Security Bulletin
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 8** that are used by Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software. These issues were disclosed as part of the IBM Java SDK updates in Jan 2020.
Vulnerability Details
CVEID: CVE-2019-4732
DESCRIPTION: IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172618 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| RSAD and RSAD4WS | 9.5 to 9.5.0.3 |
| RSAD and RSAD4WS | 9.6 to 9.6.1.4 |
| RSAD and RSAD4WS | 9.7 to 9.7.0.2 |
Remediation/Fixes
Update the IBM SDK, Java Technology Edition of the product to address this vulnerability:
| Product | VRMF | Remediation/First Fix |
| Rational Software Architect Designer (RSAD) |
9.7 to 9.7.0.2
9.6 to 9.6.1.4 9.5 to 9.5.0.3
| IBM Java SDK/JRE 8 SR6 FP7 IFixes |
| Rational Software Architect Designer for WebSphere Software (RSAD4WS) |
9.7 to 9.7.0.2
9.6 to 9.6.1.4 9.5 to 9.5.0.3
| IBM Java SDK/JRE 8 SR6 FP7 IFixes |
Installation Instructions:
For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.
Instructions to download and install the update from the compressed files:
- Download the update files from Fix Central by following the link listed in the download table above
- Extract the compressed files in an appropriate directory.
For example, choose to extract to C:\temp\update
- Start IBM Installation Manager.
- On the Start page of Installation Manager, click File > Preferences, and then click Repositories. The Repositories page opens.
- On the Repositories page, click Add Repository.
- In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK.
For example, enter C:\temp\update\repository.config.
- Click OK to close the Preference page.
- Install the update as described in the the topic Updating Installed Product Packages in the IBM Knowledge Center for your product and version.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
26 May 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
30 May 2020
UID
ibm16218246