Security Bulletin
Summary
An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Security component that could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact could affect IBM Infosphere Optim Performance Manager that is shipped with Tivoli OMEGAMON XE for DB2 Performance Expert. This issue was disclosed as part of the IBM Java SDK updates for April 2018.
Vulnerability Details
CVEID: CVE-2018-2783
DESCRIPTION: A flaw in TLS handshaking related to previously implemented 3Shake countermeasures
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Products and Versions
|
Principal Product and Version(s) |
Affected Supporting Product and Version |
|
|---|---|---|
|
IBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 4.1. through 4.1.1 IBM Runtime Environment Java Technology Edition, Version 6 SR16 Fix Pack 41 and subsequent releases IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 5.2 through 5.3.1 IBM Runtime Environment Java Technology Edition, Version 7 SR10 Fix Pack 1 and subsequent releases |
Remediation/Fixes
You must replace the IBM Runtime Environment, Java Technology Edition that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows (and shipped with IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS) with the latest IBM Runtime Environment, Java Technology Edition. Detailed instructions are provided in the tech-note: Updating the IBM Runtime Environment, Java Technology Edition for InfoSphere Optim Performance Manager.
Workarounds and Mitigations
None
Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
06 November 2018
UID
ibm10719745