Aug 19, 2022 - 9:04 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Productivity Center (CVE-2016-0363)

www.ibm.com

EPSS: 0.032 (Low), Percentile: 91.2%

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6.0.16.21 and earlier that is shipped with Tivoli Storage Productivity Center for download and use with its Java WebStart GUI. These issues were disclosed as part of the IBM Java SDK updates in April 2016.

Vulnerability Details

CVEID: CVE-2016-0363
DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.21 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:

  • Tivoli Storage Productivity Center 5.2.0 through 5.2.7.1
  • Tivoli Storage Productivity Center 5.1.0 through 5.1.1.10
  • Tivoli Storage Productivity Center 4.2.0 through 4.2.2.195

The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the versions listed above installed.

Note:
The Tivoli Storage Productivity Center server component is not directly affected. However, the affected versions listed above provide an interface to download the affected IBM® Runtime Environment Java™ Technology Edition. If you did not download and install this IBM® Runtime Environment Java™ Technology Edition on any systems, such as is required for the Tivoli Storage Productivity Center GUI that launches using Java WebStart, you are not affected and do not need to apply a fix.

Starting with IBM Spectrum Control 5.2.8, the IBM Runtime Environment Java Technology Edition is not included and IBM Spectrum Control is not affected.

Remediation/Fixes

Fix:
Apply an interim fix, fix pack or refresh pack containing APAR IT15482, as noted below.

If you have downloaded and installed an affected IBM Runtime Environment Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 21 or earlier from any version of Tivoli Storage Productivity Center, the interim fix provides a replacement package to install. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.

Note: It is always recommended to have a current backup before applying any update procedure.

For 5.2.0 through 5.2.7.1:

  • Apply refresh pack 8 (5.2.8) or later. See Latest Downloads.
  • Uninstall IBM Runtime Environment Java Technology Edition Version 6 Service Refresh 16 Fix Pack 21 and earlier.

-- OR --

For 5.1.0 through 5.1.1.10:

  • Apply fix pack 11 (5.1.1.11) or later. Target August 2016. See Latest Downloads.
  • Download and apply IBM Runtime Environment Java Technology Edition Version 6 Service Refresh 16 Fix Pack 26 or later linked from Tivoli Storage Productivity Center 5.1.1.11 or later.

-- OR --

For Tivoli Storage Productivity Center 3.x and 4.x, IBM recommends upgrading to a fixed, supported version of the product.

Upgrading to IBM Spectrum Control 5.2.8 or higher and uninstalling the IBM Runtime Environment Java Technology Edition is an acceptable solution.
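
To find client systems that still carry an affected runtime, the following added example (not part of the IBM bulletin) classifies the text printed by `java -version` against the levels named above: Version 6 SR16 FP21 and earlier is affected, SR16 FP26 or later is the replacement level. It assumes the IBM runtime reports its level as "(SRn FPm)" in the build line; the function name, result labels and sample output are constructed for illustration.

```python
import re

AFFECTED_MAX = (16, 21)  # bulletin: Version 6 SR16 FP21 and earlier is affected
FIXED_MIN = (16, 26)     # bulletin: SR16 FP26 or later is the replacement level

_VERSION = re.compile(r'java version "([^"]+)"')
# Assumption: the service level appears as "(SR16 FP21)" or "(SR16)".
_LEVEL = re.compile(r"\(SR(\d+)(?:\s*FP(\d+))?\)")


def classify(java_version_output: str) -> str:
    """Classify `java -version` text against the bulletin's levels."""
    version = _VERSION.search(java_version_output)
    if version is None or "IBM" not in java_version_output:
        return "not-ibm-java"
    if not version.group(1).startswith("1.6."):
        return "not-version-6"      # the bulletin only covers Version 6
    level = _LEVEL.search(java_version_output)
    if level is None:
        return "unknown-level"      # inspect this system by hand
    sr, fp = int(level.group(1)), int(level.group(2) or 0)
    if (sr, fp) <= AFFECTED_MAX:
        return "affected"
    if (sr, fp) >= FIXED_MIN:
        return "fixed"
    return "unlisted"               # FP22-FP25: not named in the bulletin


def sample(level: str) -> str:
    """Build constructed `java -version` text for a given service level."""
    return (
        'java version "1.6.0"\n'
        f"Java(TM) SE Runtime Environment (build constructed-build-id({level}))\n"
        "IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 constructed-platform)\n"
    )


if __name__ == "__main__":
    for lvl in ("SR16 FP21", "SR16 FP26", "SR16 FP23", "SR15 FP30", "SR16"):
        print(f"{lvl:10} -> {classify(sample(lvl))}")
```

The Java launcher writes its version banner to stderr, so capture it with `java -version 2>&1` before passing the text to `classify`.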

Workarounds and Mitigations

None
