IBM Support

Security Bulletin: A security vulnerability has been identified in IBM Java Runtime that could affect InfoSphere Optim Performance Manager shipped with Tivoli OMEGAMON XE for DB2 Performance Expert (CVE-2018-2783)

Created by Rita Zimmer on
Published URL: https://www.ibm.com/support/pages/node/719745

Security Bulletin


Summary

An unspecified vulnerability in Oracle Java SE, in the Security component of Java SE, Java SE Embedded, and JRockit, could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact. It could affect IBM InfoSphere Optim Performance Manager, which is shipped with Tivoli OMEGAMON XE for DB2 Performance Expert. This issue was disclosed as part of the IBM Java SDK updates for April 2018.

Vulnerability Details

CVEID: CVE-2018-2783

DESCRIPTION: A flaw in TLS handshaking related to previously implemented 3Shake countermeasures.

CVSS Base Score: 7.4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Principal Product and Version(s):

IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS version 5

Affected Supporting Product and Version:

IBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 4.1 through 4.1.1, with IBM Runtime Environment Java Technology Edition, Version 6 SR16 Fix Pack 41 and subsequent releases

IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 5.2 through 5.3.1, with IBM Runtime Environment Java Technology Edition, Version 7 SR10 Fix Pack 1 and subsequent releases

Remediation/Fixes

You must replace the IBM Runtime Environment, Java Technology Edition that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows (and shipped with IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS) with the latest IBM Runtime Environment, Java Technology Edition. Detailed instructions are provided in the tech-note: Updating the IBM Runtime Environment, Java Technology Edition for InfoSphere Optim Performance Manager.

Workarounds and Mitigations

None

Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 06 November 2018

UID: ibm10719745