IBMB93CBD995960C74072CEEF36E0F5A0227F680BEF8318CC7D97C9863BCE03826FSecurity Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum LSF Analytics
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Summary
There are multiple vulnerabilities in IBM® Runtime Environment Java™Version 7 used by IBM Spectrum LSF Analytics. IBM Spectrum LSF Analytics has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2019-2699 DESCRIPTION: Oracle’s JREs/JDKs on Windows ship with an old version of a Microsoft DLL which contains a vulnerability.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159791> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2698 DESCRIPTION: An attacker can use a maliciously crafted font to exploit a flaw in the JDK’s font parsing code to overwrite memory addresses and cause a crash. Untrusted code running under a security manager may be able to elevate its privileges and execute arbitrary code.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159790> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-2697 DESCRIPTION: An attacker can use a maliciously crafted font to exploit a flaw in the JDK’s font parsing code to overwrite memory addresses and cause a crash. Untrusted code running under a security manager may be able to elevate its privileges and execute arbitrary code.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159789> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2602 DESCRIPTION: A flaw in the java.math.BigDecimal API causes hangs when parsing certain String values. This potentially allows an attacker to inflict a denial-of-service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159698> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-2684 DESCRIPTION: The Java runtime’s java.rmi.Registry implementation does not check access privileges correctly for some remote calls. This allows an attacker to effectively replace a number of predefined static skeleton classes with dynamic malicious skeletons.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159776> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-10245 DESCRIPTION: A flaw in the OpenJ9 class verifier potentially allows untrusted code to elevate its privileges and execute arbitrary code.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160010> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Spectrum LSF Analytics 9.1.4
Remediation/Fixes
<Product
|
VRMF
|
APAR
|
Remediation/First Fix
—|—|—|—
Spectrum LSF Analytics
|
9.1.4
|
None
|
- Download IBM JRE 7 from the following location: <http://www.ibm.com/support/fixcentral> by keyword ‘Runtimes for Java Technology’. (The followings steps are using x86_64 as an example.)
- Copy JRE package into the Analytics Server host and Analytics Node host(s).
- On the Analytics Server host, stop pats, pars, and parb services
- On the Analytics Server host, extract new JRE files and replace old JRE files in following directories
#{ANALYTICS_SERVER_TOP}\jre
#{ANALYTICS_SERVER_TOP}\report\jre
Where ANALYTICS_SERVER_TOP describes the top-level IBM Spectrum LSF Analytics server installation directory.
- On the Analytics Server host, start pats, pars, and parb services on demand.
- On the Analytics Node host, stop plc services
- On the Analytics Node host, extract new JRE files and replace old JRE files in following directory
#{ANALYTICS_NODE_TOP}/jre/#{ARCH}/
Where ANALYTICS_NODE_TOP describes the top-level IBM Spectrum LSF Analytics node installation directory. ARCH describes the architecture of Analytics Node host. E.g. linux-x86_64
- On the Analytics Node host, start plc service.
Workarounds and Mitigations
N/A
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm spectrum lsf analytics | eq | any |
Related
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P