Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-41041)

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Version 8 used by IBM CPLEX Optimization Studio. IBM CPLEX Optimization Studio has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2021-41041
**DESCRIPTION:**Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by failing to throw the exception captured during bytecode verification when verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to make unverified methods to be invoked using MethodHandles.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225398 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to download and install the appropriate version of IBM JRE as soon as practicable.

Before installing a newer version of IBM JRE, please ensure that you:

• Close any open programs that you may have running;
• Rename the initial directory of the IBM JRE (for example: with a .old at the end),
• Download and install the appropriate IBM JRE version.

IBM ILOG CPLEX Optimization Studio :

IBM JRE Version 8 Service Refresh 7 Fix Pack 20 and subsequent releases

You must verify that applying this fix does not cause any compatibility issues.
Here are the detailed instructions for updating IBM JRE.

For macOS, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None