IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor

Created by Xue Zhou Yuan on
Published URL:
https://www.ibm.com/support/pages/node/735477
735477

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ versions 8 Service Refresh 5 Fix Pack 17 used by IBM Spectrum Conductor with Spark 2.2.0, 2.2.1 and IBM Spectrum Conductor 2.3.0. IBM Spectrum Conductor has addressed the applicable CVEs.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the "IBM Java SDK Security Bulletin", located in the References section for more information.

CVEID:  CVE-2018-2964
DESCRIPTION:  An unspecified vulnerability related to the Java SE Deployment component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/146827 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2018-2973
DESCRIPTION:  An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:  CVE-2018-2940
DESCRIPTION:  An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/146803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:  CVE-2018-2952
DESCRIPTION:  An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/146815 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2018-1656
DESCRIPTION:  The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/148389 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2018-1517
DESCRIPTION:  A flaw in the java.math component in IBM SDK, Java Technology Edition may allow an attacker to inflict a denial-of-service attack with specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/141681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys.
An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in
 the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the
private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw i
n the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system co
uld exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Spectrum Conductor with Spark 2.2.0
IBM Spectrum Conductor with Spark 2.2.1
IBM Spectrum Conductor 2.3.0

Remediation/Fixes

Before installation

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator:
    > egosh user logon -u Admin -x Admin
  3. Stop all services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all

Installation

  1. Log on to each host in your cluster (root or sudo to root permission).
  2. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  3. Upgrade the JRE by using the RPM in this interim fix.
    NOTE: RPM version 4.2.1 or later must be installed on the host. Ensure that you replace dbpath_location in the following RPM commands with the path to your database.

    For IBM Spectrum Conductor with Spark 2.2.0, take Linux x86_64 as example
    > mkdir -p /tmp/cws22build504322
    > tar zxof cws-2.2.0.0_x86_64_build504322.tgz -C /tmp/cws22build504322
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws22build504322/egojre-8.0.5.22.x86_64.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, take Linux x86_64 as example:
    > mkdir -p /tmp/cws221build504323
    > tar zxof cws-2.2.1.0_x86_64_build504323.tgz -C /tmp/cws221build504323
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws221build504323/egojre-8.0.5.22.x86_64.rpm

    For IBM Spectrum Conductor 2.3.0, take Linux x86_64 as example:
    > mkdir -p /tmp/sc230build504324
    > tar zxof conductor-2.3.0.0_x86_64_build504324.tgz -C /tmp/sc230build504324
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/sc230build504324/egojre-8.0.5.22.x86_64.rpm 
  4. The cshrc.jre and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
  5. Source the cluster profile again and start the cluster:
    > egosh ego start all
  6. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Verify the installation

Run the rpm –qa command to verify the installation.

For IBM Spectrum Conductor with Spark 2.2.0, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
  egojre-8.0.5.22-504322.x86_64

For IBM Spectrum Conductor with Spark 2.2.1, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
  egojre-8.0.5.22-504323.x86_64

For IBM Spectrum Conductor 2.3.0, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
  egojre-8.0.5.22-504324.x86_64

Uninstallation (if required)

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator:
    > egosh user logon -u Admin -x Admin
  3. Stop services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all
  4. Log on to each host in your cluster (root or sudo to root permission).
  5. Define the CLUSTERADMIN environment variable and set it to any valid operating user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  6. Uninstall the existing JRE and then install the old JRE.
    NOTE: RPM version 4.2.1 or later must be installed on the host. 
    Ensure that you replace dbpath_location in the following RPM commands with the path to your database.

    For IBM Spectrum Conductor with Spark 2.2.0, enter:
    > rpm -e egojre-8.0.5.22-504322.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre rpm, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the old JRE:
    > mkdir -p /tmp/extract22
    > cws-2.2.0.0_x86_64.bin --extract /tmp/extract22
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract22/egojre-*.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, enter:
    > rpm -e egojre-8.0.5.22-504323.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre rpm, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the old JRE:
    > mkdir -p /tmp/extract221
    > cws-2.2.1.0_x86_64.bin --extract /tmp/extract221
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract221/egojre-*.rpm

    For IBM Spectrum Conductor 2.3.0, enter:
    > rpm -e egojre-8.0.5.22-504324.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre rpm, run:

    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the old JRE:

    > mkdir -p /tmp/extract23
    > conductor2.3.0.0_x86_64.bin --extract /tmp/extract23
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract23/egojre-*.rpm
  7. Source the cluster profile and start the cluster:
    > egosh ego start all
  8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Packages

Product VRMF APAR Remediation/First Fix
IBM Spectrum Conductor with Spark 2.2.0 P102770

egojre-8.0.5.22.x86_64.rpm

https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2-build504322&includeSupersedes=0

IBM Spectrum Conductor with Spark 2.2.1 P102770

egojre-8.0.5.22.x86_64.rpm

https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2.1-build504323&includeSupersedes=0

IBM Spectrum Conductor 2.3.0 P102770

egojre-8.0.5.22.x86_64.rpm

https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.3-build504324&includeSupersedes=0

Workarounds and Mitigations

  None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

CVE-2018-1517 was reported to IBM by Michael Weissbacher

Change History

06 Nov, 2018: Original version published
12 Nov, 2018: Edited the summary and vulnerability details.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS4H63","label":"IBM Spectrum Conductor"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.2.0;2.2.1;2.3.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
02 August 2021

UID

ibm10735477