ESB-2018.3852.2 - UPDATE [Win][Linux][Solaris][AIX] IBM Security Directory Server: Multiple vulnerabilities - 2019-01-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3852.2
                       ISDS receives Java SDK update
                              14 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Directory Server
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2800 CVE-2018-2794 CVE-2018-2783
                   CVE-2018-2634 CVE-2018-2633 CVE-2018-2603
                   CVE-2018-2602 CVE-2018-2579 CVE-2017-10388
                   CVE-2017-10357 CVE-2017-10356 CVE-2017-10355
                   CVE-2017-10350 CVE-2017-10349 CVE-2017-10348
                   CVE-2017-10347 CVE-2017-10346 CVE-2017-10345
                   CVE-2017-10309 CVE-2017-10295 CVE-2017-10293
                   CVE-2017-10285 CVE-2017-10281 CVE-2017-10274
                   CVE-2017-10243 CVE-2017-10198 CVE-2017-10193
                   CVE-2017-10176 CVE-2017-10135 CVE-2017-10125
                   CVE-2017-10118 CVE-2017-10116 CVE-2017-10115
                   CVE-2017-10111 CVE-2017-10110 CVE-2017-10109
                   CVE-2017-10108 CVE-2017-10107 CVE-2017-10105
                   CVE-2017-10102 CVE-2017-10101 CVE-2017-10096
                   CVE-2017-10090 CVE-2017-10089 CVE-2017-10087
                   CVE-2017-10081 CVE-2017-10078 CVE-2017-10074
                   CVE-2017-10067 CVE-2017-10053 CVE-2017-1376
                   CVE-2016-10165 CVE-2016-9843 CVE-2016-9842
                   CVE-2016-9841 CVE-2016-9840 CVE-2016-5549
                   CVE-2016-5548 CVE-2016-5547 CVE-2016-5546
                   CVE-2016-2183  

Reference:         ASB-2017.0028
                   ESB-2017.2842
                   ESB-2017.1333
                   ESB-2017.0607
                   ESB-2017.0409
                   ESB-2017.0391
                   ESB-2016.2990
                   ESB-2016.2238

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10718843

Revision History:  January  14 2019: Update Software Versions
                   December 13 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security
Directory Server

Workarounds and Mitigations

None

More support for: IBM Security Directory Server

Software version: 6.3, 6.3.1, 6.4

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 0718843

Modified date: 11 January 2019

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018

Summary

There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Version 6 and Version 8 used by IBM Security Directory Server (SDS). These
issues were disclosed as part of the IBM Java SDK updates in July 2018, April
2018, January 2018, October 2017, July 2017, and January 2017.

Vulnerability Details

July 2018

CVEID:  CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment's Diagnostic Tooling Framework
for Java (DTFJ) does not protect against path traversal attacks when extracting
compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:  CVE-2018-2973
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to
cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:  CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by a failure to restrict the Java Attach API
(connecting to an Eclipse OpenJ9 or IBM JVM on the same machine and invoking
Attach API operations) to the process owner. An attacker could exploit this
vulnerability to execute untrusted native code and gain elevated privileges on
the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

April 2018

CVEID:  CVE-2018-2800
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit RMI component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:  CVE-2018-2783
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to cause high confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:  CVE-2018-2794
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Security component could allow an unauthenticated attacker to take
control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141950 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

January 2018

CVEID:  CVE-2018-2579
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to obtain sensitive information resulting in a low
confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2018-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded I18n component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and low availability
impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:  CVE-2018-2603
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2018-2634
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:  CVE-2018-2633
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

October 2017

CVEID:  CVE-2017-10345
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10295
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Networking component could allow an
unauthenticated attacker to cause no confidentiality impact, low integrity
impact, and no availability impact.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133729 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N)

