Security Bulletin
Summary
We have identified that the IBM Kenexa LCMS Premier is affected by one or more security vulnerabilities. These have been addressed in LCMS Premier 14.0 version.
Vulnerability Details
CVEID: CVE-2020-14583
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2020-14593
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185071 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2020-14621
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2020-14556
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2020-14581
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185059 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2020-14579
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-14578
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-14577
DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-17639
DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Kenexa LCMS Premier on premise | 14.0 and Below |
Remediation/Fixes
IBM recommends updating to the latest release for customers who are using an affected version. The new version is available at IBM Passport Advantage web site.
Once on version 14.0, please proceed to download and apply the provided fix via Fix Central.
Steps to Download from Fix Central
- Log in to Fix Central (https://www-945.ibm.com/support/fixcentral/)
- Select "IBM Kenexa LCMS Premier” from the Product Selector dropdown
- Select "14.0" from the Installed version dropdown
- Select "Windows" from the Platform dropdown
- Click "Continue"
- Select "Browse for Fixes” and click "Continue"
Download the following 2 files:
- p_14.0.0058_2020-09-18_18-06.zip or above
- p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip
Steps to Follow in Version 14.0 ONLY:
Perform Backups:
1. Stop LCMS Services
2. Perform Backups:
In the LCMS installation directory, perform a backup of the existing JDK directories by renaming the Java directories ibmsdk32 and ibmsdk64. We suggest appending "_backup” to the end.
Important Note: If the Step 1 (stopping of services) did not complete, you might have issues renaming the folders. Please ensure all LCMS services are no longer running prior to renaming/taking backup
Step 1: Deploy the latest LCMS patch: p_14.0.0058_2020-09-18_18-06.zip or above
1. Remove all plugins:
a. From ConfigWiz.exe, check "Advanced" checkbox, then click "Stop Services"
b. Move all jar and all zip files from plugin folder to somewhere else
c. From ConfigWiz.exe, click "Add/Remove Plugins".
2. Install the latest patch:
a. Move or copy this plugin file into the plugin folder.
b. From ConfigWiz.exe, click "Advanced" checkbox, then click "Add/Remove Plugins".
Step 2: Deploy the JDK_Only patch/plugin: p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip [This is on-time activity]
1. Step#1 must complete to starts the JDK 8.0.6.15 upgrade
2. Add the JDK_Only patch/pligin in "plugins" folder [example: p_14.0.0058_JDK-ONLY_8.0.6.15_2020-09-18_18-16.zip] & LCMS patch need not be removed from plugin folder
3. From ConfigWiz.exe, click "Advanced" checkbox, then click "Add/Remove Plugins"
4. For plugins that have JDK upgrade: ◦ ConfigWiz.exe must be closed for JDK upgrade to complete [A popup will display as an alert to close the ConfigWiz]. Anything else that might be using LCMS files or directories must also be closed.
5. From ConfigWiz.exe, check "Advanced" checkbox, then click "Starts Services"
Note:
1. In future, while deploying the upcoming patches, ensure JDK_Only patch/plugin deployment- "Add/Remove Plugins" needs to be run twice as part of step#1.1 [Remove all plugins]
2. Once, Step 1 & 2 are done, you will not be able to revert to the precious version of the JDK. However, applying the upcoming/future patches will only ensure that JDK is maintained with latest version or installed with upgraded version
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
07 Oct 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
08 October 2020
UID
ibm16346499