IBMB70C9E6980463EEC68E10566B4D27E6DC8D97EBCAD158C0E75138FCC18A9AEDFSecurity Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
Vulnerabilities in IBM® Runtime Environment Java™ such as denial of service and ability to obtain sensitive information could affect the IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Envionments. These vulnerabilities were disclosed as part of the IBM Java SDK updates in April and July 2020. UPDATED 1/29/2021: Added 7.1 fix for IBM Spectrum Protect Client and IBM Spectrum Protect for Virtual Environments.
Vulnerability Details
CVEID:CVE-2020-14579
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14577
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-2781
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Spectrum Protect Client |
8.1.0.0-8.1.10.0 (Macintosh and Windows)
8.1.7.0-8.1.10.0 (Linux - web user interface only)
8.1.9.0-8.1.10.0 (AIX - web user interface only)
7.1.0.0-7.1.8.9 (Macintosh and Windows)
IBM Spectrum Protect for Space Management| 8.1.7.0-8.1.10.0 (Linux)
8.1.9.0-8.1.10.0 (AIX)
IBM Spectrum Protect for Virtual Environments:
Data Protection for VMware| 8.1.0.0-8.1.10.0 (Linux and Windows)
7.1.0.0-7.1.8.9 (Linux and Windows
IBM Spectrum Protect for Virtual Environments:
Data Protection for Hyper-V| 8.1.0.0-8.1.10.0 (Windows)
7.1.0.0-7.1.8.x (Windows)
Remediation/Fixes
IBM Spectrum Protect
Client Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.11| AIX*
Linux*
Macintosh
Windows| <https://www.ibm.com/support/pages/node/6367205>
7.1
| 7.1.8.10
| Macintosh
Windows
| <https://www.ibm.com/support/pages/node/316619>
*Note that the AIX and Linux platforms are only affected if using the web user interface.
IBM Spectrum Protect for
Space Management Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.11| AIX
Linux| <https://www.ibm.com/support/pages/node/6335741>
IBM Spectrum Protect for
Virtual Environments:
Data Protection for VMware Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.11| Linux
Windows|
<https://www.ibm.com/support/pages/node/6152475>
7.1
| 7.1.8.10
| Linux
Windows
|
<https://www.ibm.com/support/pages/node/316625>
IBM Spectrum Protect for
Virtual Environments:
Data Protection for Hyper-V Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.11| Linux| <https://www.ibm.com/support/pages/node/6152475>
7.1
|
| Linux
| Apply the above 7.1.8.10 client fix using the following link:
<https://www.ibm.com/support/pages/node/316619>
Workarounds and Mitigations
None
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P