IBM Support

Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-0480, CVE-2015-0486, CVE-2015-0488, CVE-2015-0478, CVE-2015-0477, CVE-2015-1916)

Security Bulletin


Summary

Java is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0480
DESCRIPTION:
 A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attacker to overwrite files on the system with privileges of another user.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVEID: CVE-2015-0486
DESCRIPTION:
 An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102335 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0488
DESCRIPTION:
 An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)



CVEID: CVE-2015-0478
DESCRIPTION:
 An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0477
DESCRIPTION:
 An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-1916
DESCRIPTION:
 Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions


Power HMC V7.7.3.0

Power HMC V7.7.8.0

Power HMC V7.7.9.0

Power HMC V8.1.0.0

Power HMC V8.2.0.0

Power HMC V8.3.0.0

Remediation/Fixes


The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/

Product
VRMF

APAR

Remediation/First Fix

Power HMC

V7.7.3.0 SP7

MB03923
Apply eFix MH01535

Power HMC

V7.7.8.0 SP2

MB03924

Apply eFix MH01536

Power HMC

V7.7.9.0 SP2

MB03925

Apply eFix MH01537

Power HMC

V8.8.1.0 SP2

MB03920

Apply eFix MH01532

Power HMC

V8.8.2.0 SP1

MB03926

Apply eFix MH01538

Power HMC

V8.8.3.0

MB03927

Apply eFix MH01539

Note:

1. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product.

2. After applying the PTF, you should restart the HMC.

3. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called "PERCS" and "IH". End Of Service date for managing all other server models was 2013.05.31.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

29 July 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SGW5F2","label":"HMC Firmware"},"Business Unit":{"code":"BU009","label":"Systems - Server"},"Component":"HMC","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"Enterprise"}]

Document Information

Modified date:
17 June 2018

UID

nas8N1020838