-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
A security vulnerability has been identified in IBM Java
Runtime which affects DataQuant for z/OS
23 April 2019
AusCERT Security Bulletin Summary
Product: IBM DataQuant
Operating System: z/OS
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2019-2426 CVE-2018-12549 CVE-2018-12547
- --------------------------BEGIN INCLUDED TEXT--------------------
A security vulnerability has been identified in IBM Java Runtime which affects
DataQuant for z/OS
Software version: 2.1
Operating system(s): z/OS
Reference #: 0881488
An unspecified vulnerability has been identified in IBM Java Runtime that could
affect DataQuant for z/OS.
CVSS Base Score: 9.8
A widely used function in the OpenJ9 JVM is vulnerable to buffer overlows.
Multiple Java Runtime components use the vulnerable code, so the issue can
manifest in a number of different ways.
The fix ensures that the buffer cannot overflow.
CVEID : CVE-2018-1890
CVSS Base Score: 5.6
On the AIX platform, the IBM Java 8 executable contains inappropriate absolute
RPATHs, which may allow local users to inject code into JVM processes launched
by other users with higher privileges.
The fix removes the unsafe RPATHs.
CVEID : CVE-2018-12549
CVSS Base Score: 9.8
A flaw in the OpenJ9 JIT compiler allows unprivileged code to access to access
sensitive methods in the internal class sun.misc.Unsafe, which allows the
untrusted code to elevate its privileges.
The fix prevents optimized unprivileged code from accessing sun.misc.Unsafe.
CVSS Base Score: 3.7
The transparent NTLM authentication implementation in
java.net.HttpURLConnection exposes the user's NTLM credentials to any server
that requests them.
The fix disables transparent NTLM authentication by default. A new system
property (jdk.http.ntlm.transparentAuth) allows the user to enable transparent
NTLM authentication for all hosts or trusted hosts only.
CVEID : CVE-2018-11212
CVSS Base Score: 5.3
A flaw in the Java runtime's JPEG parser allows maliciously crafted JPEG data
to inflict a denial-of-service by triggering a JVM crash.
The fix ensures that the bad JPEG data is handled gracefully.
Affected Products and Versions
|Principal Products and Versions|
|DataQuant for z/OS 2.1.0 |
Steps to update Java for IBM DataQuant:
1. Close DataQuant.
2. Download JRE 188.8.131.52 version from IBM Java download portal.
3. Replace jre folder at the install directory location > C:\Program Files
(x86)\IBM\IBM DataQuant\DataQuant for Workstation. Replace with contents in
step # 2.
4. Download eclipse oxygen from https://www.eclipse.org/downloads/download.php
5. Extract the eclipse oxygen and copy the plugin -
6. Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where
DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for
7. Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar
from the DataQuant install directory
Workarounds and Mitigations
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----