Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3852.2
ISDS receives Java SDK update
14 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Directory Server
Publisher: IBM
Operating System: AIX
Linux variants
Solaris
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Create Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-2800 CVE-2018-2794 CVE-2018-2783
CVE-2018-2634 CVE-2018-2633 CVE-2018-2603
CVE-2018-2602 CVE-2018-2579 CVE-2017-10388
CVE-2017-10357 CVE-2017-10356 CVE-2017-10355
CVE-2017-10350 CVE-2017-10349 CVE-2017-10348
CVE-2017-10347 CVE-2017-10346 CVE-2017-10345
CVE-2017-10309 CVE-2017-10295 CVE-2017-10293
CVE-2017-10285 CVE-2017-10281 CVE-2017-10274
CVE-2017-10243 CVE-2017-10198 CVE-2017-10193
CVE-2017-10176 CVE-2017-10135 CVE-2017-10125
CVE-2017-10118 CVE-2017-10116 CVE-2017-10115
CVE-2017-10111 CVE-2017-10110 CVE-2017-10109
CVE-2017-10108 CVE-2017-10107 CVE-2017-10105
CVE-2017-10102 CVE-2017-10101 CVE-2017-10096
CVE-2017-10090 CVE-2017-10089 CVE-2017-10087
CVE-2017-10081 CVE-2017-10078 CVE-2017-10074
CVE-2017-10067 CVE-2017-10053 CVE-2017-1376
CVE-2016-10165 CVE-2016-9843 CVE-2016-9842
CVE-2016-9841 CVE-2016-9840 CVE-2016-5549
CVE-2016-5548 CVE-2016-5547 CVE-2016-5546
CVE-2016-2183
Reference: ASB-2017.0028
ESB-2017.2842
ESB-2017.1333
ESB-2017.0607
ESB-2017.0409
ESB-2017.0391
ESB-2016.2990
ESB-2016.2238
Original Bulletin:
https://www.ibm.com/support/docview.wss?uid=ibm10718843
Revision History: January 14 2019: Update Software Versions
December 13 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security
Directory Server
Workarounds and Mitigations
None
More support for: IBM Security Directory Server
Software version: 6.3, 6.3.1, 6.4
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 0718843
Modified date: 11 January 2019
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
25 September 2018
Summary
There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Version 6 and Version 8 used by IBM Security Directory Server (SDS). These
issues were disclosed as part of the IBM Java SDK updates in July 2018, April
2018, January 2018, October 2017, July 2017, and January 2017.
Vulnerability Details
July 2018
CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment''s Diagnostic Tooling Framework
for Java (DTFJ) does not protect against path traversal attacks when extracting
compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2018-2973
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to
cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by the failure to restrict the use of Java
Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and
use Attach API operations to only the process owner. An attacker could exploit
this vulnerability to execute untrusted native code and gain elevated
privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
April 2018
CVEID: CVE-2018-2800
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit RMI component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID: CVE-2018-2783
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to cause high confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-2794
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Security component could allow an unauthenticated attacker to take
control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141950 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
January 2018
CVEID: CVE-2018-2579
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to obtain sensitive information resulting in a low
confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded I18n component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and low availability
impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-2603
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-2634
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2018-2633
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
October 2017
CVEID: CVE-2017-10345
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10295
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Networking component could allow an
unauthenticated attacker to cause no confidentiality impact, low integrity
impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133729 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N)
CVEID: CVE-2017-10281
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133720 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10350
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAX-WS component could allow an unauthenticated attacker
to cause a denial of service resulting in a low availability impact using
unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133779 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10347
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Serialization component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133776 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10349
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10348
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133777 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10357
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Serialization component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133786 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10355
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Networking component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133784 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-9841
DESCRIPTION: zlib is vulnerable to a denial of service, caused by an
out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open
a specially crafted document, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10293
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Javadoc component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133727 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-10356
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10274
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Smart Card IO component could allow an unauthenticated attacker to cause
high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133714 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
CVEID: CVE-2017-10309
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
CVEID: CVE-2017-10388
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133813 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-10285
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133723 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10346
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-9843
DESCRIPTION: zlib is vulnerable to a denial of service, caused by a big-endian
out-of-bounds pointer. By persuading a victim to open a specially crafted
document, a remote attacker could exploit this vulnerability to cause a denial
of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120511 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-9842
DESCRIPTION: zlib is vulnerable to a denial of service, caused by an undefined
left shift of negative number. By persuading a victim to open a specially
crafted document, a remote attacker could exploit this vulnerability to cause a
denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-9840
DESCRIPTION: zlib is vulnerable to a denial of service, caused by an
