Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System (January 2019 updates)

Summary

Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 and 7, used by the IBM PureApplication System were disclosed as part of the IBM Java SDK updates in January 2019. IBM PureApplication System has addressed the vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1890_ _ DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081_ for the current score_
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1
IBM PureApplication System V2.2.5.2
IBM PureApplication System V2.2.5.3

Remediation/Fixes

Upgrade the IBM PureApplication System to the following fix release:

• IBM PureApplication System V2.2.6.0

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159&gt;

Workarounds and Mitigations

None