Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0037
Multiple vulnerabilities have been identified in IBM
Intelligent Operations Center
2 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Intelligent Operations Center
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Increased Privileges -- Remote with User Interaction
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-13785 CVE-2018-12539 CVE-2018-3214
CVE-2018-3211 CVE-2018-3209 CVE-2018-3183
CVE-2018-3180 CVE-2018-3169 CVE-2018-3149
CVE-2018-3139 CVE-2018-3136 CVE-2018-2973
CVE-2018-2964 CVE-2018-2952 CVE-2018-2940
CVE-2018-2814 CVE-2018-2800 CVE-2018-2799
CVE-2018-2798 CVE-2018-2797 CVE-2018-2796
CVE-2018-2795 CVE-2018-2794 CVE-2018-2790
CVE-2018-2783 CVE-2018-2678 CVE-2018-2677
CVE-2018-2663 CVE-2018-2657 CVE-2018-2641
CVE-2018-2639 CVE-2018-2638 CVE-2018-2637
CVE-2018-2634 CVE-2018-2633 CVE-2018-2629
CVE-2018-2618 CVE-2018-2603 CVE-2018-2602
CVE-2018-2599 CVE-2018-2588 CVE-2018-2582
CVE-2018-2579 CVE-2018-1656 CVE-2018-1517
CVE-2018-1413 CVE-2018-0739 CVE-2017-15095
CVE-2017-12624 CVE-2017-7525 CVE-2017-3737
CVE-2017-3736 CVE-2017-3735 CVE-2016-5597
CVE-2016-5549 CVE-2016-5548 CVE-2016-5547
CVE-2016-2183
Reference: ASB-2018.0290
ASB-2018.0264
ASB-2018.0259
ESB-2016.2268
ESB-2016.2263
ESB-2016.2239.2
ESB-2016.2238
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10791133
http://www.ibm.com/support/docview.wss?uid=ibm10730863
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM(R) Java(TM) SDK and IBM(R) Java(TM)
Runtime affect IBM(R) Intelligent Operations Center products
Document information
More support for: IBM Intelligent Operations Center
Component: Not Applicable
Software version: 1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3, 5.1, 5.1.0.1, 5.1.0.2,
5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10,
5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14
Operating system(s): Linux, Windows
Reference #: 0791133
Modified date: 21 December 2018
Security Bulletin
Summary
There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Versions 6, 7, and 8, and IBM(R) Runtime Environment Java(TM), Versions 6, 7, and 8
that are used by IBM(R) Intelligent Operations Center, IBM(R) Intelligent
Operations Center for Emergency Management, and IBM(R) Water Operations for
Waternamics. IBM(R) Intelligent Operations Center has addressed the applicable
CVEs.
Vulnerability Details
If you run your own Java(TM) code using the IBM(R) Java(TM) JRE that is delivered with
this product, you should evaluate your code to determine whether
additional Java(TM) vulnerabilities are applicable to your code.
CVE IDs: CVE-2018-3183 CVE-2018-3209 CVE-2018-3169 CVE-2018-3149 CVE-2018-3211
CVE-2018-3180 CVE-2018-3214 CVE-2018-13785 CVE-2018-3136 CVE-2018-3139
CVEID: CVE-2018-3183
DESCRIPTION: A flaw in the javax.script API allows untrusted code running
under a security manager to elevate its privileges. The fix addresses the flaw.
Product Applicability: This issue is exploitable if the JRE is running
untrusted code under a security manager (including untrusted applets or Web
Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 9.0
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3209
DESCRIPTION: A flaw in Java FX may allow elevation of privileges and execution
of arbitrary code.
Product Applicability: This does not apply to the IBM JRE/SDK, including
Solaris, HP-UX and Mac OS.
Mitigation: N/A.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3169
DESCRIPTION: A flaw in the java.lang.invoke implementation allows untrusted
code to bypass the security manager and elevate its privileges. The fix adds
additional constraint checking to resolve the flaw.
