IBMCD91438C4049C3E50681096441AB24E202AD967CD3D183FD5CC2C7A6D09E32F8Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6 (Service Refresh 16 Fix Pack 5 and earlier) and 7 (Service Refresh 9 Fix Pack 1 and earlier) that is used by IBM Algo One Core, Algo Risk Application, and Counterparty Credit Risk.
Vulnerability Details
CVEID: CVE-2015-4748**
DESCRIPTION:** An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104729>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-2664**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104731>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-2632**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104732>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-2638**
DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10.0
CVSS Temporal Score: See h__ttps://exchange.xforce.ibmcloud.com/vulnerabilities/104727 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-2613**
DESCRIPTION:** An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104734>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-2601**
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104733>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-4760**
DESCRIPTION:** An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10.00
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104721>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-4736**
DESCRIPTION:** An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104728>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-2659**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104736>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4749**
DESCRIPTION:** An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104740>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-2625**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104743>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1931**
DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
CVSS Base Score: 2.1
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102967>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-2637**
DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104738>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-2619**
DESCRIPTION:** An unspecified vulnerability and JavaSX related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104737>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Algo One Versions 4.7.0 through 5.0.0
ARA Versions 2.5.8 through 5.0.0
The following versions of the affected products are not being patched and users currently on one of the versions specified below are advised to upgrade to a patched version:
ARA 2.4.0.1
ARA 2.4.1
ARA 2.4.2
ARA 2.5.0
ARA 2.5.1
ARA 2.5.2
ARA 2.5.3
ARA 2.5.4
ARA 2.5.5
ARA 2.5.5.2
ARA 2.5.6
ARA 2.5.7.1
ARA 2.5.7.2
Remediation/Fixes
A fix has been created for each affected version of the named product, for CCR fixes please apply the corresponding Algo One Core patch. Download and install the appropriate fix as soon as practicable. Fixes and installation instructions are provided at the URLs listed below:
Workarounds and Mitigations
None
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C