Contents/Home/lib/jli/libjli.dylib ${TestUIinstallLocation}/jre17/jre/Contents/MacOS/libjli.dylib
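The following script is an added example and is not part of the IBM bulletin or the RFT/DevOps Test UI product. It automates the manual remediation above for the tar.gz downloads (Linux and Mac OS): verify the downloaded Semeru archive against a digest the operator supplies, back up the bundled runtime, unpack the new one in its place, and confirm that "java -version" now reports the fixed level. Everything beyond the paths named in the bulletin is an assumption: that the archive unpacks to a single top-level directory, that the operator has obtained the expected SHA-256 hex digest from the release page, and that the first banner line has the usual `openjdk version "1.8.0_402"` or `openjdk version "17.0.9"` shape. The remaining Mac OS chmod and libjli.dylib symlink steps from the bulletin still have to be run afterwards for the matching layout.

```shell
#!/bin/sh
# Added example; not IBM's code. Replaces a bundled RFT / DevOps Test UI runtime
# with a downloaded IBM Semeru tar.gz after checking its digest, keeping a backup.
# Assumptions (not from the bulletin): one top-level directory in the archive,
# operator-supplied SHA-256, and a standard "openjdk version" banner line.
set -eu

# SHA-256 hex digest of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1     # macOS
    fi
}

# Print the version quoted in a "java -version" banner, e.g. 1.8.0_402 or 17.0.9.
java_version_of() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when version $1 is at least version $2, comparing numeric fields
# separated by "." or "_" (so 1.8.0_402 >= 1.8.0_392 and 17.0.9 >= 17.0.8).
version_ge() {
    a=$(printf '%s' "$1" | tr '_' '.'); b=$(printf '%s' "$2" | tr '_' '.')
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Path of the launcher inside an unpacked runtime; Mac OS bundles nest it under
# Contents/Home, which is why the bulletin's chmod steps use that prefix.
java_launcher() {
    if [ -x "$1/Contents/Home/bin/java" ]; then printf '%s\n' "$1/Contents/Home/bin/java"
    else printf '%s\n' "$1/bin/java"; fi
}

# replace_runtime TARGET_DIR ARCHIVE EXPECTED_SHA256 MIN_VERSION
# TARGET_DIR is the bundled runtime, e.g. ${RFTinstallLocation}/jdk or
# ${DTUIinstallLocation}/jre17/jre. Nothing is touched unless the digest
# matches; the old directory is kept as TARGET_DIR.bak-<timestamp>.
replace_runtime() {
    target=$1; archive=$2; expected=$3; min_version=$4
    if [ "$(sha256_of "$archive")" != "$expected" ]; then
        echo "refusing to install $archive: SHA-256 mismatch" >&2; return 1
    fi
    tmp=$(mktemp -d)
    tar -xzf "$archive" -C "$tmp"
    set -- "$tmp"/*                          # expect exactly one unpacked directory
    if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
        echo "unexpected archive layout in $archive" >&2; rm -rf "$tmp"; return 1
    fi
    if [ -d "$target" ]; then
        mv "$target" "$target.bak-$(date +%Y%m%d%H%M%S)"   # the backup the bulletin asks for
    fi
    mv "$1" "$target"
    rmdir "$tmp"
    if [ -d "$target/Contents/Home" ]; then  # Mac OS: restore execute bits on the launchers
        chmod -R +x "$target/Contents/Home/bin"
    fi
    banner=$("$(java_launcher "$target")" -version 2>&1)
    found=$(java_version_of "$banner")
    if [ -z "$found" ] || ! version_ge "$found" "$min_version"; then
        echo "installed runtime reports '$found', wanted >= $min_version" >&2; return 1
    fi
    echo "replaced $target with $found (backup kept alongside)"
}
```

Usage for an RFT install on Linux would be `replace_runtime "$RFTinstallLocation/jdk" ibm-semeru-open-jdk_x64_linux_8u402b06_openj9-0.43.0.tar.gz <sha256 from the release page> 1.8.0_402`, and for the Test UI 11.0 JRE `replace_runtime "$DTUIinstallLocation/jre17/jre" <jre 17 archive> <sha256> 17.0.9`. The digest check is the part worth keeping even if the rest is done by hand: the fix is a manual drop-in of an archive fetched from GitHub, so the archive's integrity is the operator's responsibility, not the installer's.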

Workarounds and Mitigations

None