Product Applicability: This issue is exploitable if the JRE is running
untrusted code under a security manager (including untrusted applets or Web
Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3149
DESCRIPTION: A flaw in the JNDI component allows classes to be loaded from
arbitrary URLs even when the system property
"com.sun.jndi.ldap.object.trustURLCodebase" is set to "false". The fix ensures
that URL codebases are not trusted when
com.sun.jndi.ldap.object.trustURLCodebase=false.
Product Applicability: This issue is exploitable if the JRE is running
untrusted code under a security manager (including untrusted applets or Web
Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3211
DESCRIPTION: An unknown flaw in Oracle's Java Usage Tracker.
Product Applicability: This does not apply to the IBM JRE/SDK, including
Solaris, HP-UX and Mac OS.
Mitigation: N/A
CVSS Base Score: 6.6
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-3180
DESCRIPTION: A flaw in the JSSE component means that TLS connections do not
always check the validity of the hostname on the server-side certificate. The
fix ensures that server-side certificates are checked correctly.
Product Applicability: This issue affects products or applications that use TLS
to connect to remote servers.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 5.6
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-3214
DESCRIPTION: A flaw in the sound component results in an infinite loop when
reading a specially crafted WAV file. This potentially allows an attacker to
inflict a denial-of-service attack. The fix ensure that the malformed WAV data
is handled gracefully.
Product Applicability: This issue affects products/applications that read WAV
data from untrusted sources using the
javax.sound.sampled.AudioSystem.getAudioFileFormat() API. This issue is also
exploitable if the JRE is running untrusted code under a security manager
(including untrusted applets or Web Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-13785
DESCRIPTION: A flaw in libpng 1.6.34 may trigger a divide-by-zero while
processing a maliciously crafted PNG file, leading to crash and denial of
service. The fix upgrades the libpng code in the Java runtime (used only for
Applet splash screens) to 1.6.35.
Product Applicability: This issue is applicable if the JRE is installed as a
system JRE, such that it is used to launch and execute applets in a browser.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.7
CVEID: CVE-2018-3136
DESCRIPTION: A flaw in the JAR implementation allows the sealing of a JAR file
to be broken. The fix ensures that sealed JAR files cannot be "unsealed".
Product Applicability: This issue is exploitable if the JRE is running
untrusted code under a security manager (including untrusted applets or Web
Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVEID: CVE-2018-3139
DESCRIPTION: A flaw in the implemention of java.net.HttpURLConnection may lead
to exposure of sensitive information in HTTP headers. The fix ensures that the
sensitive information is not exposed.
Product Applicability: This issue applies to products or applications that use
java.net.HttpURLConnection or javax.net.ssl.HttpsURLConnectioninstances that
are set to automatically follow redirects - i.e. instances upon which
setFollowRedirects() has been called.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Products and Versions
+---------------------------------------------+--------------------------------------------------------------+
|Principal Product and Versions |Affected Supporting Products and Versions |
+---------------------------------------------+--------------------------------------------------------------+
|IBM(R) Intelligent Operations Center V1.6.0 - |IBM SDK, Java Technology Edition, Version 6 Service Refresh 16|
|V5.1.0.14 |Fix Pack 55 and earlier releases |
| | |
| |IBM SDK, Java Technology Edition, Version 6R1 Service Refresh |
| |8 Fix Pack 55 and earlier releases |
+---------------------------------------------+ |
| |IBM SDK, Java Technology Edition, Version 7 Service Refresh 10|
|IBM(R) Intelligent Operations Center for |Fix Pack 15 and earlier releases |
|Emergency Management V1.6 - V5.1.0.6 | |
| |IBM SDK, Java Technology Edition, Version 7R1 Service Refresh |
| |4 Fix Pack 15 and earlier releases |
+---------------------------------------------+ |
| |IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 |
|IBM(R) Water Operations for Waternamics V5.1 - |Fix Pack 7 and earlier releases |
|V5.2.1.1 | |
| | |
| | |
+---------------------------------------------+--------------------------------------------------------------+
Remediation/Fixes
The fix for this issue is available in IBM(R) Intelligent Operations Center
version 5.2 on Passport Advantage.
