Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2016-0402 and CVE-2015-5041)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 7 and 7R1 that are used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2016-0402 DESCRIPTION: An unspecified vulnerability related to the Networking component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109947 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-5041 DESCRIPTION: A flaw in the IBM J9 JVM allows code to invoke non-public interface methods under certain circumstances. Untrusted code could potentially exploit this. This could lead to sensitive data being exposed to an attacker, or the attacker being able to inject bad data.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106719 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM MessageSight V1.1 and V1.2

Remediation/Fixes

Product

|
VRMF|
APAR|
Remediation/First Fix
—|—|—|—
IBM MessageSight| 1.1| IT14421| 1.1.0.1-IBM-IMA-IFIT14421

IBM MessageSight|
1.2|
IT14420|
1.2.0.3-IBM-IMA-IFIT14420

Workarounds and Mitigations

None