IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Streams (CVE-2016-0466, CVE-2016-0448)

Created by Jason Nikolai on
Published URL:
https://www.ibm.com/support/pages/node/279447
279447

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16 Fix Pack 21 and earlier releases.

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the Reference section for more information.

Vulnerability Details

CVEID: CVE-2016-0466
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-0448
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

  • IBM InfoSphere Streams Version 1.2.1.0
  • IBM InfoSphere Streams Version 2.0.0.4 and earlier
  • IBM InfoSphere Streams Version 3.0.0.5 and earlier
  • IBM InfoSphere Streams Version 3.1.0.7 and earlier
  • IBM InfoSphere Streams Version 3.2.1.4 and earlier
  • IBM InfoSphere Streams Version 4.0.1.1 and earlier
  • IBM Streams Version 4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.


IMPORTANT NOTE: If JAVA_HOME is set ensure it points to the install location of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME set to a different location will need to be recompiled after JAVA_HOME has been changed. For more information on compiling with JAVA_HOME set see the Notes section on the page at the following URL: http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

17 May 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSCRJU","label":"IBM Streams"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"1.2;2.0;3.0;3.1;3.2;3.2.1;4.0;4.0.1;4.1;4.1.1","Edition":"All Editions","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSCRJU","label":"IBM Streams"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21983436