Refer to the following security bulletins for vulnerability details and
information about fixes:
o IJ10930: FIX SECURITY VULNERABILITY CVE-2018-3183
CVE(s): CVE-2018-3183
o IJ10931: FIX SECURITY VULNERABILITY CVE-2018-3169
CVE(s): CVE-2018-3169
o IJ10932: FIX SECURITY VULNERABILITY CVE-2018-3149
CVE(s): CVE-2018-3149
o IJ10894: FIX SECURITY VULNERABILITY CVE-2018-3180
CVE(s): CVE-2018-3180
o IJ10933: FIX SECURITY VULNERABILITY CVE-2018-3214
CVE(s): CVE-2018-3214
o IJ10934: FIX SECURITY VULNERABILITY CVE-2018-13785
CVE(s): CVE-2018-13785
o IJ10935: FIX SECURITY VULNERABILITY CVE-2018-3136
CVE(s): CVE-2018-3136
o IJ10895: FIX SECURITY VULNERABILITY CVE-2018-3139
CVE(s): CVE-2018-3139
Workarounds and Mitigations
Until you apply the fixes, it may be possible to reduce the risk of successful
attacks by restricting network protocols required by an attack. For attacks
that require certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged users may
help reduce the risk of successful attack. Both approaches may break
application functionality, so IBM strongly recommends that customers test
changes on non-production systems. Neither approach should be considered a
long-term solution as neither corrects the underlying problem.
Change History
21 December 2018: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Intelligent Linux, 1.6, 5.1, 5.1.0.2, 5.1.0.3,
Operations Center for Windows 5.1.0.4, 5.1.0.5, 5.1.0.6
Emergency Management
IBM Water Operations 5.1, 5.2, 5.2.0.1, 5.2.0.2,
for Waternamics Linux 5.2.0.3, 5.2.0.4, 5.2.0.5,
5.2.0.6, 5.2.1, 5.2.1.1
- --------------------------------------------------------------------------------
Security Bulletin: Multiple vulnerabilities in IBM(R) Java(TM) SDK and IBM(R) Java(TM)
Runtime affect IBM(R) Intelligent Operations Center products
Security Bulletin
Document information
More support for: IBM Intelligent Operations Center
Component: Not Applicable
Software version: 1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3, 5.1, 5.1.0.1, 5.1.0.2,
5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10,
5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14
Operating system(s): Linux, Windows
Reference #: 0730863
Modified date: 21 December 2018
Summary
There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Versions 6, 7, and 8, and IBM(R) Runtime Environment Java(TM), Versions 6, 7, and 8
that are used by IBM(R) Intelligent Operations Center, IBM(R) Intelligent
Operations Center for Emergency Management, and IBM(R) Water Operations for
Waternamics. IBM(R) Intelligent Operations Center has addressed the applicable
CVEs.
Vulnerability Details
If you run your own Java(TM) code using the IBM(R) Java(TM) JRE that is delivered with
this product, you should evaluate your code to determine whether
additional Java(TM) vulnerabilities are applicable to your code.
CVE IDs: CVE-2018-2964 CVE-2018-2973 CVE-2018-2940 CVE-2018-2952 CVE-2018-1656
CVE-2018-1517 CVE-2018-2579 CVE-2018-2588 CVE-2018-2663 CVE-2018-2677
CVE-2018-2678 CVE-2018-2602 CVE-2018-2599 CVE-2018-2603 CVE-2018-2629
CVE-2018-2657 CVE-2018-2618 CVE-2018-2641 CVE-2018-2582 CVE-2018-2634
CVE-2018-2637 CVE-2018-2633 CVE-2018-2638 CVE-2018-2639 CVE-2018-2783
CVE-2018-2800
CVEID: CVE-2018-2964
DESCRIPTION: An unspecified vulnerability related to the Java SE Deployment
component could allow an unauthenticated attacker to take control of the
system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
146827 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2973
DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component
could allow an unauthenticated attacker to cause no confidentiality impact,
high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2018-2940
DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
146803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-2952
DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors..
