Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime affect IBM® Intelligent Operations Center products

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 7 and 8, and IBM® Runtime Environment Java™, Versions 7 and 8 that are used by IBM® Intelligent Operations Center, IBM® Intelligent Operations Center for Emergency Management, and IBM® Water Operations for Waternamics. IBM® Intelligent Operations Center has addressed the applicable CVEs.

Vulnerability Details

If you run your own Java™ code using the IBM® Java™ JRE that is delivered with this product, you should evaluate your code to determine whether additional Java™ vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin” located in the References section for more information.

CVE IDs: CVE-2019-2698 CVE-2019-2697 CVE-2019-2602 CVE-2019-2684 CVE-2019-10245

CVEID: CVE-2019-2698 DESCRIPTION: An unspecified vulnerability related to the Java SE 2D component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159790&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-2697 DESCRIPTION: An unspecified vulnerability related to the Java SE 2D component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159789&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-2602 DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159698&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2684 DESCRIPTION: An unspecified vulnerability related to the Java SE RMI component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159776&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-10245 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a denial of service, caused by the execution of a method past the end of bytecode array by the Java bytecode verifier. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160010&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Principal Product and Versions

| Affected Supporting Products and Versions
—|—
IBM® Intelligent Operations Center V1.6.0 - V5.2.0 |

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 40 and earlier releases

IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 40 and earlier releases

IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 31 and earlier releases

IBM® Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6
IBM® Water Operations for Waternamics V5.1 - V5.2.1.1

Remediation/Fixes

The fix for this issue is available in IBM® Intelligent Operations Center version 5.2.1 on Passport Advantage.

For information about the latest available updates, see IBM Intelligent Operations Center V5.2 installation updates.

Workarounds and Mitigations

None.