out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open
a specially crafted document, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-10165
DESCRIPTION: Little CMS is vulnerable to a denial of service, caused by an
out-of-bounds read in Type_MLU_Read function in cmstypes.c. By using a
specially-crafted image, a remote attacker could exploit this vulnerability to
cause the application to crash or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
127028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
July 2017
CVEID: CVE-2017-10198
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128937 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2017-10125
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10067
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Security component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128831 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-10115
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128876 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10118
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128879 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10176
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10078
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Scripting component could allow an authenticated attacker to cause high
confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128840 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2017-10074
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128837 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10090
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10096
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128858 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10101
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JAXP component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10116
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10102
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10087
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10089
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE ImageIO component could allow an unauthenticated attacker to take control of
the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10107
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded RMI component could allow an unauthenticated attacker to
take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10110
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE AWT component could allow an unauthenticated attacker to take control of the
system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-10111
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2017-1376
DESCRIPTION: A flaw in the IBM J9 VM class verifier allows untrusted code to
disable the security manager and elevate its privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
126873 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-10193
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Security component could allow an unauthenticated attacker
to obtain sensitive information resulting in a low confidentiality impact using
unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128934 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2017-10081
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to cause no confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128843 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-10105
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to cause no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-10053
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit 2D component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128822 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10108
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10109
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Serialization component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-10135
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128894 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10243
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JAX-WS component could allow an unauthenticated
attacker to cause low confidentiality impact, no integrity impact, and low
availability impact.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128980 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
January 2017
CVEID: CVE-2016-5546
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded
and Jrockit related to the Libraries component has no confidentiality impact,
high integrity impact, and no availability impact.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2016-5548
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component could allow a remote attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2016-5549
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component could allow a remote attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2016-5547
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded
and Jrockit related to the Libraries component could allow a remote attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between the
SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is known as
the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+-----------------------------+----------------+-----------------+
|Product |Product Version |Java Version |
+-----------------------------+----------------+-----------------+
|IBM Tivoli Directory Server |6.3 - 6.3.0.48 |6.0.16.64 & below|
+-----------------------------+----------------+-----------------+
|IBM Security Directory Server|6.3.1 - 6.3.1.23|6.0.16.64 & below|
+-----------------------------+----------------+-----------------+
|IBM Security Directory Server|6.4 - 6.4.0.16 |8.0.5.15 & below |
+-----------------------------+----------------+-----------------+
Remediation/Fixes
+-----------------------------+----------------+-------------------------+
|Product |VRMF |Remediation |
+-----------------------------+----------------+-------------------------+
|IBM Tivoli Directory Server |6.3 - 6.3.0.48 |6.3.0.49-ISS-ITDS-IF0049 |
+-----------------------------+----------------+-------------------------+
|IBM Security Directory Server|6.3.1 - 6.3.1.23|6.3.1.24-ISS-ISDS-IF0024 |
+-----------------------------+----------------+-------------------------+
|IBM Security Directory Server|6.4 - 6.4.0.16 |6.4.0.17-ISS-ISDS-IF0017 |
+-----------------------------+----------------+-------------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXDwPMmaOgq3Tt24GAQj7jQ//fQF2o1D3sXUEn+kvMX832/Of2DaXuXhb
quGlxZ1kjIFCfYlnlFBuVT6k/MLqzzY3KZoykf/xxTCggXDUqKYKruDQhvI5Biax
kay65ApBJU0gYdB1NgjIckw9lR71lHb1JKIYVR2OyY3MwkVgdzscrFXretwESyxY
AghNjRieZBqMJyJrqb76/RyNFm7MuRBpmsA6kK3HV/d+nEmqnl6/MssMVeddfMvH
picTs5c1sBPZAJT2Pg+Bpr8JxBiAtf0OUKBUzZs9hB29Y5ISl2qI8QmSrAhrrU2z
mRojPhU0lLTdlthrdD12wtrl/ee3jqznMoyOfZBmMZ1mnwtn1LBhLMw6f/a+7A1k
S3DEWm4yJ4BTTst+A0xYG++IETnZLPcy+xLpJ4E2ZkS5FgZAIvGpiOcN+R/f9QZ8
k3vU5/RgOKQdgSFW/gTPZOOaKH+nTGoTimqmDeKOPy1mjgfIQdZDikFLLAKjyWM5
V5lGuKiWbqF7FeKn2l23ioWZ2wB/3i0OK08Y22Dkri6yp/xdQu5/MueEzLww6zfV
azDnzBqtsWs/qtIu32nWalmfiBlNxo56n3dAZOc89QLU5c2G0MFb500AePV6WNhQ
4RkoyJLsa+j7MsjuJCKo2grVWsFPhTRlkduJ07ARzmRqeVEclMNbB4OeM3Iud2jC
aer8eY9ZfXs=
=u4ug
-----END PGP SIGNATURE-----