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
146815 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment's Diagnostic Tooling Framework
for Java (DTFJ) does not protect against path traversal attacks when extracting
compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2018-1517
DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology
Edition may allow an attacker to inflict a denial-of-service attack with
specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-2579
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to obtain sensitive information resulting in a low
confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-2588
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit LDAP component could allow an unauthenticated
attacker to obtain sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-2663
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2677
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded AWT component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2678
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137933 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded I18N component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and low availability
impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-2599
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to cause no confidentiality impact, low integrity impact, and low
availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID: CVE-2018-2603
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2629
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JGSS component could allow an unauthenticated
attacker to cause no confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137880 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2018-2657
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Serialization component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137910 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2618
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2018-2641
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded AWT component could allow an unauthenticated attacker to
cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137893 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2018-2582
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2018-2634
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2018-2637
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JMX component could allow an unauthenticated
attacker to cause high confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-2633
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2638
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2639
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector:(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-2783
DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded, JRockit component
of Oracle Java SE (subcomponent: Security). Supported versions that are
affected are Java SE: 6u181, 7u161 and 8u152; Java SE Embedded: 8u152; JRockit:
R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise Java SE, Java SE
Embedded, JRockit. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all
Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized
access to critical data or complete access to all Java SE, Java SE Embedded,
JRockit accessible data. Note: Applies to client and server deployment of Java.
This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying
data to APIs in the specified Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a web service.
CVSS Base Score: 7.4 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-2800
DESCRIPTION: Vulnerability in the Java SE, JRockit component of Oracle Java SE
(subcomponent: RMI). Supported versions that are affected are Java SE: 6u181,
7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, JRockit. Successful attacks require human interaction from
a person other than the attacker. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of Java SE,
JRockit accessible data as well as unauthorized read access to a subset of Java
SE, JRockit accessible data. Note: This vulnerability can only be exploited by
supplying data to APIs in the specified Component without using Untrusted Java
Web Start applications or Untrusted Java applets, such as through a web
service.
CVSS Base Score: 4.2 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
Affected Products and Versions
+---------------------------------------------+--------------------------------------------------------------+
|Principal Product and Versions |Affected Supporting Products and Versions |
+---------------------------------------------+--------------------------------------------------------------+
|IBM(R) Intelligent Operations Center V1.6.0 - |IBM SDK, Java Technology Edition, Version 6 Service Refresh 16|
|V5.1.0.14 |Fix Pack 55 and earlier releases |
| | |
| |IBM SDK, Java Technology Edition, Version 6R1 Service Refresh |
| |8 Fix Pack 55 and earlier releases |
+---------------------------------------------+ |
| |IBM SDK, Java Technology Edition, Version 7 Service Refresh 10|
|IBM(R) Intelligent Operations Center for |Fix Pack 15 and earlier releases |
|Emergency Management V1.6 - V5.1.0.6 | |
| |IBM SDK, Java Technology Edition, Version 7R1 Service Refresh |
| |4 Fix Pack 15 and earlier releases |
+---------------------------------------------+ |
| |IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 |
|IBM(R) Water Operations for Waternamics V5.1 - |Fix Pack 7 and earlier releases |
|V5.2.1.1 | |
| | |
| | |
+---------------------------------------------+--------------------------------------------------------------+
Remediation/Fixes
IBM(R) Intelligent Operations Center and related products use IBM(R) WebSphere
Application Server, IBM(R) WebSphere Application Server Liberty Profile, IBM(R)
Db2, IBM(R) Installation Manager, IBM(R) WebSphere MQ, and Cognos(R), which use the
affected IBM(R) Java(TM) SDK and IBM(R) Java(TM) JRE versions.
The fix for this issue is available in IBM(R) Intelligent Operations Center
version 5.2 on Passport Advantage.
