-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1730.2
     Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects
      WebSphere Application Server April 2020 CPU that is bundled with
                  IBM WebSphere Application Server Patterns
                                18 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server Patterns
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2830 CVE-2020-2805 CVE-2020-2803 CVE-2020-2800
                   CVE-2020-2781 CVE-2020-2757 CVE-2020-2756 CVE-2020-2755
                   CVE-2020-2754 CVE-2020-2654 CVE-2019-2949

Reference:         ASB-2020.0076
                   ASB-2020.0028
                   ESB-2020.1644
                   ESB-2020.1468

Original Bulletin:
   https://www.ibm.com/support/pages/node/6209285

Revision History:  May 18 2020: Sending with new PGP key
                   May 15 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server
April 2020 CPU that is bundled with IBM WebSphere Application Server Patterns

Document Information

Product:             WebSphere Application Server Patterns
Operating system(s): AIX, Linux
Document number:     6209285
Modified date:       14 May 2020

Security Bulletin

Summary

There are multiple vulnerabilities in the IBM SDK Java Technology Edition that
is shipped with IBM WebSphere Application Server. These issues were disclosed
in the IBM Java SDK updates in April 2020.
Vulnerability Details

CVEID: CVE-2019-2949
DESCRIPTION: An unspecified vulnerability in Java SE related to the Kerberos
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a high confidentiality impact using unknown attack
vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/169254 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2020-2654
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/174601 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2805
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to take control
of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179703 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2803
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179701 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2830
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Concurrency component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179728 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2781
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
JSSE component could allow an unauthenticated attacker to cause a denial of
service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179681 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2800
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Lightweight HTTP Server component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base score: 4.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179698 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2020-2757
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179657 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2756
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179656 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2755
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179655 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2754
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/179654 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0
through 1.0.0.7 and 2.2.0.0 through 2.3.3.0.

Remediation/Fixes

Please see the IBM Java SDK Security Bulletin for WebSphere Application Server
to determine which WebSphere Application Server versions are affected and to
obtain the JDK fixes.

The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2004 can be used to apply the April
2020 SDK iFixes in a PureApplication or Cloud Pak System Environment.
Download and apply the interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2004.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================