Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-0480, CVE-2015-0486, CVE-2015-0488, CVE-2015-0478, CVE-2015-0477, CVE-2015-1916)

Summary

Java is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0480**
DESCRIPTION:** A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attacker to overwrite files on the system with privileges of another user.
CVSS Base Score: 5.8
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102334&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVEID: CVE-2015-0486**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102335&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0488**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102336&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0478**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102339&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0477**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/102337&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-1916**
DESCRIPTION:** Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/101995&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Power HMC V7.7.3.0

Power HMC V7.7.8.0

Power HMC V7.7.9.0

Power HMC V8.1.0.0

Power HMC V8.2.0.0

Power HMC V8.3.0.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/

Product|
VRMF|
APAR|
Remediation/First Fix
—|—|—|—

Power HMC|
V7.7.3.0 SP7|
MB03923| Apply eFix MH01535

Power HMC|
V7.7.8.0 SP2|
MB03924|
Apply eFix MH01536

Power HMC|
V7.7.9.0 SP2|
MB03925|
Apply eFix MH01537

Power HMC|
V8.8.1.0 SP2|
MB03920|
Apply eFix MH01532

Power HMC|
V8.8.2.0 SP1|
MB03926|
Apply eFix MH01538

Power HMC|
V8.8.3.0|
MB03927|
Apply eFix MH01539

Note:

1. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product.

2. After applying the PTF, you should restart the HMC.

3. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called “PERCS” and “IH”. End Of Service date for managing all other server models was 2013.05.31.

Workarounds and Mitigations

None