Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin

Summary

There are multiple vulnerabilities related to IBM® Runtime Environment Java™ Technology Edition which is used and shipped by different versions of IBM Rational License Key Server Administration and Reporting Tool Admin (ART).

Vulnerability Details

CVEID: CVE-2018-2796 DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141952&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2795 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141951&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2794 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141950 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2783 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

These vulnerabilities impact the following components and their releases:

• RLKS Administration and Reporting Tool version 8.1.4.9

• RLKS Administration and Reporting Tool version 8.1.5

• RLKS Administration and Reporting Tool version 8.1.5.1

• RLKS Administration and Reporting Tool version 8.1.5.2

• RLKS Administration and Reporting Tool version 8.1.5.3

• RLKS Administration and Reporting Tool version 8.1.5.4

Remediation/Fixes

For IBM RLKS Administration and Reporting Tool v. 8.1.5.x
Replace the JRE used in IBM RLKS Administration and Reporting Tool.

Steps to replace the JRE

1. Go to https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Rational/Rational+Common+Licensing&release=All&platform=All&function=fixId&fixids=RLKS_Administration_And_Reporting_Tool_8154_iFix_1&includeRequisites=1&includeSupersedes=0&downloadMethod=http.

2. Download the Java 8 runtime package that is applicable for your target platform.

3. Additionally, download the files US_export_policy.jar andlocal_policy.jar.

4. Shutdown RLKS Administration and Reporting Tool.

5. Go to the installation location of RLKS Administration and Reporting Tool.

6. Rename <install location>/jre folder to <install location>/jre_back. This step backs up the existing JRE.

7. Extract the downloaded JRE into <install location> folder.

8. Copy the downloaded US_export_policy.jar andlocal_policy.jar files to <install location>/jre/lib/security.

9. Startup RLKS Administration and Reporting Tool.

10. Login to the tool using “rcladmin” user and verify that you see the configured license servers under ‘Server’ tab.

For IBM RLKS Administration and Reporting Tool v. 8.1.4.9 or earlier

Upgrade to the latest version of 8.1.5.x. Then, update the JRE using the instructions mentioned above.

Workarounds and Mitigations

None