IBMCDDA128A0A45D4CA4ECD0735D8B10027814497D1D702CE3D1D8E1A772CEC1F54Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2015-2601, CVE-2015-2613 and CVE-2015-1931)
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in July 2015.
Vulnerability Details
CVEID: CVE-2015-2601 **
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-2613 **
DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1931 **
DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102967 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM Security SiteProtector System 3.0 and 3.1.1
Remediation/Fixes
Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:
For SiteProtector 3.0:
SiteProtector Core Component: ServicePack3_0_0_8a.xpu
Event Collector Component: RSEvntCol_WINNT_ST_3_0_0_7.xpu
Agent Manager Component: AgentManager_WINNT_XXX_ST_3_0_0_48.xpu
For SiteProtector 3.1.1:
SiteProtector Core Component: ServicePack3_1_1_3a.xpu
Event Collector Component: RSEvntCol_WINNT_ST_3_1_1_3.xpu
Agent Manager Component: AgentManager_WINNT_XXX_ST_3_1_1_18.xpu
Update Server Component: UpdateServer_3_1_1_3.pkg
Event Archiver Component: EventArchiver_3_1_1_3.pkg
Event Archiver Importer Component: EventArchiverImporter_3_1_1_3.zip
Manual Upgrader Component: MU_3_1_1_4.xpu
These updates are also available to be manualy downloaded from the IBM Security License Key and Download Center at https://ibmss.flexnetoperations.com/service/ibms/login
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm security siteprotector system | eq | 3.0 | |
| ibm security siteprotector system | eq | 3.1.1 |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N