Security Bulletin
Summary
Vulnerability CVE-2015-2590 exists in IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.5 and earlier that is shipped with Tivoli Storage Productivity Center for download and use with its Java WebStart GUI.
Vulnerability Details
CVEID: CVE-2015-2590
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.5 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:
- Tivoli Storage Productivity Center 5.2.0 through 5.2.6
- Tivoli Storage Productivity Center 5.1.0 through 5.1.1.8
- Tivoli Storage Productivity Center 4.2.0 through 4.2.2.195
IBM® Runtime Environment Java™ Technology Edition, Version 5.0.16.11 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:
- Tivoli Storage Productivity Center 4.1.x
- TotalStorage Productivity Center 3.3.x
The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.
System Storage Productivity Center is affected if it has one of the versions listed above installed.
Note:
The Tivoli Storage Productivity Center server component is not directly affected. However, the affected versions listed above provide an interface to download the affected IBM® Runtime Environment Java™ Technology Edition. If you did not download and install this IBM® Runtime Environment Java™ Technology Edition on any systems, such as is required for the Tivoli Storage Productivity Center GUI that launches using Java WebStart, you are not affected and do not need to apply a fix.
Remediation/Fixes
The solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product and execute the manual steps listed below. The solution should be implemented as soon as practicable.
If you have downloaded and installed an affected IBM® Runtime Environment Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 2 or earlier from any version of Tivoli Storage Productivity Center, this interim fix provides a replacement package. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.
Note: It is always recommended to have a current backup before applying any update procedure.
| Affected TPC Version | APAR | Fixed TPC Version |
| --- | --- | --- |
| 5.2.x | IT10634 | 5.2.7 -OR- 5.2-TIV-TPC-JRE-6SR16FP7 |
| 5.1.x | IT10634 | 5.1.1.9 (target October 2015) -OR- 5.1-TIV-TPC-JRE-6SR16FP7 |
| 4.2.x | IT10635 | 4.2.2 FP10 -OR- 4.2-TIV-TPC-JRE-6SR16FP7 |
For Tivoli Storage Productivity Center V3.x and V4.1.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Workarounds and Mitigations
None
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Acknowledgement
None
Change History
17 Aug 2015: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 19 August 2022
UID: swg21963288