IBMA1C156D95A62F05FFE33E84E5605F1FBC967FBDFE6461273A0CA48F15D09408DSecurity Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Summary
There is a vulnerability in IBM Java Runtime Environment, Versions 6 and 7 that are used by Rational Publishing Engine.
Vulnerability Details
CVEID:CVE-2016-5582 DESCRIPTION: A flaw in the Hotspot JIT compiler allows an attacker to disable the security manager and execute arbitrary code.
CVSS Base Score: 9.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118069> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2016-5568 DESCRIPTION: A flaw in the AWT component allows an attacker to disable the security manager and execute arbitrary code.
CVSS Base Score: 9.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118068> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2016-5556 DESCRIPTION: A flaw in the font parser allows an attacker to corrupt the Java heap using a maliciously crafted font file. In a server environment this could be exploited by a remote attacker to cause a DoS by crashing the JVM. In a client deployment, or when running untrusted code under a security manager, the vulnerability potentially allows an attacker to disable the security manager and execute arbitrary code.
CVSS Base Score: 9.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118067> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2016-5573 DESCRIPTION: A flaw in the JDWP implementation potentially allows an attacker to connect to a local JDWP port via javascript code or Flash documents in a malicious web page. This potentially allows remote execution of arbitrary code.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118070> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2016-5597 DESCRIPTION: A flaw exists in the HttpURLConnection and HttpsURLConnection implementations when connecting via a proxy, which allows a man-in-the-middle attacker to access proxy username and password information.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118071> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2016-5554 DESCRIPTION: A flaw in the JMX component allows an attacker to bypass permission checks and access classes which should be restricted.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118072> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID:CVE-2016-5542 DESCRIPTION: If a JAR file is signed with old, weak hash algorithms, the class files within it can be modified without the change being caught. This potentially enables attackers to inject malicious code into signed code from a trusted third party.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118073> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
Rational Publishing Engine 1.3
Rational Publishing Engine 2.0
Rational Publishing Engine 2.0.1
Rational Publishing Engine 2.1.0
Rational Publishing Engine 2.1.1
Remediation/Fixes
Upgrade the IBM Java Runtime environment used with Rational Publishing Engine to version 7.1.3.60, which can be downloaded from [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR3FP60&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR3FP60&source=SAR>)
Workarounds and Mitigations
None.
Related
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C