ESB-2018.3482 - [Win][UNIX/Linux] IBM Java SDK: Multiple vulnerabilities 2018-11-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3482
                      IBM Java gets October CPU fixes
                              7 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Java SDK
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13785 CVE-2018-3214 CVE-2018-3183
                   CVE-2018-3180 CVE-2018-3169 CVE-2018-3149
                   CVE-2018-3139 CVE-2018-3136 

Reference:         ASB-2018.0256
                   ESB-2018.3164

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10735551

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java
Technology Edition

Document information
Software version: All Versions
Operating system(s): Platform Independent
Reference #: 0735551
Modified date: 06 November 2018

Summary

Java SE issues disclosed in the Oracle October 2018 Critical Patch Update

Vulnerability Details

CVE IDs: CVE-2018-3183 CVE-2018-3169 CVE-2018-3149 CVE-2018-3180 CVE-2018-3214
CVE-2018-13785 CVE-2018-3136 CVE-2018-3139

DESCRIPTION: This bulletin covers all applicable Java SE CVEs published by
Oracle as part of their October 2018 Critical Patch Update. For more
information please refer to Oracle's October 2018 CPU Advisory and the X-Force
database entries referenced below.

CVEID: CVE-2018-3183
DESCRIPTION: An unspecified vulnerability related to the Java SE Scripting
component could allow an unauthenticated attacker to take control of the
system.
CVSS Base Score: 9.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151500 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3169
DESCRIPTION: An unspecified vulnerability related to the Java SE VM component
could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3149
DESCRIPTION: An unspecified vulnerability related to the Java SE JNDI component
could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151465 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component
could allow an unauthenticated attacker to cause a low confidentiality,
integrity and availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3214
DESCRIPTION: An unspecified vulnerability related to the Java SE Sound
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151530 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-13785
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a wrong
calculation of row_factor in the png_check_chunk_length function in pngrutil.c.
By persuading a victim to open a specially crafted PNG file, a remote attacker
could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146015 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-3136
DESCRIPTION: An unspecified vulnerability related to the Java SE Security
component could allow an unauthenticated attacker to cause a low integrity
impact, with no confidentiality or availability impact.
CVSS Base Score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151452 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)

CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151455 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 70 and
earlier releases
IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 70 and
earlier releases
IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 30 and
earlier releases
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 30 and
earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 22 and
earlier releases

For detailed information on which CVEs affect which releases, please refer to
the IBM SDK, Java Technology Edition Security Vulnerabilities page.

Remediation/Fixes

Fixes for applicable vulnerabilities are included in the following IBM SDK,
Java Technology Edition releases and subsequent releases:

Version 6 Service Refresh 16 Fix Pack 75 (where embedded with supported IBM
products)
Version 6R1 Service Refresh 8 Fix Pack 75 (where embedded with supported IBM
products)
Version 7 Service Refresh 10 Fix Pack 35
Version 7R1 Service Refresh 4 Fix Pack 35
Version 8 Service Refresh 5 Fix Pack 25

IBM SDK, Java Technology Edition releases can be downloaded, subject to the
terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should
contact IBM support, and/or refer to the appropriate product security bulletin.
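Deciding whether a host is at a fixed level means reading the Service Refresh and Fix Pack out of `java -version` and comparing them, service refresh first, with the levels above. The script below is an added example written for this bulletin, not IBM code. It assumes the IBM SDK prints its level as "(SRn FPm)" inside the runtime build string and that the J9 VM level on the third line (2.4, 2.6 or 2.7) is what separates Version 6 from 6R1 and Version 7 from 7R1; the version strings embedded in it are constructed to that layout rather than captured from real hosts, so check the layout against your own `java -version` output before trusting the verdict.

```python
"""Compare an installed IBM SDK, Java Technology Edition level against
the fixed levels in IBM bulletin 0735551 by parsing `java -version`."""
import re
import subprocess

# Minimum fixed (Service Refresh, Fix Pack) per release, taken from the
# bulletin's Remediation/Fixes section.
FIXED = {
    "6": (16, 75),
    "6R1": (8, 75),
    "7": (10, 35),
    "7R1": (4, 35),
    "8": (5, 25),
}

# Assumed mapping from Java major version plus J9 VM level to IBM's release
# name; 6 vs 6R1 and 7 vs 7R1 differ only in the J9 VM they ship.
_RELEASE_BY_J9 = {
    ("1.6", "2.4"): "6",
    ("1.6", "2.6"): "6R1",
    ("1.7", "2.6"): "7",
    ("1.7", "2.7"): "7R1",
}

_JAVA_VERSION_RE = re.compile(r'java version "(1\.[678])\.')
_SRFP_RE = re.compile(r"\(SR(\d+)\s*FP(\d+)\)")
_J9_RE = re.compile(r"IBM J9 VM \(build (\d+\.\d+)")


def parse_ibm_version(text):
    """Return (release, service_refresh, fix_pack) from `java -version`
    output, or None when it is not a recognisable IBM SDK string."""
    m_ver = _JAVA_VERSION_RE.search(text)
    m_srfp = _SRFP_RE.search(text)
    m_j9 = _J9_RE.search(text)
    if not (m_ver and m_srfp and m_j9):
        return None
    major = m_ver.group(1)
    release = "8" if major == "1.8" else _RELEASE_BY_J9.get((major, m_j9.group(1)))
    if release is None:
        return None
    return release, int(m_srfp.group(1)), int(m_srfp.group(2))


def is_fixed(release, sr, fp):
    """True when SR/FP is at or above the fixed level. Tuple comparison
    orders by service refresh first, so SR6 FP0 counts as later than SR5 FP25."""
    return (sr, fp) >= FIXED[release]


def assess(text):
    """One-line verdict for a `java -version` dump."""
    parsed = parse_ibm_version(text)
    if parsed is None:
        return "not an IBM SDK, or unrecognised version output"
    release, sr, fp = parsed
    need_sr, need_fp = FIXED[release]
    state = "fixed" if is_fixed(release, sr, fp) else "VULNERABLE"
    return f"IBM Java {release} SR{sr} FP{fp}: {state} (fixed at SR{need_sr} FP{need_fp})"


# Constructed sample outputs in the assumed IBM layout (not captured from
# real hosts; the build tokens and dates are illustrative).
SAMPLE_8_SR5_FP22 = (
    'java version "1.8.0_181"\n'
    "Java(TM) SE Runtime Environment (build 8.0.5.22 - pxa6480sr5fp22-20180919_01(SR5 FP22))\n"
    "IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20180919_397717 (JIT enabled, AOT enabled)\n"
)
SAMPLE_8_SR5_FP25 = (SAMPLE_8_SR5_FP22.replace("sr5fp22", "sr5fp25")
                     .replace("SR5 FP22", "SR5 FP25").replace("8.0.5.22", "8.0.5.25"))
SAMPLE_7R1_SR4_FP30 = (
    'java version "1.7.0"\n'
    "Java(TM) SE Runtime Environment (build 7.1.4.30 - pxa6470_27sr4fp30-20180903_01(SR4 FP30))\n"
    "IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20180903_395689 (JIT enabled, AOT enabled)\n"
)
SAMPLE_OPENJDK = (
    'openjdk version "1.8.0_181"\n'
    "OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-1~deb9u1-b13)\n"
    "OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)\n"
)

if __name__ == "__main__":
    # `java -version` writes to stderr, so capture both streams.
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print(assess(proc.stdout + proc.stderr))
    except FileNotFoundError:
        print("java not found on PATH")
```

Run it with the java binary you actually want to assess first on PATH; a host often carries several JREs (product-embedded copies in particular), and for those the bulletin says to go through the owning product's security bulletin rather than the standalone SDK download. A non-IBM runtime is reported as unrecognised rather than as fixed, so the script never gives a false "fixed" for an OpenJDK or Oracle install that this bulletin does not cover.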

APAR numbers are as follows:

IJ10930 (CVE-2018-3183)
IJ10931 (CVE-2018-3169)
IJ10932 (CVE-2018-3149)
IJ10894 (CVE-2018-3180)
IJ10933 (CVE-2018-3214)
IJ10934 (CVE-2018-13785)
IJ10935 (CVE-2018-3136)
IJ10895 (CVE-2018-3139)

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Change History

November 6 2018: Original Version Published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
