IBME26DEF9FA9B3EA834D0EFC76879FEF150FD79FF5746E829E7A6BD0AA48628D36Security Bulletin: Java SE issues disclosed in the Oracle October 2016 Critical Patch Update affects(CVE-2016-5582 CVE-2016-5568 CVE-2016-5556 CVE-2016-5573 CVE-2016-5597 CVE-2016-5554 CVE-2016-5542)
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Summary
Java SE issues disclosed in the Oracle October 2016 Critical Patch Update was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC , and Spectrum Cluster Foundation
Vulnerability Details
CVEID: CVE-2016-5582DESCRIPTION: An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact.CVSS Base Score: 9.6CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118069 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-5568DESCRIPTION: An unspecified vulnerability related to the AWT component has high confidentiality impact, high integrity impact, and high availability impact.CVSS Base Score: 9.6CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118068 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-5556DESCRIPTION: An unspecified vulnerability related to the 2D component has high confidentiality impact, high integrity impact, and high availability impact.CVSS Base Score: 9.6CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118067 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-5573DESCRIPTION: An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact.CVSS Base Score: 8.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118070 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-5597DESCRIPTION: An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.CVSS Base Score: 5.9CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118071 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2016-5554DESCRIPTION: An unspecified vulnerability related to the JMX component has no confidentiality impact, low integrity impact, and no availability impact.CVSS Base Score: 4.3CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118072 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-5542DESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, low integrity impact, and no availability impact.CVSS Base Score: 3.1CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118073 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1
Spectrum Cluster Foundation 4.2.2
Remediation/Fixes
See workarounds
Workarounds and Mitigations
Platform Cluster Manager 4.1.x & Platform HPC 4.1.x
1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For POWER platform, download ppc64 version JRE tar package. The followings steps are using x86_64 as an example.)
2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.
3. If high availability is enabled, shutdown standby management node, in order to avoid triggering high availability.
4. On the management node, stop GUI and PERF services
HA disabled:# pmcadmin stop# perfadmin stop allHA enabled:# egosh user logon -u Admin -x Admin# egosh service stop all
5. On management node, extract new JRE files and replace some old folders with new ones.
tar -zxvf ibm-java-jre-6.0-16.35-linux-x86_64.tgz# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/
6. On management node, start GUI and PERF services
HA disabled:# pmcadmin start# perfadmin start allHA enabled:# egosh user logon -u Admin -x Admin# egosh service start all
Platform Cluster Manager 4.2.x & Platform HPC 4.2.x & Spectrum Cluster Foundation 4.2.2
1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For POWER platform, download ppc64 version JRE tar package. The followings steps are using x86_64 as an example.)
2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.
3. If high availability is enabled, shutdown standby management node, in order to avoid triggering high availability.
4. On the management node, stop GUI and PERF services
pcmadmin service stop --group ALL
5. On management node, extract new JRE files and replace some old folders with new ones.
tar -zxvf ibm-java-jre-7.0-9.60-linux-x86_64.tgz# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/
6. On management node, start GUI and PERF services
pcmadmin service start --group ALL
7. If high availability is enabled, start up standby management node, and replace bin, lib, plugin folders under /opt/pcm/web-portal/jre/linux-x86_64, on standby management node.
| CPE | Name | Operator | Version |
|---|---|---|---|
| platform hpc for system x | eq | 4.1 | |
| platform hpc for system x | eq | 4.1.1 | |
| platform hpc for system x | eq | 4.2 |
Related
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C