Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Apr 2020 CPU (CVE-2020-2805, CVE-2020-2803, CVE-2020-2757, CVE-2020-2756)

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation Application Manager. These issues were disclosed as part of the IBM Java SDK updates in Apr 2020.

Vulnerability Details

CVEID:CVE-2020-2805
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-2803
**DESCRIPTION:**An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-2757
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-2756
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to apply the corresponding fix to IBM Tivoli System Automation Application Manager. To select the fix you need to apply in your environment, click on ‘Download link’ in the table below.

• If you are running IBM Tivoli System Automation Application Manager 4.1.0.0 to 4.1.0.1, please apply interim fix “4.1.0.1-TIV-SAAMR-<OS>-IF0016” where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.0 to 4.1.0.1.
• If you are running IBM Tivoli System Automation Application Manager 4.1.0.2, please apply interim fix “4.1.0.2-TIV-SAAMR-<OS>-IF0006” where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.2.
• If you are running IBM Tivoli System Automation Application Manager 4.1.0.3, please apply interim fix “4.1.0.3-TIV-SAAMR-<OS>-IF0002” where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.3.

Workarounds and Mitigations

None