Lucene search

K
ibmIBMFC3E140D5E8F3EE5581715DC2DD605A0B3AE95D6E732CA98E87454F55EDDC846
HistoryMar 23, 2020 - 8:41 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus

2020-03-2320:41:52
www.ibm.com
2

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

Multiple security vulnerabilities exist in the IBM® Runtime Environment Java™ Technology Edition 6 SR16 FP15 (and earlier) used by WebSphere Message Broker and the IBM® Runtime Environment Java™ Technology Edition 7 SR9 FP20 (and earlier) or 7R1 SR3 FP20 (and earlier) used by IBM Integration Bus. These vulnerabilities were disclosed as part of the IBM Java SDK updates for October 2015

Vulnerability Details

CVEID: CVE-2015-4844**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4872**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-4911**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4893**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4840**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-4803**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4734**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the JGSS component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-5006**
DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106309 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Integration Bus V9, V10

WebSphere Message Broker V8

IBM Integration Toolkit V9

WebSphere Message Broker Toolkit V8

Remediation/Fixes

Product

| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus

| V10

| IT12305 | The APAR IT13254 supersedes IT12305. Please consult security bulletin <http://www.ibm.com/support/docview.wss?uid=swg21976779&gt; for fix details.
IBM Integration Bus

| V9

| IT12305 | An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12305
The APAR is targeted to be available in fix pack 9.0.0.6
WebSphere Message Broker (with APAR IT03599 applied*)
| V8| IT12305 | An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars= IT12305

  • For V8.0 users IT12305 is applicable if:
    - you have APAR IT03599 applied
    - you are using a V8.0 fix pack containing IT03599

The APAR is targeted to be available in fix pack 8.0.0.7
WebSphere Message Broker (with APAR IT03599 not applied**)

| V8
| IT12303 | An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303

** For V8.0 users IT12303 is applicable if :
- you do not have APAR IT03599 applied
- or you are using a V8.0 fix pack which does not contain IT03599

To address Java vulnerabilities in Toolkit

Product VRMF APAR Remediation/Fix
IBM Integration Toolkit V9.0 IT12305 An intim fix is available from IBM Fix Central
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12305
WebSphere Message Broker
Toolkit V8.0 IT12303 An interim fix is available from IBM Fix Central
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12303

Note regarding CVE-2015-4911
This was addressed by IBM in June 2008. As a reminder, users of Java 6 and above should refer to the IBM XL XP-J documentation for the javax.xml.stream.supportDTD property for information to help avoid this vulnerability.

_For unsupported versions of the product _IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

None

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for FC3E140D5E8F3EE5581715DC2DD605A0B3AE95D6E732CA98E87454F55EDDC846