IBM Support

IBM SDK, Java Technology Edition Quarterly CPU - October 2018 - Includes Oracle October 2018 CPU

Created by Clarissa Vukovic on
Published URL:
https://www.ibm.com/support/pages/node/738855
738855

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6, 7, and 8** that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, and IBM Control Desk. These issues were disclosed as part of the IBM Java SDK updates in October 2018.

Vulnerability Details

CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151455 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-3136
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151452 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)

CVEID: CVE-2018-13785
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146015 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-3214
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Sound component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151530 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3149
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151465 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3169
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3183
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Scripting component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151500 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

The following IBM Java versions are affected:

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 70 and earlier releases
IBM SDK, Java Technology Edition, Version 6 R1 Service Refresh 8 Fix Pack 70 and earlier releases
IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 30 and earlier releases
IBM SDK, Java Technology Edition, Version 7 R1 Service Refresh 4 Fix Pack 30 and earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 22 and earlier releases


It is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.

Remediation/Fixes

There are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation:

1. Application Server – Update the Websphere Application Server. Refer to Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for additional information on updating and maintaining the JDK component within Websphere. Customers with Oracle Weblogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server.

2. Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on developerWorks JavaTM Technology Security Alerts or referenced on Oracle’s latest Critical Patch Update (which can be accessed via developerWorks JavaTM Technology Security Alerts). Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest Maximo Asset Management Fix Pack.

Due to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so IBM strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Get Notified about Future Security Bulletins

References

Off

Change History

13 November 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSWT9A","label":"IBM Control Desk"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0;7.6.0.1;7.6.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0;7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1;7.6.2;7.6.2.1;7.6.2.2;7.6.2.3;7.6.2.4","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6;7.6.0.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"7.6;7.6.1;7.6.2;7.6.2.1;7.6.3;7.6.4;7.6.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
13 November 2018

UID

ibm10738855