CVEID:  CVE-2017-10281
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133720 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10350
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAX-WS component could allow an unauthenticated attacker
to cause a denial of service resulting in a low availability impact using
unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133779 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10347
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Serialization component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133776 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10349
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10348
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133777 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10357
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Serialization component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133786 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10355
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Networking component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-9841
DESCRIPTION: zlib is vulnerable to a denial of service, caused by out-of-bounds
pointer arithmetic in inftrees.c. By persuading a victim to open a specially
crafted document, a remote attacker could exploit this vulnerability to cause a
denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10293
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Javadoc component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133727 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2017-10356
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2017-10274
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Smart Card IO component could allow an unauthenticated attacker to cause
high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133714 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVEID:  CVE-2017-10309
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID:  CVE-2017-10388
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133813 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:  CVE-2017-10285
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133723 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10346
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2016-9843
DESCRIPTION: zlib is vulnerable to a denial of service, caused by a big-endian
out-of-bounds pointer. By persuading a victim to open a specially crafted
document, a remote attacker could exploit this vulnerability to cause a denial
of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120511 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-9842
DESCRIPTION: zlib is vulnerable to a denial of service, caused by an undefined
left shift of a negative number. By persuading a victim to open a specially
crafted document, a remote attacker could exploit this vulnerability to cause a
denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-9840
DESCRIPTION: zlib is vulnerable to a denial of service, caused by out-of-bounds
pointer arithmetic in inftrees.c. By persuading a victim to open a specially
crafted document, a remote attacker could exploit this vulnerability to cause a
denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-10165
DESCRIPTION: Little CMS is vulnerable to a denial of service, caused by an
out-of-bounds read in the Type_MLU_Read function in cmstypes.c. By using a
specially crafted image, a remote attacker could exploit this vulnerability to
cause the application to crash or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

July 2017

CVEID:  CVE-2017-10198
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128937 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:  CVE-2017-10125
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10067
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Security component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128831 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:  CVE-2017-10115
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128876 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2017-10118
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128879 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2017-10176
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2017-10078
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Scripting component could allow an authenticated attacker to cause high
confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128840 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID:  CVE-2017-10074
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128837 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10090
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10096
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128858 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10101
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10116
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10102
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10087
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10089
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE ImageIO component could allow an unauthenticated attacker to take control of
the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10107
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10110
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE AWT component could allow an unauthenticated attacker to take control of the
system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-10111
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-1376
DESCRIPTION: A flaw in the IBM J9 VM class verifier allows untrusted code to
disable the security manager and elevate its privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126873 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2017-10193
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Security component could allow an unauthenticated attacker
to obtain sensitive information resulting in a low confidentiality impact using
unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128934 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:  CVE-2017-10081
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to cause no confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128843 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:  CVE-2017-10105
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to cause no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:  CVE-2017-10053
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit 2D component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128822 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10108
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10109
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2017-10135
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128894 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2017-10243
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JAX-WS component could allow an unauthenticated
attacker to cause a low confidentiality impact, no integrity impact, and a low
availability impact.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128980 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

January 2017

CVEID:  CVE-2016-5546
DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Java SE Embedded
and JRockit related to the Libraries component has no confidentiality impact,
a high integrity impact, and no availability impact.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:  CVE-2016-5548
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component could allow a remote attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:  CVE-2016-5549
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component could allow a remote attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:  CVE-2016-5547
DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Java SE Embedded
and JRockit related to the Libraries component could allow a remote attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between the
SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is known as
the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+-----------------------------+----------------+-----------------+
|Product                      |Product Version |Java Version     |
+-----------------------------+----------------+-----------------+
|IBM Tivoli Directory Server  |6.3 - 6.3.0.48  |6.0.16.64 & below|
+-----------------------------+----------------+-----------------+
|IBM Security Directory Server|6.3.1 - 6.3.1.23|6.0.16.64 & below|
+-----------------------------+----------------+-----------------+
|IBM Security Directory Server|6.4 - 6.4.0.16  |8.0.5.15 & below |
+-----------------------------+----------------+-----------------+

Remediation/Fixes

+-----------------------------+----------------+-------------------------+
|Product                      |VRMF            |Remediation              |
+-----------------------------+----------------+-------------------------+
|IBM Tivoli Directory Server  |6.3 - 6.3.0.48  |6.3.0.49-ISS-ITDS-IF0049 |
+-----------------------------+----------------+-------------------------+
|IBM Security Directory Server|6.3.1 - 6.3.1.23|6.3.1.24-ISS-ISDS-IF0024 |
+-----------------------------+----------------+-------------------------+
|IBM Security Directory Server|6.4 - 6.4.0.16  |6.4.0.17-ISS-ISDS-IF0017 |
+-----------------------------+----------------+-------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----