The following areas may require remediation using the information provided in
the listed security bulletins:
+------------+-------------------------------------------------------------------------+
| Area | Security Bulletins |
+------------+-------------------------------------------------------------------------+
|Data server | |
|for IBM(R) | |
|Intelligent | |
|Operations | |
|Center V5.1 | |
|- V5.1.0.14,| |
|IBM(R) |IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM |
|Intelligent |Java Runtime affect IBM(R) Db2(R) |
|Operations | |
|Center for |CVE(s): CVE-2018-2783, CVE-2018-2794 |
|Emergency | |
|Management |IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM |
|V5.1 - |Java Runtime affect IBM(R) Db2(R) |
|V5.1.0.6, | |
|and IBM(R) |CVE(s): CVE-2018-2579, CVE-2018-2678, CVE-2018-2618, CVE-2018-2602 |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|Application | |
|server for | |
|IBM(R) | |
|Intelligent | |
|Operations | |
|Center V5.1 | |
|- V5.1.0.14,|IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects |
|IBM(R) |WebSphere Application Server July 2018 CPU |
|Intelligent | |
|Operations |CVE(s): CVE-2018-1656, CVE-2018-12539 |
|Center for | |
|Emergency |IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects |
|Management |WebSphere Application Server April 2018 CPU |
|V5.1 - | |
|V5.1.0.6, |CVE(s): CVE-2018-2783, CVE-2018-2800 |
|and IBM(R) | |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|Analytics | |
|server for | |
|IBM(R) | |
|Intelligent | |
|Operations | |
|Center V5.1 |IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects |
|- V5.1.0.14,|WebSphere Application Server July 2018 CPU |
|IBM(R) | |
|Intelligent |CVE(s): CVE-2018-1656, CVE-2018-12539 |
|Operations | |
|Center for |IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affects |
|Emergency |WebSphere Application Server April 2018 CPU |
|Management | |
|V5.1- |CVE(s): CVE-2018-2783, CVE-2018-2800 |
|V5.1.0.6, | |
|and IBM(R) | |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|IBM(R) | |
|WebSphere(R) | |
|MQ used by | |
|IBM(R) | |
|Intelligent | |
|Operations |IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime |
|Center V5.1 |affect IBM MQ |
|- V5.1.0.14 | |
|and IBM(R) |CVE(s): CVE-2018-2799, CVE-2018-2798, CVE-2018-2797, CVE-2018-2796, |
|Water |CVE-2018-2795, CVE-2018-2794, CVE-2018-2814, CVE-2018-2783, CVE-2018-2790|
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|IBM(R) | |
|Business | |
|Process | |
|Manager used| |
|by IBM(R) | |
|Intelligent | |
|Operations | |
|Center | |
|V1.6.0 - | |
|V5.1.0.14, | |
|IBM(R) |IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect |
|Intelligent |IBM Integration Designer used in IBM Business Process Manager |
|Operations | |
|Center for |CVE(s): CVE-2018-2633, CVE-2018-2637, CVE-2018-2603, CVE-2018-2602, |
|Emergency |CVE-2018-2579 |
|Management | |
|V1.6 - | |
|V5.1.0.6, | |
|and IBM(R) | |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|Cognos(R) used| |
|by IBM(R) | |
|Intelligent | |
|Operations | |
|Center | |
|V1.6.0 | |
|-V5.1.0.14, |IBM Security Bulletin: Multiple vulnerabilities in IBM Cognos Business |
|IBM(R) |intelligence affect Rational Insight |
|Intelligent | |
|Operations |CVE(s): CVE-2017-3735, CVE-2017-3736, CVE-2018-0739, CVE-2017-3737, |
|Center for |CVE-2017-7525, CVE-2017-12624, CVE-2017-15095, CVE-2018-1413, |
|Emergency |CVE-2018-2579, CVE-2018-2588, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678|
