Security Bulletin
Summary
There are vulnerabilities in IBM Runtime Environment, Java Technology Edition Versions 7 and 8, IBM SDK, Java Technology Edition Version 8, and Eclipse OpenJ9 that affect IBM Transformation Extender.
Vulnerability Details
CVEID: CVE-2018-1890
Description: On the AIX platform, the IBM Java 8 executable contains inappropriate absolute RPATHs, which might allow local users to inject code into JVM processes launched by other users with higher privileges. The fix removes the unsafe RPATHs.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
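The class of defect behind CVE-2018-1890 is a library search path baked into a privileged binary that names directories a local user can write to or create. The following is an added audit example, not IBM code and not the fix itself: it takes the text of `dump -H <binary>` on AIX, extracts the libpath from INDEX 0 of the Import File Strings table (an assumption about that output format; check it on your system), and flags entries that are relative, missing, or group/world writable. The sample dump output and the path /tmp/jvmlibs are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (not IBM code): flag library search-path entries of an
 * executable that a local user could control. Input is the output of
 * `dump -H <binary>` on AIX; the libpath is assumed to be the PATH column
 * of the INDEX 0 row in the Import File Strings table.
 */
public final class LibpathAudit {

    /** Extract the colon-separated libpath (INDEX 0 PATH column) from dump -H output. */
    static String libpathFromDump(String dumpOutput) {
        boolean inImports = false;
        for (String line : dumpOutput.split("\\R")) {
            if (line.contains("Import File Strings")) { inImports = true; continue; }
            if (!inImports) continue;
            String[] cols = line.trim().split("\\s+");
            if (cols.length >= 2 && cols[0].equals("0")) return cols[1];
        }
        return "";
    }

    /** One finding per risky entry; an empty list means nothing was flagged. */
    static List<String> audit(String libpath) throws IOException {
        List<String> findings = new ArrayList<>();
        for (String entry : libpath.split(":", -1)) {
            if (entry.isEmpty() || !entry.startsWith("/")) {
                findings.add("'" + entry + "' is not absolute and is searched relative to the process cwd");
                continue;
            }
            Path dir = Paths.get(entry);
            if (!Files.isDirectory(dir)) {
                findings.add(entry + " does not exist: a local user may be able to create it");
                continue;
            }
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
            if (perms.contains(PosixFilePermission.OTHERS_WRITE)
                    || perms.contains(PosixFilePermission.GROUP_WRITE)) {
                findings.add(entry + " is group/world writable: libraries here can be replaced");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample of dump -H output; /tmp/jvmlibs is a made-up entry.
        String sample = String.join("\n",
            "                        ***Import File Strings***",
            "INDEX  PATH                          BASE                MEMBER",
            "0      /usr/lib:/lib:/tmp/jvmlibs",
            "1                                    libc.a              shr.o");
        String libpath = args.length > 0 ? args[0] : libpathFromDump(sample);
        List<String> findings = audit(libpath);
        if (findings.isEmpty()) System.out.println("OK no risky libpath entries");
        for (String f : findings) System.out.println("WARN " + f);
    }
}
```

Run it against a real binary with `java LibpathAudit "$(dump -H /path/to/java | awk '/Import File Strings/{f=1} f && $1==\"0\"{print $2}')"`. Any entry a lower-privileged user can write to, or can create because it is absent, is the condition the bulletin describes, since whichever user launches the JVM will load libraries from it.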
CVEID: CVE-2019-2426
Description: The transparent NTLM authentication implementation in java.net.HttpURLConnection exposes the user's NTLM credentials to any server that requests them. The fix disables transparent NTLM authentication by default. A new system property (jdk.http.ntlm.transparentAuth) allows the user to enable transparent NTLM authentication for all hosts or for trusted hosts only.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
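The property described above only governs the Windows "transparent" path, where the JDK answers an NTLM challenge with the logged-on user's credentials without asking the application. Once that path is disabled, HttpURLConnection falls back to the application's java.net.Authenticator, so the remaining risk is an Authenticator that returns credentials to whoever challenges. The following is an added example, not IBM or OpenJDK code: an Authenticator that releases credentials only to an explicit allow-list of hosts and only for NTLM or Negotiate challenges, plus a startup check that refuses the allHosts setting. The host names and the account are made up.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not IBM or OpenJDK code). Credentials are released only
 * for NTLM/Negotiate challenges from hosts on an explicit allow-list;
 * every other challenge is declined by returning null.
 */
public final class ScopedNtlmAuthenticator extends Authenticator {

    // Hypothetical allow-list; in practice load it from configuration.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "intranet.example.corp", "proxy.example.corp"));

    private final String user;
    private final char[] password;

    ScopedNtlmAuthenticator(String user, char[] password) {
        this.user = user;
        this.password = password.clone();
    }

    /** Policy decision, kept separate so it can be unit tested without a network. */
    static boolean mayAuthenticate(String host, String scheme) {
        if (host == null || scheme == null) return false;
        if (!TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return false;
        String s = scheme.toLowerCase(Locale.ROOT);
        return s.equals("ntlm") || s.equals("negotiate");
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // getRequestingHost()/getRequestingScheme() describe the 401/407 challenge
        // HttpURLConnection is about to answer. Returning null declines it, so an
        // untrusted server gets a failed request instead of a credential exchange.
        if (!mayAuthenticate(getRequestingHost(), getRequestingScheme())) {
            return null;
        }
        return new PasswordAuthentication(user, password.clone());
    }

    /** Fail closed if someone re-enabled transparent NTLM for every host on the command line. */
    static void requireSafeTransparentAuth() {
        String mode = System.getProperty("jdk.http.ntlm.transparentAuth", "");
        if (mode.equalsIgnoreCase("allHosts")) {
            throw new IllegalStateException(
                "jdk.http.ntlm.transparentAuth=allHosts sends the logged-on user's credentials to any server");
        }
    }

    public static void main(String[] args) {
        requireSafeTransparentAuth();
        Authenticator.setDefault(
            new ScopedNtlmAuthenticator("svc-itx", "not-a-real-password".toCharArray()));
        // From here on HttpURLConnection consults the authenticator for each challenge.
        System.out.println("trusted host, NTLM:  " + mayAuthenticate("intranet.example.corp", "NTLM"));
        System.out.println("unknown host, NTLM:  " + mayAuthenticate("attacker.example.net", "NTLM"));
        System.out.println("trusted host, Basic: " + mayAuthenticate("intranet.example.corp", "Basic"));
    }
}
```

Leave jdk.http.ntlm.transparentAuth unset (the patched default) or set it to trustedHosts; allHosts restores the pre-fix behaviour. The allow-list check must be on the host that issued the challenge, not on the URL the code intended to call, because a redirect can move the request to a different server before the challenge arrives.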
CVEID: CVE-2018-12547
Description: A widely used function in the OpenJ9 JVM is vulnerable to buffer overflows. Multiple Java Runtime components use the vulnerable code, so the issue can manifest in a number of different ways. The fix ensures that the buffer cannot overflow.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-2602
Description: A flaw in the java.math.BigDecimal API causes hangs when parsing certain String values. This potentially allows an attacker to inflict a denial of service. The fix ensures that all Strings are parsed promptly.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-2684
Description: The Java runtime's java.rmi.Registry implementation does not check access privileges correctly for some remote calls. This allows an attacker to effectively replace a number of predefined static skeleton classes with dynamic malicious skeletons. The fix ensures that access checks on remote calls are conducted correctly.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
IBM Transformation Extender V8.4.1.0 through V8.4.1.5
Remediation/Fixes
Workarounds and Mitigations
Get Notified about Future Security Bulletins
References
Change History
23 May 2019: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
22 November 2019
UID
ibm10882278