-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2135
  Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
  Rational Software Architect, Rational Software Architect for WebSphere
         Software and Rational Software Architect RealTime Edition
                             13 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Software Architect products
Publisher:         IBM
Operating System:  Linux variants
                   OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3610 CVE-2016-3606 CVE-2016-3598
                   CVE-2016-3587 CVE-2016-3552 CVE-2016-3550
                   CVE-2016-3511 CVE-2016-3508 CVE-2016-3503
                   CVE-2016-3500 CVE-2016-3498 CVE-2016-3485
                   CVE-2016-3458  

Reference:         ASB-2016.0074
                   ESB-2016.1911

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21990374

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
Rational Software Architect, Rational Software Architect for WebSphere
Software and Rational Software Architect RealTime Edition

Security Bulletin

Document information

More support for:     Rational Software Architect
                      General Information
Software version:     8.5, 8.5.1, 8.5.5, 8.5.5.1, 8.5.5.2, 8.5.5.3, 8.5.5.4,
                      9.0, 9.0.0.1, 9.1, 9.1.1, 9.1.2, 9.1.2.1, 9.1.2.2
Operating system(s):  Linux, OS X, Windows
Reference #:          1990374
Modified date:        2016-09-13

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Versions 7 and 8 that are used by IBM Rational Software Architect, Rational
Software Architect for WebSphere Software and Rational Software Architect
RealTime.

Vulnerability Details

CVEID: CVE-2016-3610

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115270 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3598

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115269 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3606

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Hotspot component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115268 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3587

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Hotspot component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115267 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3511

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Deployment component has high confidentiality impact, high integrity impact,
and high availability impact.

CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3508

DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Java SE Embedded
and JRockit related to the JAXP component could allow a remote attacker to
cause a denial of service resulting in a low availability impact using
unknown attack vectors.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115279 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3550

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Hotspot component could allow a remote attacker to
obtain sensitive information resulting in a low confidentiality impact using
unknown attack vectors.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115272 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3500

DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Java SE Embedded
and JRockit related to the JAXP component could allow a remote attacker to
cause a denial of service resulting in a low availability impact using
unknown attack vectors.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115278 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3458

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the CORBA component has no confidentiality impact, low
integrity impact, and no availability impact.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115271 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-3485

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Networking component has no confidentiality impact,
low integrity impact, and no availability impact.

CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-3498

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
JavaFX component could allow a remote attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115277 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3552

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Install component has high confidentiality impact, high integrity impact, and
high availability impact.

CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115274 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3503

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Install component has high confidentiality impact, high integrity impact, and
high availability impact.

CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115276 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

Rational Software Architect 9.5.0.2 and earlier

Rational Software Architect for WebSphere Software 9.5.0.2 and earlier

Rational Software Architect RealTime Edition 9.5 and earlier

Remediation/Fixes

Update the IBM SDK, Java Technology Edition of the product to address this
vulnerability:

Product                                                       VRMF             Remediation/First Fix
Rational Software Architect Designer (RSAD)                   9.5 to 9.5.0.2   IBM Java SDK/JRE 8 SR3 FP10 IFixes
Rational Software Architect Designer for WebSphere Software   9.5 to 9.5.0.2   IBM Java SDK/JRE 8 SR3 FP10 IFixes
  (RSAD4WS)
Rational Software Architect RealTime (RSART)                  9.5              IBM Java SDK/JRE 8 SR3 FP10 IFixes
Rational Software Architect (RSA)                             8.5 to 8.5.5.4   IBM Java SDK/JRE 7 SR9 FP50 IFixes
                                                              9.0 to 9.0.0.1
                                                              9.1 to 9.1.2.2
Rational Software Architect for WebSphere Software            8.5 to 8.5.5.4   IBM Java SDK/JRE 7 SR9 FP50 IFixes
                                                              9.0 to 9.0.0.1
                                                              9.1 to 9.1.2.2
Rational Software Architect RealTime Edition                  8.5 to 8.5.1     IBM Java SDK/JRE 7 SR9 FP50 IFixes
                                                              9.0 to 9.0.0.1
                                                              9.1 to 9.1.2

Installation Instructions:

Updating Installed Product Packages

Instructions to download and install the update from the compressed files:

1. Download the update files from Fix Central by following the link listed in
   the download table above.

2. Extract the compressed files in an appropriate directory. For example,
   choose to extract to C:\temp\update.

3. Start IBM Installation Manager.

4. On the Start page of Installation Manager, click File > Preferences and
   then click Repositories. The Repositories page opens.

5. On the Repositories page, click Add Repository.

6. In the Add repository window, browse to or enter the file path to the
   repository.config file, which is located in the directory where you
   extracted the compressed files, and then click OK. For example, enter
   C:\temp\update\repository.config.

7. Click OK to close the Preferences page.

8. Install the update as described in the topic "Updating Installed Product
   Packages" in the IBM Knowledge Center for your product and version.

Workarounds and Mitigations

No known workarounds

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----