ESB-2017.1601 - [Win][Linux][HP-UX][Solaris][AIX] IBM Java Runtime: Multiple vulnerabilities 2017-06-27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1601
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Optim
       Data Growth, Test Data Management and Application Retirement
                               27 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Java Runtime
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5549 CVE-2016-5548 CVE-2016-5547
                   CVE-2016-5546 CVE-2016-2183 

Reference:         ASB-2017.0005
                   ASB-2016.0095
                   ESB-2017.1599
                   ESB-2017.1593

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22003285

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Optim 
Data Growth, Test Data Management and Application Retirement

Security Bulletin

Document information

More support for: Optim

Client components

Software version: 9.1, 11.3.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2003285

Modified date: 26 June 2017

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Version 6 
used by Optim Data Growth, Test Data Management and Application Retirement. 
These issues were disclosed as part of the IBM Java SDK updates in January 
2017.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this 
product, evaluate that code to determine whether the complete list of 
vulnerabilities in the IBM Java SDK update applies to it. For the complete list 
of vulnerabilities, refer to the IBM Java SDK Security Bulletin linked in the 
References section of this bulletin.

CVEID: CVE-2016-5546

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
could allow a remote attacker to compromise data integrity using unknown attack
vectors. The vector below records a high integrity impact with no 
confidentiality or availability impact.

CVSS Base Score: 7.5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/120869 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5548

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
could allow a remote attacker to obtain sensitive information resulting in a 
high confidentiality impact using unknown attack vectors.

CVSS Base Score: 6.5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/120864 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5549

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
could allow a remote attacker to obtain sensitive information resulting in a 
high confidentiality impact using unknown attack vectors.

CVSS Base Score: 6.5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/120863 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5547

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
could allow a remote attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2183

DESCRIPTION: The DES/3DES cipher, used as a part of the SSL/TLS protocol, could
allow a remote attacker to obtain sensitive information. (This CVE was 
originally reported against OpenSSL; it applies to any SSL/TLS implementation 
that still negotiates 3DES cipher suites, which is why it is listed here for 
the IBM Java Runtime.) 3DES has a 64-bit block, so ciphertext block collisions
become likely after roughly 2^32 blocks, tens of gigabytes, on a single 
long-lived SSL/TLS session. By capturing that much encrypted traffic between 
the SSL/TLS server and the client, a remote attacker able to conduct a 
man-in-the-middle attack could exploit this vulnerability to recover the 
plaintext data and obtain sensitive information. This vulnerability is known 
as the SWEET32 Birthday attack.

CVSS Base Score: 3.7

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
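The "large amounts of encrypted traffic" in the CVE-2016-2183 description is a birthday bound on the cipher's block size, which is why the attack is practical against 3DES but not against AES. The following is an added worked example (editor's code, not from the IBM bulletin) that carries that arithmetic through: the birthday approximation p ~ 1 - exp(-n^2 / (2 * 2^b)) for n ciphertext blocks of b bits, and the traffic volume an attacker must see on one connection for a given collision probability. The cipher names and the 50% target are chosen for illustration.

```python
"""Birthday-bound arithmetic behind SWEET32 (CVE-2016-2183): how much traffic
on one TLS connection makes a ciphertext-block collision likely for a 64-bit
block cipher (DES/3DES) versus a 128-bit one (AES). Editor's example."""
import math


def collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks ciphertext blocks collide,
    birthday approximation p ~ 1 - exp(-n^2 / (2 * 2^b)). In CBC mode a
    collision C_i == C_j gives P_i XOR P_j == C_{i-1} XOR C_{j-1}, which leaks
    plaintext when one of the two blocks is attacker-known."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(float(n_blocks) ** 2) / (2.0 * space))


def blocks_for_probability(p, block_bits):
    """Blocks after which a collision has occurred with probability p
    (inverse of the approximation above)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2.0 ** block_bits
    return math.sqrt(-2.0 * space * math.log(1.0 - p))


def traffic_bytes(n_blocks, block_bits):
    """Ciphertext volume, in bytes, corresponding to n_blocks blocks."""
    return int(n_blocks) * (block_bits // 8)


def sweet32_report(p=0.5):
    """Traffic an attacker must capture on a single connection for a collision
    with probability p, keyed by cipher. Cipher labels are illustrative."""
    ciphers = {"DES/3DES (64-bit block)": 64, "AES (128-bit block)": 128}
    return {name: traffic_bytes(blocks_for_probability(p, bits), bits)
            for name, bits in ciphers.items()}


def human(n):
    """Render a byte count with binary units for the report."""
    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB"]
    x, i = float(n), 0
    while x >= 1024 and i < len(units) - 1:
        x /= 1024
        i += 1
    return "%.1f %s" % (x, units[i])


if __name__ == "__main__":
    for name, nbytes in sweet32_report().items():
        print("%-26s %s on a single connection" % (name, human(nbytes)))
    # 2^32 blocks of 3DES is 32 GiB, the figure usually quoted for SWEET32
    print("p(collision) after 32 GiB of 3DES:",
          round(collision_probability(2 ** 32, 64), 3))
```

The 64-bit row lands in the tens of gigabytes, a volume a long-lived TLS session can carry; the 128-bit row is around 2^32 times larger, which is why moving affected clients and servers off 3DES cipher suites removes the attack rather than merely raising its cost.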

Affected Products and Versions

IBM InfoSphere Optim solutions and editions versions 9.1 and 11.3 running on 
all supported platforms are affected.

Both editions (Enterprise and Workgroup) of the following products are 
affected:

Optim Archive

Optim Data Privacy

Optim Test Data Management

All variations of the following solutions are affected:

Optim Data Growth Solution

Optim Solution for Application Retirement

Optim Test Data Management Solution

Remediation/Fixes

For the 11.3 release, fix pack 4 (11.3.0.4), iFix 153 and iFix 215 are 
required before installing iFix 032. That is, install 11.3.0.4, then iFix 153,
then iFix 215, then iFix 032.

For the 9.1 release, fix pack 6 (9.1.0.6) and iFix 208 are required before 
installing iFix 025.

Product: IBM InfoSphere Optim solutions and editions
  VRMF: 11.3.0   iFix: 032   Remediation/First Fix: apply IBM InfoSphere Optim
  11.3.0.4, then iFix 153, then iFix 215, then iFix 032

Product: IBM InfoSphere Optim solutions and editions
  VRMF: 9.1.0    iFix: 025   Remediation/First Fix: apply IBM InfoSphere Optim
  9.1.0.6, then iFix 208, then iFix 025

Installing this fix

For each release (9.1.0 and 11.3.0), there are 3 components that require this
fix:

Optim Designer

Optim Runtime Services

WAS CE

There are 2 alternatives to install the fixes:

Use IBM Installation Manager to directly download the fix from IBM and apply 
it. An internet connection is required on the machine where Optim is installed
for this alternative.

Download the zip file and then use IBM Installation Manager to install it. An 
internet connection is not required on the machine where Optim is installed 
for this alternative, but the zip file will have to be placed on the machine 
via a diskette or USB drive to be used.

Here are the detailed instructions for each alternative:

Use IBM Installation Manager to directly download an iFix from IBM and apply 
it. This method requires an external internet connection on the host machine 
containing Installation Manager and one, two or all of the following 3 Optim 
components: Designer, Runtime Services, and WAS CE.

Use the following instructions:

Shut down all Optim components.

Start Installation Manager. If you have multiple instances of Installation 
Manager installed, make sure you choose the one used to install Optim.

On the main Installation Manager window, select File->Preferences, then 
Repositories.

At the bottom of the Installation Manager Repositories window, ensure the 
check box "Search service repositories during installation and updates." is 
selected.

Select OK to save the settings and close the window.

On the main Installation Manager window, select the Update icon.

On the Update Packages window, select one of the following:

IBM InfoSphere package group for machines where Optim Designer is installed

IBM Optim Runtime package group for machines where Optim Runtime Services is 
installed

IBM Optim Shared package group for machines where WAS CE is installed.

Select the Next button.

On the next window, ensure that the appropriate iFix is selected for the 
version of the Optim that is installed on your machine.

Follow the wizard to complete the installation of the iFix.

NOTES:

You must be at either the 9.1.0.6 or 11.3.0.4 versions for this to work.

Repeat this process for each Optim component (Designer, Runtime Services, WAS 
CE) that is installed on each machine where Optim is installed.

Download the zip file and then use IBM Installation Manager to install it.

Use the following instructions:

To update Optim Designer download:

For 11.3.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032DesignerPatch.zip

For 9.1.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025DesignerPatch.zip

To update Optim Runtime Services download:

For 11.3.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032RuntimeServicesPatch.zip

For 9.1.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025RuntimeServicesPatch.zip

To update WAS CE download:

For 11.3.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032WASCEPatch.zip

For 9.1.0: 
http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025WASCEPatch.zip

Transfer to the computer where Optim is installed each of the above files for
the components that are installed on the computer.

Unzip the zip file(s).

Follow the instructions in the ReadMe contained in the zip file(s).

NOTES:

1. If you have multiple components on a computer, you will have to install the
fix for each component (Designer, Runtime Services, WAS CE) separately.
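Because each of the three components (Designer, Runtime Services, WAS CE) is patched separately and each ships its own copy of the IBM Java Runtime, the practical post-patch check is to locate every bundled JRE under the Optim installation and confirm they all report the fixed build. The following is an added example (editor's code, not IBM's): it walks an install tree for bin/java, runs `java -version` on each, parses the "(build ...)" token, and lists any runtime that does not carry the expected build string. The install path and the version-banner samples are constructed for illustration, and the expected build string is a parameter because this bulletin does not state it; take it from the IBM Java SDK Security Bulletin for the fix you applied.

```python
"""Post-patch check: inventory every Java runtime under an Optim install and
flag those not at the expected build. Editor's example, not IBM's code."""
import os
import re
import subprocess

# `java -version` prints a line such as (constructed samples, formats only):
#   Java(TM) SE Runtime Environment (build pxa6460sr16fp40-20170224_01(SR16 FP40))
#   OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~20.04-b10)
# We key on the "(build <token>[(<level>)])" group, which both JVM families emit.
_BUILD = re.compile(r"\(build\s+(?P<build>[^()\s]+)\s*(?:\((?P<level>[^)]*)\))?\)")


def parse_version(text):
    """Extract the build token and optional service level (e.g. 'SR16 FP40')
    from `java -version` output. Returns None if no build token is present."""
    m = _BUILD.search(text)
    if not m:
        return None
    return {"build": m.group("build"), "level": m.group("level")}


def find_java_binaries(root):
    """Every bin/java (or java.exe on Windows) below root, sorted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "bin":
            hits.extend(os.path.join(dirpath, n)
                        for n in ("java", "java.exe") if n in filenames)
    return sorted(hits)


def java_version_banner(path):
    """Run `java -version`; the banner goes to stderr on IBM and Oracle JVMs."""
    proc = subprocess.run([path, "-version"], capture_output=True, text=True)
    return (proc.stderr or "") + (proc.stdout or "")


def inventory(root):
    """Map each bundled java binary to its parsed build info (or None)."""
    return {p: parse_version(java_version_banner(p))
            for p in find_java_binaries(root)}


def stale_runtimes(report, required_build):
    """Paths whose build string differs from required_build, including any
    whose banner could not be parsed, so that nothing is silently skipped."""
    return sorted(p for p, info in report.items()
                  if info is None or info["build"] != required_build)


if __name__ == "__main__":
    import sys
    # Assumed default install root; pass the real one as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/IBM/InfoSphereOptim"
    required = sys.argv[2] if len(sys.argv) > 2 else None
    report = inventory(root)
    for path, info in report.items():
        print(path, info)
    if required:
        print("not at required build:", stale_runtimes(report, required))
```

Run it once before patching to record the current builds and once after applying the iFix to each component; any path still listed as stale is a component whose bundled runtime the fix did not reach (typically one installed under a different Installation Manager instance, which the notes above warn about).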

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK Security Bulletin

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

16 June 2017: Original version published

*The CVSS Environmental Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
