ESB-2018.0214 - [Win][Linux][Solaris][AIX] IBM Content Manager Enterprise Edition: Multiple vulnerabilities 2018-01-22

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0214
          Security Bulletin: Multiple vulnerabilities in IBM Java
             Runtime affect Content Manager Enterprise Edition
                              22 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Content Manager Enterprise Edition
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10357 CVE-2017-10356 CVE-2017-10355
                   CVE-2017-10348 CVE-2017-10345 CVE-2017-10281

Reference:         ESB-2017.2806
                   ESB-2017.3001

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22012452

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content
Manager Enterprise Edition

Document information

More support for: Content Manager Enterprise Edition

Software version: 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5, 8.5.0.6

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 2012452

Modified date: 19 January 2018

Security Bulletin

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Versions 7
& 8 used by Content Manager Enterprise Edition. These issues were disclosed as
part of the IBM Java SDK updates in Oct 2017.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this 
product, you should evaluate your code to determine whether the complete list
of vulnerabilities are applicable to your code. For a complete list of 
vulnerabilities, refer to the IBM Java SDK Security Bulletin, located in the 
References section for more information.

CVEID: CVE-2017-10345

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded, JRockit Serialization component could allow an 
unauthenticated attacker to cause a denial of service resulting in a low 
availability impact using unknown attack vectors.

CVSS Base Score: 3.1

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133774 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10281

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded, JRockit Serialization component could allow an 
unauthenticated attacker to cause a denial of service resulting in a low 
availability impact using unknown attack vectors.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133720 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10348

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded Libraries component could allow an unauthenticated 
attacker to cause a denial of service resulting in a low availability impact 
using unknown attack vectors.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133777 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10357

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded Serialization component could allow an 
unauthenticated attacker to cause a denial of service resulting in a low 
availability impact using unknown attack vectors.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133786 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10355

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded, JRockit Networking component could allow an 
unauthenticated attacker to cause a denial of service resulting in a low 
availability impact using unknown attack vectors.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10356

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the 
Java SE, Java SE Embedded, JRockit Security component could allow an 
unauthenticated attacker to obtain sensitive information resulting in a high 
confidentiality impact using unknown attack vectors.

CVSS Base Score: 6.2

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Content Manager Enterprise Edition v8.5.0 - v8.5.0.6

Content Manager Enterprise Edition v8.4.3

Remediation/Fixes

Product VRMF APAR Remediation/First Fix

Content Manager Enterprise Edition v8.5.0 - v8.5.0.6 None Fix available on 
request as part of 8.5 Fix Pack 6 Testfix8. Please contact IBM Support for the
fix.

v8.4.3 None See Workaround and Mitigations section

Workarounds and Mitigations

For Content Manager Enterprise Edition v8.4.3, upgrade to 8.5 fix pack 6 and 
apply the fix.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK security bulletin

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

19th January 2018: Original version published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmUlbYx+lLeg9Ub1AQh32RAArhYYvIhJTqk+RW73AzCRVatOWxs+OAf2
IKUvXMe3pct8Dn49IvU/19RPu5TGgEXq93BQXrFjxa2u5wTqfFZo8xgje8XvG2NJ
MroiMWtaKdLLiwxk/wo6mNeAFpqJoCPOa10cDO6tpXV+N5o24sbNW1RO9H27Jkgx
R6q6H6S9TLxA/vHorg33ndXQUCHj0T6RWyHMjaHER5oSDiU9xqu1XggaeDqWsfkR
4sAXa1N6wrWUqu1o1jxjNOaLpZ9J0vI09Ya1nHpdi1vtBXJC2WwbaQMnteRRqpOp
t1CH8vhTbke+8vgZKWnsPKU4kqOVUEHkt6U9t3ok8N1EL+nog0o9RTsJ7Fjucerb
ft8gioGgjpPLXkrCD9mKIO3bEDcRJmwzAxyo5xoPmSPxEyVegNAr7Swhuh+cS5MI
hq8axD0fqZzj/4z46YJs3o55TspoNVcT3yX9Tp67JatqSYES/rHhwLBS9qp3aKEM
ep7HAb/DShK/K0dO3kilfFnGj4WnFqEHRkKUogYa6YmjFF53u2gIHDsIBYRz/Oh1
UObv+/4NlV5szdoQxcyJz+MyvILwXzu7BFy6lWCYjgZ5sYZh+kXkPyXEDMxJqmCl
BJ/BlG2PpDfkdNMNIPH1iz95M3I2HYnvtdQyxiLPvJWs9pTBjeep+vDu35r396tM
AOa1kXbGWJc=
=dgrC
-----END PGP SIGNATURE-----

« Back to bulletins