IBM Support

Security Bulletin: Java SE issues disclosed in the Oracle April 2018 Critical Patch Update affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation

Created by Jian Jin on
Published URL:
https://www.ibm.com/support/pages/node/665247

Security Bulletin


Summary

Java SE issues disclosed in the Oracle April 2018 Critical Patch Update were addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.

Vulnerability Details

CVE Descriptions

CVE-2018-2826 (CVSS 8.3)
Description
A flaw in the VM causes type confusion and potentially allows untrusted code running under a security manager to elevate its privileges.
The fix corrects the flaw.
Product Applicability
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2825 (CVSS 8.3)
Description
A flaw in the VM causes type confusion and potentially allows untrusted code running under a security manager to elevate its privileges.
The fix corrects the flaw.
Product Applicability
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2814 (CVSS 8.3)
Description
A flaw in the Oracle HotSpot VM exposes reclaimed memory which may cause JVM crashes, expose sensitive information, or allow untrusted code to elevate its privileges.
The fix addresses the flaw.
Product Applicability
This issue applies to Solaris, HP-UX and Mac OS only.
This issue is exploitable if the JRE is running untrusted code under a security manager (including untrusted applets or Web Start applications).
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2794 (CVSS 7.7)
Description
A flaw in the JCE component may allow arbitrary code execution via malicious serialized data in keystores.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if keytool is used on a keystore from an untrusted source.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2783 (CVSS 7.4)
Description
A flaw exists in TLS handshaking related to the previously implemented 3Shake countermeasures.
The fix addresses the vulnerability by implementing RFC 7627.
Product Applicability
This issue affects applications that use TLS.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2815 (CVSS 5.3)
Description
A flaw in the ORB component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue does not apply to the IBM JRE/SDK, including the Hybrid JREs/SDKs on Solaris, HP-UX and Mac OS.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2799 (CVSS 5.3)
Description
A flaw in the JAXP component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2798 (CVSS 5.3)
Description
A flaw in the AWT component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2797 (CVSS 5.3)
Description
A flaw in the JMX component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2796 (CVSS 5.3)
Description
A flaw in the java.lang.util.concurrent component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2795 (CVSS 5.3)
Description
A flaw in the java.util component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
Product Applicability
This issue is applicable if the JRE deserializes serialized object data from untrusted sources.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2800 (CVSS 4.2)
Description
RMI accepts HTTP connections by default, which may allow an RMI server to be exposed to cross-site scripting (XSS) attacks.
The fix disables inbound HTTP connections by default. They can be re-enabled if necessary by setting this system property:
java.rmi.server.disableIncomingHttp=false
Product Applicability
This issue applies to Java deployments that use an RMI server.
Mitigation
The only solution is to upgrade the JRE.

CVE-2018-2790 (CVSS 3.1)
Description
A flaw in the JAR parser allowed attributes to be added to a signed JAR's manifest without breaking signature verification.
The fix ensures that any modification of manifest attributes causes signature verification to fail.
Product Applicability
This issue affects applications which rely on signed JARs for integrity purposes.
This issue is also applicable if the JRE is installed as a system JRE, such that it is used to launch and execute applets in a browser, or to launch applications via Java Web Start.
Mitigation
The only solution is to upgrade the JRE.

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1

Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1

Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Spectrum Cluster Foundation 4.2.2

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
Platform Cluster Manager Standard Edition | 4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1 | None | See workaround
Platform Cluster Manager Advanced Edition | 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1 | None | See workaround
Platform HPC | 4.1.1, 4.1.1.1, 4.2.0, 4.2.1 | None | See workaround
Spectrum Cluster Foundation | 4.2.2 | None | See workaround

Workarounds and Mitigations

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the stand-by management node as well.

3. If high availability is enabled, shut down the stand-by management node to avoid triggering a high availability failover.

4. On the management node, stop the GUI and PERF services.

HA disabled:

# pmcadmin stop
# perfadmin stop all

HA enabled:

# egosh user logon -u Admin -x Admin
# egosh service stop all

5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones.

# tar -zxvf ibm-java-jre-6.0-16.65-linux-x86_64.tgz
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On the management node, start the GUI and PERF services.

HA disabled:

# pmcadmin start
# perfadmin start all

HA enabled:

# egosh user logon -u Admin -x Admin
# egosh service start all

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x & Spectrum Cluster Foundation 4.2.2

1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the stand-by management node as well.

3. If high availability is enabled, shut down the stand-by management node to avoid triggering a high availability failover.

4. On the management node, stop the GUI and PERF services.

# pcmadmin service stop --group ALL

5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones.

# tar -zxvf ibm-java-jre-7.0-10.25-linux-x86_64.tgz
# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old
# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old
# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On the management node, start the GUI and PERF services.

# pcmadmin service start --group ALL

7. If high availability is enabled, start up the stand-by management node and replace the bin, lib and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 on the stand-by management node as well.
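The folder swap in step 5 of both procedures above (and step 7 on the stand-by node) can be scripted so that it refuses to run over an existing backup, verifies the replaced JRE still starts before services are restarted, and can be rolled back. This is an added example, not IBM's own tooling; the package directory and target JRE directory arguments are assumptions.

```shell
# Added example, not part of the IBM bulletin: swap the bin, lib and plugin
# directories of an installed JRE for those of an extracted IBM JRE package,
# keeping the originals as <dir>-old so the change can be undone.
# Assumed arguments: the extracted package dir (e.g. ibm-java-x86_64-70) and
# the target JRE dir (e.g. /opt/pcm/jre or /opt/pcm/web-portal/jre/linux-x86_64).

replace_jre_dirs() {
    src="$1"; dst="$2"
    # Pre-check: the package must be complete and no stale backup may exist,
    # otherwise a second run would overwrite the only copy of the original JRE.
    for d in bin lib plugin; do
        if [ ! -d "$src/jre/$d" ]; then
            echo "missing $src/jre/$d" >&2; return 1
        fi
        if [ -e "$dst/$d-old" ]; then
            echo "$dst/$d-old exists; roll back or remove it first" >&2; return 1
        fi
    done
    # Same moves and copies as the bulletin's steps, with rollback on failure.
    for d in bin lib plugin; do
        if [ -d "$dst/$d" ]; then
            mv "$dst/$d" "$dst/$d-old" || return 1
        fi
        if ! cp -r "$src/jre/$d" "$dst/$d"; then
            rollback_jre_dirs "$dst"; return 1
        fi
    done
    # Post-check: the JRE now in place must start before services are restarted.
    if ! "$dst/bin/java" -version >/dev/null 2>&1; then
        rollback_jre_dirs "$dst"; return 1
    fi
    return 0
}

# Restore the -old directories: used after a failed copy, or to undo the update.
rollback_jre_dirs() {
    dst="$1"
    for d in bin lib plugin; do
        if [ -d "$dst/$d-old" ]; then
            rm -rf "$dst/$d"
            mv "$dst/$d-old" "$dst/$d" || return 1
        fi
    done
    return 0
}

# First line of "java -version" for the JRE at $1, for a before/after comparison.
jre_version() {
    "$1/bin/java" -version 2>&1 | head -n 1
}
```

Run it with the services stopped, as in step 4, and compare jre_version output before and after; the same functions apply to the stand-by node in step 7.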


Change History

May 25, 2018 - v1.0

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
17 June 2018

UID

isg3T1027765