Operating System:

[Linux]

Published:

05 August 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2919
   Multiple vulnerabilities may affect IBM SDK, Java Technology Edition
                               5 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Java
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Increased Privileges            -- Existing Account      
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11775 CVE-2019-11772 CVE-2019-11771
                   CVE-2019-7317 CVE-2019-4473 CVE-2019-2816
                   CVE-2019-2786 CVE-2019-2769 CVE-2019-2766
                   CVE-2019-2762  

Reference:         ASB-2019.0212
                   ESB-2019.2898
                   ESB-2019.2879
                   ESB-2019.2874.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10960422

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

Product:             IBM Java
Software version:    All Versions
Operating system(s): Platform Independent
Reference #:         0960422

Security Bulletin

Summary

Java SE issues disclosed in the Oracle July 2019 Critical Patch Update, plus
four additional vulnerabilities

Vulnerability Details

VULNERABILITY DETAILS:

CVE IDs: CVE-2019-7317 CVE-2019-2769 CVE-2019-2762 CVE-2019-2816 CVE-2019-2786
CVE-2019-2766 CVE-2019-11772 CVE-2019-11775 CVE-2019-4473 CVE-2019-11771

DESCRIPTION: This bulletin covers all applicable Java SE CVEs published by
Oracle as part of their July 2019 Critical Patch Update, plus four additional
vulnerabilities. For more information please refer to Oracle's July 2019 CPU
Advisory and the X-Force database entries referenced below.

CVEID: CVE-2019-7317
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a
use-after-free in png_image_free in png.c. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
156548 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2769
DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2762
DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163826 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2816
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2019-2786
DESCRIPTION: An unspecified vulnerability related to the Java SE Security
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)

CVEID: CVE-2019-2766
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-11772
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by an out-of-bounds write in the
String.getBytes method. An attacker could exploit this vulnerability to corrupt
memory and write to any 32-bit address or beyond the end of a byte array within
Java code run under a SecurityManager.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11775
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by an error where the loop versioner fails to
privatize a value that is pulled out of the loop by versioning. An attacker
could exploit this vulnerability to corrupt memory and trigger an
out-of-array-bounds and perform invalid actions.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
164479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4473
DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX
platform use insecure absolute RPATHs, which may facilitate code injection and
privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11771
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by the inclusion of unused RPATHS in AIX
builds. An attacker could exploit this vulnerability to inject code and gain
elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
163989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 45 and
earlier releases
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 45 and
earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 37 and
earlier releases

For detailed information on which CVEs affect which releases, please refer to
the IBM SDK, Java Technology Edition Security Vulnerabilities page.

Remediation/Fixes

Fixes for applicable vulnerabilities are included in IBM SDK, Java Technology
Edition, Version 7 Service Refresh 10 Fix Pack 50 and subsequent releases
Fixes for applicable vulnerabilities are included in IBM SDK, Java Technology
Edition, Version 7R1 Service Refresh 4 Fix Pack 50 and subsequent releases
Fixes for applicable vulnerabilities are included in IBM SDK, Java Technology
Edition, Version 8 Service Refresh 5 Fix Pack 40 and subsequent releases
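
To tell whether a given host already carries these fixes, the Service Refresh
and Fix Pack level of the installed SDK has to be compared with the three fixed
levels just listed. The script below is an added example for this
redistribution, not IBM's or AusCERT's code. It reads the level from the
"build <major>.<minor>.<sr>.<fp>" token that the IBM JVM prints in its
`java -version` banner and compares it with the fix levels above. The banner
layout is assumed from IBM's usual output and the sample banners are
constructed for this example, so confirm the parser against a real install
before using it in fleet-wide checks.

```python
"""Check an IBM SDK, Java Technology Edition install against the fix levels above.

Added example, not part of the IBM/AusCERT bulletin. Reads the Service
Refresh / Fix Pack level from the "build <major>.<minor>.<sr>.<fp>" token in
IBM's `java -version` banner (layout assumed from IBM's usual output) and
compares it with the fixed levels from the Remediation/Fixes section.
"""
import re
import subprocess

# Fixed levels from the bulletin: release -> (Service Refresh, Fix Pack).
FIXED_LEVELS = {
    "7": (10, 50),
    "7R1": (4, 50),
    "8": (5, 40),
}

# Matches e.g. "build 8.0.5.37 - pxa6480sr5fp37-..." -> major 8, minor 0, SR 5, FP 37.
BUILD_RE = re.compile(r"build\s+(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_ibm_version(banner):
    """Return (release, (sr, fp)) from an IBM `java -version` banner, else None.

    release is "7", "7R1" or "8" to match the bulletin's naming; minor version
    1 on major 7 is taken to be the 7R1 stream (assumption about IBM numbering).
    """
    match = BUILD_RE.search(banner)
    if not match or "IBM" not in banner:
        return None
    major, minor, sr, fp = (int(x) for x in match.groups())
    release = "7R1" if (major, minor) == (7, 1) else str(major)
    return release, (sr, fp)


def assess(banner):
    """Classify a banner as 'fixed', 'affected', 'unknown-release' or 'not-ibm'."""
    parsed = parse_ibm_version(banner)
    if parsed is None:
        return "not-ibm"
    release, level = parsed
    if release not in FIXED_LEVELS:
        return "unknown-release"
    # Tuple comparison orders by SR first, then FP: SR5 FP37 < SR5 FP40 < SR6 FP0,
    # i.e. a later Service Refresh is assumed to carry the earlier fixes.
    return "fixed" if level >= FIXED_LEVELS[release] else "affected"


def assess_installed_java(java="java"):
    """Run `java -version` on this host and assess it (the banner goes to stderr)."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return assess(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real systems).
SAMPLE_AFFECTED = (
    'java version "1.8.0_211"\n'
    "Java(TM) SE Runtime Environment (build 8.0.5.37 - pxa6480sr5fp37-20190417_01(SR5 FP37))\n"
    "IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References ...)\n"
)
SAMPLE_FIXED = (
    'java version "1.8.0_221"\n'
    "Java(TM) SE Runtime Environment (build 8.0.5.40 - pxa6480sr5fp40-20190807_01(SR5 FP40))\n"
    "IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References ...)\n"
)
SAMPLE_7R1 = (
    'java version "1.7.0"\n'
    "Java(TM) SE Runtime Environment (build 7.1.4.45 - pxa6470_27sr4fp45-20190204_01(SR4 FP45))\n"
    "IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References ...)\n"
)
SAMPLE_OPENJDK = (
    'openjdk version "11.0.4" 2019-07-16\n'
    "OpenJDK Runtime Environment (build 11.0.4+11)\n"
    "OpenJDK 64-Bit Server VM (build 11.0.4+11, mixed mode)\n"
)

if __name__ == "__main__":
    for name, banner in [("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                         ("7R1", SAMPLE_7R1), ("openjdk", SAMPLE_OPENJDK)]:
        print(name, "->", assess(banner))
```

Note the "not-ibm" outcome: the bulletin's fix levels apply to IBM's SDK
builds, so an OpenJDK or other vendor's JVM on the same host must be assessed
against its own vendor's advisory, and SDKs embedded in IBM products are
covered by the product bulletin referred to in the next paragraph.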

IBM SDK, Java Technology Edition releases can be downloaded, subject to the
terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should
contact IBM support, and/or refer to the appropriate product security
bulletin.

APAR numbers are as follows:

IJ17990 (CVE-2019-7317)
IJ17991 (CVE-2019-2769)
IJ17992 (CVE-2019-2762)
IJ17993 (CVE-2019-2816)
IJ17994 (CVE-2019-2786)
IJ17995 (CVE-2019-2766)
IJ17984 (CVE-2019-11772)
IJ18003 (CVE-2019-11775)
IJ17983 (CVE-2019-4473)
IJ17982 (CVE-2019-11771)

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Oracle July 2019 Java SE Critical Patch Update Advisory
IBM SDK, Java Technology Edition Security Vulnerabilities

Change History

August 1 2019: Original Version Published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXUe602aOgq3Tt24GAQiEGw/8DmFDXFthwsf2tNUjk+UsskICIb0LW9nf
CibgwJ9zGanT4BdEii3/HvFQ1eNdHNK59T+69CzDdi5eDffM6OelDB8fcVEfoBRO
d53rFwZ4RFSBkwpPaOoVZ8MA742wxLdoJYc2Y/GTJO9vHaIyqt9jrqx6xObFhxSx
fnfMfD3lfSc/CXFTXwOjrxa58zy25mm668QWh2xVFNVhr/IoUU1kPp/anEzzhgQo
7Lf67zkEPNvX871ZO4hMYpaPMmwKninKXPGfdO8t4sz4MfpmtNPn9RwskrMfxHMT
LEUe4muy5Q/MAP8WpPQ/Cw7GnQWXfTeCXJVAfUaF7bWCvTpkipQJNmtl1e264iXO
i/GmyJogS6acm0ZXIuKoYpMraVY3perfhQ/ILDE/2ENnkKTKura93HGnH9RllXZh
LXx/xn2tTV67h35yHjUWd1nf+MFBcj71CEMqubkKKB77eAlYXMtdvHTvfpTevdYS
vQxlJRgRatPnwxE9Dull4WeuEkRY5kdOmivM2p7wLVueTCuxtc5MrgNcUc5/IFgb
PaoKOUpmdt7+eTsiNCEs8SFY0PgzgZKK+fJaICKwexclWJwVsts3kQC4soRZehp/
xRDAeQBk653xoYTDngJraQO6PVRvbzMk5U7qJaqVKmiiLkmzkRsEmWWIgYYHhKqm
hRqPsLs2PDs=
=coAg
-----END PGP SIGNATURE-----