IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Productivity Center (CVE-2016-0363)

Created by Dan Bajema on

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6.0.16.21 and earlier that is shipped with Tivoli Storage Productivity Center for download and use with its Java WebStart GUI. These issues were disclosed as part of the IBM Java SDK updates in April 2016.

Vulnerability Details

CVEID: CVE-2016-0363
DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.21 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:

  • Tivoli Storage Productivity Center 5.2.0 through 5.2.7.1
  • Tivoli Storage Productivity Center 5.1.0 through 5.1.1.10
  • Tivoli Storage Productivity Center 4.2.0 through 4.2.2.195
The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the versions listed above installed.

Note:
The Tivoli Storage Productivity Center server component is not directly affected. However, the affected versions listed above provide an interface to download the affected IBM® Runtime Environment Java™ Technology Edition. If you did not download and install this IBM® Runtime Environment Java™ Technology Edition on any systems, such as is required for the Tivoli Storage Productivity Center GUI that launches using Java WebStart, you are not affected and do not need to apply a fix.

Starting with IBM Spectrum Control 5.2.8, the IBM Runtime Environment Java Technology Edition is not included and IBM Spectrum Control is not affected.

Remediation/Fixes

Fix:
Apply an interim fix, fix pack or refresh pack containing APAR IT15482, as noted below.

If you have downloaded and installed an affected IBM Runtime Environment Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 21 or earlier from any version of Tivoli Storage Productivity Center, the interim fix provides a replacement package to install. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.

Note:
It is always recommended to have a current backup before applying any update procedure.




For 5.2.0 through 5.2.7.1:
  • Apply refresh pack 8 (5.2.8) or later. See Latest Downloads.
  • Uninstall IBM Runtime Environment Java Technology Edition Version 6 Service Refresh 16 Fix Pack 21 and earlier.

    -- OR --
  • Apply interim fix 5.2-TIV-TPC-JRE-6SR16FP26


For 5.1.0 through 5.1.1.10:
  • Apply fix pack 11 (5.1.1.11) or later. Target August 2016. See Latest Downloads.
  • Download and apply IBM Runtime Environment Java Technology Edition Version 6 Service Refresh 16 Fix Pack 26 or later linked from Tivoli Storage Productivity Center 5.1.1.11 or later.

    -- OR --
  • Apply interim fix 5.1-TIV-TPC-JRE-6SR16FP26

For Tivoli Storage Productivity Center 3.x, and 4.x, IBM recommends upgrading to a fixed, supported version of the product.

Upgrading to IBM Spectrum Control 5.2.8 or higher and uninstalling the IBM Runtime Environment Java Technology Edition is an acceptable solution.
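The remediation above depends on knowing whether a given workstation still carries the affected IBM Java 6 build (Service Refresh 16 Fix Pack 21 or earlier) or already has the Fix Pack 26 level that carries APAR IT15482. The following script is an added example, not IBM's own tooling or part of this bulletin: it parses the Service Refresh / Fix Pack fields from `java -version` output and classifies the runtime against the version thresholds stated in this bulletin. The sample version strings are constructed to mimic the IBM J9 format and are not captured from a real system; the `(SR16 FP26)` build-string convention and the binary path used in the usage block are assumptions about the IBM JRE layout.

```python
import re
import subprocess

# Thresholds taken from this bulletin: 6.0.16.21 (SR16 FP21) and earlier is
# affected; Service Refresh 16 Fix Pack 26 or later carries APAR IT15482.
AFFECTED_MAX = (6, 16, 21)  # (Java major, service refresh, fix pack)
FIXED_MIN = (6, 16, 26)

# Constructed sample outputs modelled on the IBM J9 `java -version` format
# (assumption: the build string embeds the SR/FP level as shown).
SAMPLE_AFFECTED = (
    'java version "1.6.0"\n'
    'Java(TM) SE Runtime Environment (build pxa6460sr16fp21-20151016_01(SR16 FP21))\n'
    'IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 '
    'jvmxa6460sr16fp21-20151016_01 (JIT enabled, AOT enabled)\n'
)
SAMPLE_FIXED = (
    'java version "1.6.0"\n'
    'Java(TM) SE Runtime Environment (build pxa6460sr16fp26-20160602_01(SR16 FP26))\n'
)

_JAVA_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+')
_SR_FP_RE = re.compile(r'sr(\d+)\s*fp(\d+)', re.IGNORECASE)


def parse_ibm_jre_version(output):
    """Return (major, service_refresh, fix_pack) from `java -version` text.

    Returns None when the text does not look like an IBM JRE with an SR/FP
    level, so callers treat it as unknown rather than silently safe.
    """
    ver = _JAVA_VERSION_RE.search(output)
    level = _SR_FP_RE.search(output)
    if not ver or not level:
        return None
    return (int(ver.group(1)), int(level.group(1)), int(level.group(2)))


def classify(version):
    """Map a parsed version to the bulletin's affected / fixed ranges."""
    if version is None:
        return "unknown"
    if version[0] != 6:
        # This bulletin only covers the IBM Java 6 runtime shipped with TPC.
        return "not-java6"
    if version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"
    # SR16 FP22..FP25: past the affected range named here but not yet at the
    # fix level that carries APAR IT15482, so still flag it for update.
    return "below-fix-level"


def check_java_binary(java_path):
    """Run `java -version` on a local binary and classify the result.

    `java -version` writes its banner to stderr, so both streams are merged.
    """
    try:
        proc = subprocess.run(
            [java_path, "-version"],
            capture_output=True, text=True, timeout=30, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify(parse_ibm_jre_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, text in (("sample-affected", SAMPLE_AFFECTED),
                       ("sample-fixed", SAMPLE_FIXED)):
        print(name, "->", classify(parse_ibm_jre_version(text)))
    # Assumed path of a downloaded IBM JRE on a Linux workstation; adjust
    # to the actual install location before running against a real host.
    print("/opt/ibm/java-x86_64-60/jre/bin/java ->",
          check_java_binary("/opt/ibm/java-x86_64-60/jre/bin/java"))
```

Because the bulletin names the affected range as "6.0.16.21 and earlier" but the fix as "Fix Pack 26 or later", the classifier reports the intermediate levels separately rather than folding them into either bucket; a fleet inventory would treat anything other than `fixed` (or `not-java6`) as a workstation still to be handled under the steps above.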

Workarounds and Mitigations

None

References


Acknowledgement

CVE-2016-0363 was reported by Adam Gowdiak of Security Explorations.

Change History

27 Jun 2016: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
19 August 2022

UID

swg21986168