|Management |, CVE-2018-2599, CVE-2018-2603, CVE-2018-2657, CVE-2018-2618, |
|V1.6 - |CVE-2018-2634, CVE-2018-2637, CVE-2018-2800, CVE-2018-2795, CVE-2018-2796|
|V5.1.0.6, |, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2783, |
|and IBM(R) |CVE-2018-2814, CVE-2018-2790 |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|IBM(R) | |
|Installation| |
|Manager used|IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime |
|by IBM(R) |affect IBM Installation Manager and IBM Packaging Utility |
|Intelligent | |
|Operations |CVE(s): CVE-2018-2814, CVE-2018-2783 |
|Center | |
|V1.6.0 - |IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime |
|V5.1.0.14, |affect IBM Installation Manager and IBM Packaging Utility |
|IBM(R) | |
|Intelligent |CVE(s): CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, |
|Operations |CVE-2018-2633 |
|Center for | |
|Emergency |IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime |
|Management |affect IBM Installation Manager and IBM Packaging Utility |
|V1.6 - | |
|V5.1.0.6, |CVE(s): CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-2183 |
|and IBM(R) | |
|Water |IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM |
|Operations |Installation Manager and IBM Packaging Utility (CVE-2016-5597) |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
|IBM(R) SPSS(R) | |
|Analytic | |
|Server used | |
|by IBM(R) | |
|Intelligent | |
|Operations | |
|Center V5.1 |IBM Security Bulletin: Vulnerability in IBM(R) Java SDK affects IBM SPSS |
|- V5.1.0.14 |Analytic Server (CVE-2018-2602, CVE-2018-2634) |
|and IBM(R) | |
|Water | |
|Operations | |
|for | |
|Waternamics | |
|V5.1 - | |
|V5.2.1.1 | |
+------------+-------------------------------------------------------------------------+
Workarounds and Mitigations
Until you apply the fixes, it may be possible to reduce the risk of successful
attacks by restricting network protocols required by an attack. For attacks
that require certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged users may
help reduce the risk of successful attack. Both approaches may break
application functionality, so IBM strongly recommends that customers test
changes on non-production systems. Neither approach should be considered a
long-term solution as neither corrects the underlying problem.
Acknowledgement
CVE-2018-1517 was reported to IBM by Michael Weissbacher.
Change History
21 December 2018: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Intelligent Linux, 1.6, 5.1, 5.1.0.2, 5.1.0.3,
Operations Center for Windows 5.1.0.4, 5.1.0.5, 5.1.0.6
Emergency Management
IBM Water Operations 5.1, 5.2, 5.2.0.1, 5.2.0.2,
for Waternamics Linux 5.2.0.3, 5.2.0.4, 5.2.0.5,
5.2.0.6, 5.2.1, 5.2.1.1
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXCxUYWaOgq3Tt24GAQiwoA//Qd/G1PFzMmFPx64ThX/qkBb8E5oo2XnY
/rv92BG4WuNu+0sdB0vzXj5hMAVtduZTcsXCd4W3H+vlX8P+wF9vhD/nctCwTxpz
gjFd/jBKPh5HIK9UsdqpGR7fFQomyGjdY8DbEL4NiO52FC5ax0Wp6UJd/xNr4ACH
JMtFZ4lQDIe+XlP8gfRXQoZ3gzpVc+x8Nu18JMW1pMkcT2c4CGTZaic4nz4yx1PG
4xhw6FFY7ZB9Oo9QJi4GeX1IZ1NUkQiKkGoHMIMbEZFw2NGpxoXpo/T75SROOVgC
uz2aA2Q939YtkGykTcPFI4NVQSYZ7Wex1ycWU6Z3PFT/r5xZSoaVSje4qdNHADfo
exGluLGAonQ9AdcmSgWQ5XLqnAiHfOi2lL65jBKZaIF50LGo0LGZNUDTi/ApYPdg
GFu2ccE/QigvWp9UGlGnPp0q5za4I8aTvIIH75WHnva93NxOF3yBf9rtE7zgsW6J
HndTGHLjnSxllD7gVq2O1MYd9BiDCizYupYkK8C9FAGmiQtzKou4iqeVhUasujG0
12nkPEOpPrEF8EFVwDEMPYYnxrxAyzGQg40+cVx8kYOxZm+scF9WrlOyPd7QpJJU
VwVMyUByI9gsf3cIBVnbPWMDvzvofy7AQWn9Vdeer/ioYFtEP7davYeHiMIFm5Ly
M5JH9kX3zWg=
=0pc7
-----END PGP SIGNATURE-----