Security Bulletin
Summary
Information about a security vulnerability that affects IBM Java SDK, IBM WebSphere Application Server, and bundling products of IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition has been published in a security bulletin.
These issues were also addressed by IBM WebSphere Application Server, IBM Business Process Manager and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
These issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.
Vulnerability Details
IBM WebSphere Application Server, IBM Tivoli System Automation Application Manager, and IBM Business Process Manager are shipped as components of IBM Cloud Orchestrator and Cloud Orchestrator Enterprise Edition. IBM Tivoli Monitoring and SmartCloud Cost Management are also shipped with IBM Cloud Orchestrator Enterprise Edition.
CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2016-3427
DESCRIPTION: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
| Principal Product and Version(s) | Supporting Product and Version |
| IBM Cloud Orchestrator version 2.5, 2.5.0.1, V2.5.0.2 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7; IBM Business Process Manager Standard V8.5.6; IBM Tivoli System Automation Application Manager 4.1 |
| IBM Cloud Orchestrator version 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7; IBM Business Process Manager Standard V8.5.5 through 8.5.6; IBM Tivoli System Automation Application Manager 4.1 |
| IBM Cloud Orchestrator version 2.3, 2.3.0.1 | IBM WebSphere Application Server V8.0.1 through V8.0.0.11; IBM Business Process Manager V8.5, 8.5.6 |
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | IBM Business Process Manager Standard 8.5.6; IBM Tivoli System Automation Application Manager 4.1; IBM SmartCloud Cost Management 2.1.0.5; IBM Tivoli Monitoring 6.3.0.2 |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | IBM Business Process Manager Standard 8.5.6; IBM Tivoli System Automation Application Manager 4.1; IBM SmartCloud Cost Management 2.1.0.4; IBM Tivoli Monitoring 6.3.0.2 |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9 | IBM Business Process Manager Standard 8.5; IBM SmartCloud Cost Management V2.1.0.3; IBM Tivoli Monitoring V6.3.0.1 |
Remediation/Fixes
These issues were addressed by IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise through the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
These issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.
Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator:
| Product and Version(s) | Remediation/First Fix |
| IBM Cloud Orchestrator V2.5, 2.5.0.1, V2.5.0.2 | Upgrade to IBM Cloud Orchestrator Fix Pack 2 (2.5.0.2) for 2.5: http://www-01.ibm.com/support/docview.wss?uid=swg27045667 After upgrading to IBM Cloud Orchestrator 2.5.0.2, install the corresponding APAR from WebSphere Application Server. Follow the instructions at this link: http://www.ibm.com/support/docview.wss?uid=swg21982223 |
| IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4. If you are running IBM Cloud Orchestrator Enterprise Edition V2.4 through 2.4.0.3, install the corresponding APAR from WebSphere Application Server. Follow the instructions at this link: http://www.ibm.com/support/docview.wss?uid=swg21982223 |
| IBM SmartCloud Orchestrator version V2.3, V2.3.0.1 | Contact IBM Support |
Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, and Business Process Manager that are shipped with IBM Cloud Orchestrator.
Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator Enterprise Edition:
| Principal Product and Version | Remediation/First Fix |
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | Apply IBM Cloud Orchestrator Enterprise Fix Pack 2 (2.5.0.2) for 2.5: http://www-01.ibm.com/support/docview.wss?uid=swg27045667 |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4. |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9 | Contact IBM Support |
Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, Business Process Manager, SmartCloud Cost Management, and Tivoli Monitoring, which are shipped with IBM Cloud Orchestrator Enterprise Edition:
References
Change History
29 July 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg2C1000178