Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2601)

Summary

CVE-2020-2601 was disclosed in the Oracle January 2020 Critical Patch Update.

Vulnerability Details

CVEID:CVE-2020-2601
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

To upgrade to Liberty for Java v3.48-20200821-1648 or higher, you must re-stage or re-push your application

To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c “cat staging_info.yml”

Look for the following lines:

{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-20.0.0_6, buildpack-v3.47-20200723-1022, ibmjdk-1.8.0_sr6fp11-20200602, env)”,“start_command”:“.liberty/initial_startup.rb”}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>

Workarounds and Mitigations

None