Security Bulletin: Multiple Security Vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin and Agent

Created by Pankaj Dwivedi on
Published URL:
https://www.ibm.com/support/pages/node/542129

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6.0.16.0 and 7.0.9.10, which are used by IBM Rational License Key Server Administration and Reporting Tool Admin and Agent. These issues were disclosed as part of the IBM Java Runtime updates in January 2016 and include the vulnerability commonly referred to as "SLOTH".

Vulnerability Details

CVEID: CVE-2016-0466
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE, Java SE Embedded and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-7575
DESCRIPTION:
The TLS protocol could allow weaker than expected security caused by a collision attack when the MD5 hash function is used to sign the ServerKeyExchange message during a TLS handshake (the issue commonly referred to as "SLOTH"). An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2016-0448
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-4893
DESCRIPTION: An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4803
DESCRIPTION: An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4911
DESCRIPTION: An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4872
DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to affect data integrity (partial integrity impact; no confidentiality or availability impact).
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

These vulnerabilities impact the following components and their releases:

  • RLKS Administration and Reporting Tool version 8.1.4
  • RLKS Administration and Reporting Tool version 8.1.4.2
  • RLKS Administration and Reporting Tool version 8.1.4.3
  • RLKS Administration and Reporting Tool version 8.1.4.4
  • RLKS Administration and Reporting Tool version 8.1.4.5
  • RLKS Administration and Reporting Tool version 8.1.4.6
  • RLKS Administration and Reporting Tool version 8.1.4.7
  • RLKS Administration and Reporting Tool version 8.1.4.8
  • RLKS Administration and Reporting Tool version 8.1.4.9
  • RLKS Administration Agent version 8.1.4
  • RLKS Administration Agent version 8.1.4.2
  • RLKS Administration Agent version 8.1.4.3
  • RLKS Administration Agent version 8.1.4.4
  • RLKS Administration Agent version 8.1.4.5
  • RLKS Administration Agent version 8.1.4.6
  • RLKS Administration Agent version 8.1.4.7
  • RLKS Administration Agent version 8.1.4.8
  • RLKS Administration Agent version 8.1.4.9
  • RLKS LKAD Borrow Tool version 8.1.4
  • RLKS LKAD Borrow Tool version 8.1.4.8

Remediation/Fixes

Replace the JRE bundled with IBM RLKS Administration and Reporting Tool, IBM RLKS Administration Agent and IBM RLKS LKAD Borrow Tool, following the procedure for each component below.

Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions)

1. Go to Fix Central (https://www.ibm.com/support/fixcentral).

2. On the Find product tab, enter Rational Common Licensing in the Product Selector field and press Enter.

3. Select the installed version and click Continue.

4. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and click Continue.

5. On the Identify fixes page, select Browse for fixes, select Show fixes that apply to this version, and click Continue.

6. Download the Java 6 runtime iFix for RLKS Administration and Reporting Tool.

Note:
Although the name of the iFix is RLKS_Administration_And_Reporting_Tool_8149_iFix_3_<Platform>_<Architecture>, the same iFix applies to all previous RLKS Administration and Reporting Tool versions.

7. Shut down RLKS Administration and Reporting Tool.

8. Go to the installation location of RLKS Administration and Reporting Tool.

9. Rename the <install location>/server/jre folder to <install location>/server/jre_back. This step backs up the existing JRE so that it can be restored if the new runtime fails to start.

10. Extract the downloaded JRE into the <install location>/server folder.

Example: <install location>/server/jre

11. Start RLKS Administration and Reporting Tool.

12. Log in to the tool as the rcladmin user and verify that the configured license servers appear under the 'Server' tab.

Steps to replace the JRE in IBM RLKS Administration Agent (All Versions)

1. Go to Fix Central (https://www.ibm.com/support/fixcentral).

2. On the Find product tab, enter Rational Common Licensing in the Product Selector field and press Enter.

3. Select the installed version and click Continue.

4. Select the platform of the machine where RLKS Administration Agent is installed and click Continue.

5. On the Identify fixes page, select Browse for fixes, select Show fixes that apply to this version, and click Continue.

6. Download the Java 7 runtime iFix for RLKS Administration Agent.

Note:
Although the name of the iFix is RLKS_Administration_And_Reporting_Tool_8149_iFix_3_<Platform>_<Architecture>, the same iFix applies to all previous RLKS Administration Agent versions.

7. Shut down RLKS Administration Agent.

8. Go to the installation location of RLKS Administration Agent.

9. Rename the <install location>/jre folder to <install location>/jre_back. This step backs up the existing JRE so that it can be restored if the new runtime fails to start.

10. Extract the downloaded JRE into the <install location> folder.

Example: <install location>/jre

11. Start RLKS Administration Agent.

Steps to replace the JRE in IBM RLKS LKAD Borrow Tool (All Versions)

1. Go to Fix Central (https://www.ibm.com/support/fixcentral).

2. On the Find product tab, enter Rational Common Licensing in the Product Selector field and press Enter.

3. Select the installed version and click Continue.

4. Select Windows as the platform and click Continue.

5. On the Identify fixes page, select Browse for fixes, select Show fixes that apply to this version, and click Continue.

6. Download the Java 6 runtime iFix for RLKS LKAD Borrow Tool.

7. Close RLKS LKAD Borrow Tool.

8. Go to the installation location of LKAD Borrow Tool.

9. Rename the <install location>/jre folder to <install location>/jre_back. This step backs up the existing JRE so that it can be restored if the new runtime fails to start.

10. Extract the downloaded JRE into the <install location> folder.

Example: <install location>/jre

11. Launch RLKS LKAD Borrow Tool.
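The three procedures above share the same JRE swap (rename the jre folder to jre_back, drop the downloaded JRE in its place). The following POSIX shell script is an added example, not an IBM script, that performs that swap with the safeguards a practitioner would want: it refuses to overwrite an existing backup, verifies that the new runtime actually contains bin/java, and offers a rollback. It also adds a post-install check for CVE-2015-7575. That check assumes the patched JRE disables MD5-signed handshake messages through the MD5withRSA entry in the jdk.tls.disabledAlgorithms property of lib/security/java.security, as the corresponding Oracle January 2016 fix did; this is an assumption about the IBM JRE, not a statement from the bulletin. All paths in the usage comment are illustrative. The first argument is the directory that holds the jre folder: <install location>/server for the Administration and Reporting Tool, <install location> for the Agent and the LKAD Borrow Tool. The product must be shut down first and the iFix must already be unpacked into a staging directory.

```shell
#!/bin/sh
# Added example (not IBM's own script): swap the bundled JRE as described
# in the three procedures above, with backup, verification and rollback.

# replace_jre PARENT_DIR NEW_JRE_DIR
# Renames PARENT_DIR/jre to PARENT_DIR/jre_back and copies NEW_JRE_DIR to
# PARENT_DIR/jre. Refuses to run if a backup already exists, so a second
# run cannot destroy the only copy of the original JRE.
replace_jre() {
    parent="$1"
    new_jre="$2"
    if [ ! -x "$new_jre/bin/java" ]; then
        echo "replace_jre: $new_jre does not look like a JRE (no bin/java)" >&2
        return 1
    fi
    if [ -e "$parent/jre_back" ]; then
        echo "replace_jre: $parent/jre_back already exists; refusing to overwrite backup" >&2
        return 1
    fi
    if [ ! -d "$parent/jre" ]; then
        echo "replace_jre: $parent/jre not found" >&2
        return 1
    fi
    mv "$parent/jre" "$parent/jre_back" || return 1
    # -p keeps the execute bits on bin/java and the other launchers.
    cp -Rp "$new_jre" "$parent/jre" || return 1
    # Final sanity check: the installed runtime must have an executable launcher.
    [ -x "$parent/jre/bin/java" ]
}

# rollback_jre PARENT_DIR
# Restores the backed-up JRE if the product fails to start on the new one.
rollback_jre() {
    parent="$1"
    [ -d "$parent/jre_back" ] || return 1
    rm -rf "$parent/jre" && mv "$parent/jre_back" "$parent/jre"
}

# sloth_mitigated JRE_DIR
# Post-install check for CVE-2015-7575: returns 0 when the JRE's
# lib/security/java.security lists MD5withRSA in jdk.tls.disabledAlgorithms
# (assumption: the patched IBM JRE uses this property, as Oracle's fix did).
sloth_mitigated() {
    sec="$1/lib/security/java.security"
    [ -f "$sec" ] || return 1
    grep -E '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$sec" \
        | grep -q 'MD5withRSA'
}

# Usage (illustrative paths, not from the bulletin):
#   replace_jre /opt/IBM/RLKSAdminTool/server /tmp/ifix/jre \
#     && sloth_mitigated /opt/IBM/RLKSAdminTool/server/jre \
#     || rollback_jre /opt/IBM/RLKSAdminTool/server
```

Run replace_jre with the product stopped, then start the product and perform the login check the procedure describes; if the runtime does not come up, rollback_jre puts the original jre folder back. The sloth_mitigated check only confirms the configuration property; it does not exercise a live TLS handshake.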

References

Acknowledgement

CVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France.

Change History

23 February 2016 : Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product: Rational License Key Server (SSTMW6). Component: RLKS Administration and Reporting Tool. Platforms: AIX, HP-UX, Linux, Solaris, Windows. Versions: 8.1.4, 8.1.4.1, 8.1.4.2, 8.1.4.3, 8.1.4.4, 8.1.4.5, 8.1.4.6, 8.1.4.7, 8.1.4.8, 8.1.4.9.

Document Information

Modified date:
17 June 2018

UID

swg21976926