IBM Support

Security Bulletin: Java SE issues disclosed in the Oracle October 2016 Critical Patch Update affects (CVE-2016-5582 CVE-2016-5568 CVE-2016-5556 CVE-2016-5573 CVE-2016-5597 CVE-2016-5554 CVE-2016-5542)

Created by Chang Liu on
Published URL: https://www.ibm.com/support/pages/node/630069

Security Bulletin


Summary

Java SE issues disclosed in the Oracle October 2016 Critical Patch Update were addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.

Vulnerability Details

CVEID: CVE-2016-5582
DESCRIPTION: An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118069 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5568
DESCRIPTION: An unspecified vulnerability related to the AWT component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118068 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5556
DESCRIPTION: An unspecified vulnerability related to the 2D component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118067 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5573
DESCRIPTION: An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118070 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5597
DESCRIPTION: An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118071 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5554
DESCRIPTION: An unspecified vulnerability related to the JMX component has no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118072 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-5542
DESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118073 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1

Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1

Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Spectrum Cluster Foundation 4.2.2

Remediation/Fixes

See workarounds

Workarounds and Mitigations

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.

3. If high availability is enabled, shut down the standby management node to avoid triggering high availability.

4. On the management node, stop GUI and PERF services

HA disabled:
# pmcadmin stop
# perfadmin stop all

HA enabled:
# egosh user logon -u Admin -x Admin
# egosh service stop all

5. On management node, extract new JRE files and replace some old folders with new ones.

# tar -zxvf ibm-java-jre-6.0-16.35-linux-x86_64.tgz
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On management node, start GUI and PERF services

HA disabled:
# pmcadmin start
# perfadmin start all

HA enabled:
# egosh user logon -u Admin -x Admin
# egosh service start all

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x & Spectrum Cluster Foundation 4.2.2

1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.

3. If high availability is enabled, shut down the standby management node to avoid triggering high availability.

4. On the management node, stop GUI and PERF services

# pcmadmin service stop --group ALL

5. On management node, extract new JRE files and replace some old folders with new ones.

# tar -zxvf ibm-java-jre-7.0-9.60-linux-x86_64.tgz
# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old
# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old
# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On management node, start GUI and PERF services

# pcmadmin service start --group ALL

7. If high availability is enabled, start up standby management node, and replace bin, lib, plugin folders under /opt/pcm/web-portal/jre/linux-x86_64, on standby management node.
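
The following is an added example, not part of the IBM bulletin: a guarded form of the step 5 directory swap used in both procedures above. The function names swap_jre and restore_jre are hypothetical; the swap refuses to run when a bin-old, lib-old or plugin-old directory already exists, because mv would then move the live directory inside the old backup instead of renaming it.

```sh
#!/bin/sh
# Added example (not IBM's code). Function names are hypothetical.
# Example calls, using paths from the steps above:
#   swap_jre ibm-java-x86_64-70/jre /opt/pcm/jre
#   swap_jre ibm-java-x86_64-70/jre /opt/pcm/web-portal/jre/linux-x86_64

# Put every <dir>-old backup found under the installed JRE back in place.
restore_jre() {
    dest=$1
    for d in bin lib plugin; do
        [ -d "$dest/${d}-old" ] || continue
        rm -rf "$dest/$d"
        mv "$dest/${d}-old" "$dest/$d"
    done
}

# swap_jre <extracted_jre_dir> <installed_jre_dir>
# Returns 0 on success, 2 if a directory is missing, 3 if a backup from an
# earlier run is present, 1 if a move or copy fails (after rolling back).
swap_jre() {
    src=$1
    dest=$2
    # Pre-flight: check everything before touching the installed JRE.
    for d in bin lib plugin; do
        [ -d "$src/$d" ] || { echo "missing $src/$d" >&2; return 2; }
        [ -d "$dest/$d" ] || { echo "missing $dest/$d" >&2; return 2; }
        # With bin-old already present, "mv bin bin-old" would create
        # bin-old/bin and leave no clean backup of the current JRE.
        [ ! -e "$dest/${d}-old" ] || {
            echo "$dest/${d}-old already exists; archive it first" >&2
            return 3
        }
    done
    for d in bin lib plugin; do
        if ! mv "$dest/$d" "$dest/${d}-old" || ! cp -r "$src/$d" "$dest/"; then
            # Avoid a mixed old/new JRE: restore every directory moved so far.
            restore_jre "$dest"
            return 1
        fi
    done
}
```

Run it only after the services are stopped in step 4, and confirm the result with the installed JRE's bin/java -version before starting services in step 6.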


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date: 17 June 2018

UID: isg3T1024534