Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 7 and 8 that are used by IBM Rational Application Developer for WebSphere Software. These issues were disclosed as part of the IBM Java SDK updates in October 2018.

Vulnerability Details

CVEID: CVE-2018-3180 DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for the current score
CVSS Environmental Score*: Undefined

CVEID: CVE-2018-3139 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151455&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Application Developer 9.0- 9.0.1.2

Rational Application Developer 9.1 - 9.1.1.2

Rational Application Developer 9.5 - 9.5.0.3

Rational Application Developer 9.6 - 9.6.1.1

Remediation/Fixes

Update the IBM SDK, Java Technology Edition of the product to address this vulnerability:

Product

| VRMF |APAR|Remediation/First Fix
—|—|—|—
Rational Application Developer | 9.5 through 9.6 |

PH07533

|

• For all versions, IBM SDK Technology Edition Critical Patch Update
  Rational Application Developer | 9.0 through 9.1 |

PH07533

|

• For all versions, IBM SDK Technology Edition Critical Patch Update

Workarounds and Mitigations

No known workarounds.