Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6.0.16.35 and Version 7.0.10.1 used by SmartCloud Entry. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.

Vulnerability Details

CVEID: CVE-2017-3514**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124893 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3512**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3511**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3526**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-3509**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-3544**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124920 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3533**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124910 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3539**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-1289**
DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2016-9840**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9841**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9842**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9843**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120511 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: Not Applicable**
DESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product.
CVSS Base Score: 0
CVSS Temporal Score: See Not Applicable for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (0)

Affected Products and Versions

IBM SmartCloud Entry 2.3.0 through 2.3.0.4 Appliance JRE Update 7,
IBM SmartCloud Entry 2.4.0 through 2.4.0.5 Appliance JRE Update7,
IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 25,
IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 25

Remediation/Fixes

Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—
IBM SmartCloud Entry| 2.3| None| IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for Windows:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008-Windows&source=dbluesearch&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 2.3| None| IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for Linux:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008_Linux&source=SAR&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 2.3| None| IBM SmartCloud Entry 2.3.0.4 JRE Update 8 for AIX:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE-JRE-IF008-AIX&source=dbluesearch&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 2.4| None| IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for Windows:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-JRE-IF008-Windows&source=dbluesearch&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 2.4| None| IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for Linux:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-IF008-Linux&source=dbluesearch&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 2.4| None| IBM SmartCloud Entry 2.4.0.5 JRE Update 8 for AIX:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.5-IBM-SCE-JRE-Update-IF008-AIX&source=dbluesearch&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 3.1| None| IBM SmartCloud Entry 3.1.0 Appliance fix pack 25:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP25&source=SAR&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry| 3.2| None| IBM SmartCloud Entry 3.2.0 Appliance fix pack 25:

https://www-945.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=sce_3.2.0.4_appl-fp25&source=dbluesearch&function=fixId&parent=ibm/Other%20software

Workarounds and Mitigations

None