-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2300
Security Vulnerabilities in IBM Java SDK April 2020 CPU affect multiple IBM
       Continuous Engineering products based on IBM Jazz Technology
                                6 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SDK Java Technology
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   AIX
                   HP-UX
                   Solaris
                   Mac OS
Impact/Access:     Root Compromise   -- Remote with User Interaction
                   Denial of Service -- Remote/Unauthenticated      
                   Reduced Security  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2830 CVE-2020-2805 CVE-2020-2803
                   CVE-2020-2800 CVE-2020-2781 CVE-2020-2757
                   CVE-2020-2756 CVE-2020-2755 CVE-2020-2754
                   CVE-2020-2654 CVE-2019-2949 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6243888

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin


Summary

There are multiple vulnerabilities in IBM(R) SDK Java Technology Edition from
April 2020 CPU and the CVE-2019-2949 (deferred from Oracle Oct 2019 CPU) that
are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server
based Applications: Engineering Lifecycle Management (ELM), IBM Engineering
Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle
Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management
(EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM
Engineering Systems Design Rhapsody - Model Manager (RMM). These issues were
disclosed as part of the IBM Java SDK updates in April 2020.

Vulnerability Details

CVEID:   CVE-2020-2805
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to take control of
the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:   CVE-2020-2803
DESCRIPTION:   An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:   CVE-2020-2830
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Concurrency component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-2781
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
JSSE component could allow an unauthenticated attacker to cause a denial of
service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-2800
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Lightweight HTTP Server component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2020-2757
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-2756
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-2755
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-2754
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Rhapsody DM         |6.0.6     |
+--------------------+----------+
|Rhapsody DM         |6.0.6.1   |
+--------------------+----------+
|Rhapsody DM         |6.0.2     |
+--------------------+----------+
|RDM                 |7.0       |
+--------------------+----------+
|RPE                 |2.1.0     |
+--------------------+----------+
|RPE                 |2.1.2     |
+--------------------+----------+
|RPE                 |6.0.6     |
+--------------------+----------+
|RPE                 |6.0.6.1   |
+--------------------+----------+
|PUB                 |7.0       |
+--------------------+----------+
|RPE                 |2.1.1     |
+--------------------+----------+
|CLM                 |6.0.6.1   |
+--------------------+----------+
|CLM                 |6.0.6     |
+--------------------+----------+
|CLM                 |6.0.2     |
+--------------------+----------+
|ELM                 |7.0       |
+--------------------+----------+
|RELM                |6.0.6.1   |
+--------------------+----------+
|RELM                |6.0.6     |
+--------------------+----------+
|RELM                |6.0.2     |
+--------------------+----------+
|ENI                 |7.0       |
+--------------------+----------+


Remediation/Fixes

 1. If your product is deployed on WebSphere Application Server (WAS) and your
    deployment does not use an Eclipse-based client or the RM Browser plugin,
    then it is sufficient to continue using the existing version of your IBM
    Continuous Engineering product and only upgrade the JRE in the WAS server.
 2. For the below remediations, if you have a WAS deployment, then WAS must
    also be remediated, in addition to performing your product upgrades. Follow
    instructions at Security Bulletin: Multiple Vulnerabilities in IBM(R) Java
    SDK affect WebSphere Application Server April 2020 CPU plus deferred
    CVE-2019-2949 and CVE-2020-2654 to get the WAS remediation.
 3. If you are deploying the IBM Engineering products to a WAS Liberty or a
    Tomcat Server, you will need to follow the instructions below to upgrade
    the JRE, and then must also configure to complete the upgrade process:
      - How to update the IBM SDK for Java of IBM Engineering Lifecycle
        Management products based on version 6.0 or later of IBM's Jazz
        technology


STEPS TO APPLY THE REMEDIATION:

1. Optionally, upgrade your products to an Extended Maintenance Release
version (6.0.6 or 6.0.6.1), or upgrade to the latest 7.0 version.

2. Optionally, apply the latest iFix for your installed version.

3. Obtain the latest Java JRE CPU update for the IBM Java SDK using the
following information.

  o For all releases upgrade to: JRE 8.0.6.10 or above
      - Rational Collaborative Lifecycle Management 7.0
      - IBM Engineering Lifecycle Management 6.0.6.1
      - IBM Engineering Lifecycle Management 6.0.6
      - IBM Engineering Lifecycle Management 6.0.2

4. Upgrade your JRE following the instructions in the link below:
How to update the IBM SDK for Java of IBM Engineering Lifecycle Management
products based on version 6.0 or later of IBM's Jazz technology

5. Navigate to the server directory in your IBM Engineering product
installation path, and then to its jre/lib/security path.

6. Optionally, if you have not performed a licenses upgrade as described in the
link below, follow the instructions to complete the setup:

No IBM Rational trial, server, or client access licenses available after
upgrading Java and/or listed products
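After the JRE upgrade, a practitioner will want to confirm that every product
install actually runs a build at or above the JRE 8.0.6.10 minimum the steps
above name. The script below is an added example, not part of IBM's or
AusCERT's bulletin: it parses the banner printed by `java -version` and
compares the IBM SDK build level numerically. The layout of the "Runtime
Environment (build a.b.c.d - ...)" line, the sample banners, and the default
`server/jre/bin/java` path are assumptions made for illustration; check them
against your own installation.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum fixed level named in the bulletin: "JRE 8.0.6.10 or above".
MIN_FIXED_BUILD = (8, 0, 6, 10)

# Constructed sample outputs of `java -version` for an IBM SDK 8 install.
# The "build a.b.c.d - ..." layout of the Runtime Environment line is an
# assumption about IBM's banner format, not taken from the bulletin.
SAMPLE_UNPATCHED = """java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 8.0.6.5 - pxa6480sr6fp5-20200127_01(SR6 FP5))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200127_438200 (JIT enabled, AOT enabled)
"""
SAMPLE_PATCHED = """java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 8.0.6.10 - pxa6480sr6fp10-20200408_01(SR6 FP10))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200408_444614 (JIT enabled, AOT enabled)
"""

# Four dotted integers directly after "build " on the Runtime Environment line.
_BUILD_RE = re.compile(r"Runtime Environment \(build (\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_ibm_build(version_output: str) -> Optional[Tuple[int, ...]]:
    """Return the IBM SDK build level as a tuple of ints, or None when the
    banner has no such line (an OpenJDK banner, for instance, does not)."""
    m = _BUILD_RE.search(version_output)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def is_remediated(version_output: str,
                  minimum: Tuple[int, ...] = MIN_FIXED_BUILD) -> Optional[bool]:
    """True if the build is at or above the minimum, False if below, None if
    the version could not be parsed (treat None as 'review manually')."""
    build = parse_ibm_build(version_output)
    if build is None:
        return None
    # Tuple comparison is numeric per component, so 8.0.6.10 sorts above
    # 8.0.6.5; a plain string comparison would get that wrong.
    return build >= minimum


def check_java_binary(java_bin: str) -> Optional[bool]:
    """Run `<java_bin> -version` and classify the result. The banner goes to
    stderr, so both streams are captured. Point this at the JRE bundled under
    the product's server directory that the remediation steps refer to."""
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    return is_remediated(proc.stderr + proc.stdout)


if __name__ == "__main__":
    import sys
    # Assumed default location of the bundled JRE; override on the command line.
    java = sys.argv[1] if len(sys.argv) > 1 else "server/jre/bin/java"
    verdict = {True: "remediated (at or above 8.0.6.10)",
               False: "BELOW 8.0.6.10, JRE upgrade still required",
               None: "not an IBM SDK build string, review manually"}
    print(f"{java}: {verdict[check_java_binary(java)]}")
```

Run it once per product instance (and once against the WAS JRE where the
product is deployed on WebSphere), since the bulletin requires both to be
upgraded; a None result is the signal to inspect the install by hand rather
than to assume it is fixed.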


Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Also, note that product names have been modified recently:
https://jazz.net/blog/index.php/2019/04/23/renaming-the-ibm-continuous-engineering-portfolio/

Change History

03 Jul 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----