Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise

Summary

A vulnerability in IBM® SDK Java™ Technology Edition, Version 8.0.5.40 used by IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. The CVE-2020-2590 and CVE-2020-2601 were disclosed as part of the Oracle January 2020 Critical Patch Update.

Vulnerability Details

CVEID:CVE-2020-2590
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174538 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-2601
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to manually apply the fix on IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5.0.10.

Consult the following security bulletins for the vulnerability details and information about their fixes:

Security Bulletin: CVE-2020-2590 may affect IBM® SDK, Java™ Technology Edition

Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java™ Technology Edition

Workarounds and Mitigations

None