Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0528
Security Bulletin: Vulnerabilities in IBM SDK, Java Technology Edition
Quarterly CPU - Oct 2019 - Includes Oracle Oct 2019 CPU minus CVE-2019-2949
17 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Streams
Publisher: IBM
Operating System: Linux variants
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-17631 CVE-2019-2999 CVE-2019-2996
CVE-2019-2992 CVE-2019-2989 CVE-2019-2988
CVE-2019-2987 CVE-2019-2983 CVE-2019-2981
CVE-2019-2978 CVE-2019-2977 CVE-2019-2975
CVE-2019-2973 CVE-2019-2964 CVE-2019-2962
CVE-2019-2958 CVE-2019-2949 CVE-2019-2945
CVE-2019-2933 CVE-2019-2894
Reference: ASB-2019.0294
ASB-2019.0290
ESB-2020.0513
ESB-2020.0350
Original Bulletin:
https://www.ibm.com/support/pages/node/1171108
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Oct 2019 -
Includes Oracle Oct 2019 CPU minus CVE-2019-2949
Security Bulletin
Summary
There are vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU -
Oct 2019 - Includes Oracle Oct 2019 CPU used by IBM Streams. IBM Streams has
addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2019-2989
DESCRIPTION: An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to cause no confidentiality impact, high integrity
impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)
CVEID: CVE-2019-2958
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause no confidentiality
impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169264 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2019-2977
DESCRIPTION: An unspecified vulnerability in Java SE related to the VM
component could allow an unauthenticated attacker to cause low confidentiality
impact, no integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2019-2975
DESCRIPTION: An unspecified vulnerability in Java SE related to the Scripting
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID: CVE-2019-2999
DESCRIPTION: An unspecified vulnerability in Java SE related to the Javadoc
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2019-2996
DESCRIPTION: An unspecified vulnerability in Java SE related to the Deployment
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169302 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-2894
DESCRIPTION: An unspecified vulnerability in Java SE related to the Security
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169207 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-2992
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169298 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2988
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2987
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2983
DESCRIPTION: An unspecified vulnerability in Java SE related to the
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169289 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2981
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169287 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2978
DESCRIPTION: An unspecified vulnerability in Java SE related to the Networking
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169284 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2973
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2962
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169268 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2964
DESCRIPTION: An unspecified vulnerability in Java SE related to the Concurrency
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2945
DESCRIPTION: An unspecified vulnerability in Java SE related to the Networking
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169250 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2933
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169238 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-17631
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by the failure to performs an authorization
check when an actor attempts to access a resource or perform an action. An
attacker could exploit this vulnerability to gain access to diagnostic
operations such as causing a GC or creating a diagnostic file.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169513 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|InfoSphere Streams |4.1.1.x |
+--------------------+----------+
|InfoSphere Streams |4.2.1.x |
+--------------------+----------+
|InfoSphere Streams |4.3.1.x |
+--------------------+----------+
Remediation/Fixes
NOTE:Fix Packs are available on IBM Fix Central.
To remediate/fix this issue, follow the instructions below:
Version 4.3.x: Apply 4.3.0 Fix Pack 1 (4.3.1.1) or higher .
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.9) or higher .
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.11) or higher .
Versions 4.0.x,3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product. Customers who cannot upgrade and need to secure their installation
should open a PMR with IBM Technical Support and request assistance securing
their InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXkoHjWaOgq3Tt24GAQhMSw//bSLiwCV/IjYLRAty5SQ6/gGuGF26KCTA
qP3rgnlfifoktBQ8QfXG3s6HtMZKWAzcLpZ5REBUPqLDmBAkgS8guipAqe9McgtC
8h1DHTVcrWu6ERGu8ZWhlI0GeqswwSu2yfkgU+VyfbTCdkgCsLiAd5YPuZY7mjqZ
tg/yYSXCGZLoXSlkj5a8LNFlZ2ZKrRcoRl0A4+r0pngkUWMoA7zgEzkfYlgpBwW0
2bQSgIX60spsikLJSQRHkr0O/2MPneDil7lNGjCRDGHpEP9hwWP2BycsERDzdtZZ
uo+VM+4UMjWpTFxwsTr0MGTQD7iCBAqJ5Nb0fZoU93uC9QPI+LDlDHmCZdRm0Qc4
8bJrghFE0WsvSLhlYW1Gdf6k6x36uwWbJZalO0opiyOo6qg3SEdVQ197IV77/264
UTYL1FwI/uG4DVV261voUzGWyNUxas52fzXIG1KYHO/fpnV0VdfWiNIUJV7GHx9b
9IrOT1Vp50vrqz6y3kO5tsIhHaGoFNCJ0NNY86elEPPnaB71kEZhitkXsPw00PNi
2BVkmX5EDVuT1HOtRxkGD/PcKv0uRWwcL/E3qQrUJfcOtv5eZo+gM9ihqXuFED9p
vdm5cA2tqbhJUnlpXTXZTO4Gpfcgqe3I6JQd0kHEdtmUaQ2WrGnYdUVbJlYnrl/G
w5sCNJjwJnM=
=30AK
-----END PGP SIGNATURE-----