-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2300
   Security Vulnerabilities in IBM Java SDK April 2020 CPU affect multiple
     IBM Continuous Engineering products based on IBM Jazz Technology
                               6 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SDK Java Technology
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   AIX
                   HP-UX
                   Solaris
                   Mac OS
Impact/Access:     Root Compromise   -- Remote with User Interaction
                   Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2830 CVE-2020-2805 CVE-2020-2803 CVE-2020-2800
                   CVE-2020-2781 CVE-2020-2757 CVE-2020-2756 CVE-2020-2755
                   CVE-2020-2754 CVE-2020-2654 CVE-2019-2949

Original Bulletin:
   https://www.ibm.com/support/pages/node/6243888

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin

Summary

There are multiple vulnerabilities in IBM(R) SDK Java Technology Edition from the April 2020 CPU, plus CVE-2019-2949 (deferred from the Oracle October 2019 CPU). The affected SDK is used by IBM Jazz Team Server, so the following Jazz Team Server based applications are affected: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), and IBM Engineering Systems Design Rhapsody - Model Manager (RMM).

These issues were disclosed as part of the IBM Java SDK updates in April 2020.

Vulnerability Details

CVEID: CVE-2020-2805
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2803
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2830
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2781
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2800
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Lightweight HTTP Server component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2020-2757
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2756
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2755
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2754
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Rhapsody DM         |6.0.6     |
+--------------------+----------+
|Rhapsody DM         |6.0.6.1   |
+--------------------+----------+
|Rhapsody DM         |6.0.2     |
+--------------------+----------+
|RDM                 |7.0       |
+--------------------+----------+
|RPE                 |2.1.0     |
+--------------------+----------+
|RPE                 |2.1.2     |
+--------------------+----------+
|RPE                 |6.0.6     |
+--------------------+----------+
|RPE                 |6.0.6.1   |
+--------------------+----------+
|PUB                 |7.0       |
+--------------------+----------+
|RPE                 |2.1.1     |
+--------------------+----------+
|CLM                 |6.0.6.1   |
+--------------------+----------+
|CLM                 |6.0.6     |
+--------------------+----------+
|CLM                 |6.0.2     |
+--------------------+----------+
|ELM                 |7.0       |
+--------------------+----------+
|RELM                |6.0.6.1   |
+--------------------+----------+
|RELM                |6.0.6     |
+--------------------+----------+
|RELM                |6.0.2     |
+--------------------+----------+
|ENI                 |7.0       |
+--------------------+----------+

Remediation/Fixes

1. If your product is deployed on WebSphere Application Server (WAS) and your deployment uses neither an Eclipse based client nor the RM Browser plugin, it is sufficient to keep the existing version of your IBM Continuous Engineering product and upgrade only the JRE in the WAS server.

2. For the remediations below, if you have a WAS deployment, WAS must also be remediated in addition to performing your product upgrades. Follow the instructions in "Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affect WebSphere Application Server April 2020 CPU plus deferred CVE-2019-2949 and CVE-2020-2654" for the WAS remediation.

3. If you deploy the IBM Engineering products to WAS Liberty or to a Tomcat server, follow the steps below to upgrade the JRE, and then complete the configuration described in the following technote:
   o How to update the IBM SDK for Java of IBM Engineering Lifecycle Management products based on version 6.0 or later of IBM's Jazz technology

STEPS TO APPLY THE REMEDIATION:

1. Optionally, upgrade your products to an Extended Maintenance Release version (6.0.6 or 6.0.6.1), or to the latest 7.0 version.

2. Optionally, apply the latest iFix for your installed version.

3. Obtain the latest Java JRE CPU update for the IBM Java SDK using the following information.

   o For all releases upgrade to: JRE 8.0.6.10 or above
     - Rational Collaborative Lifecycle Management 7.0
     - IBM Engineering Lifecycle Management 6.0.6.1
     - IBM Engineering Lifecycle Management 6.0.6
     - IBM Engineering Lifecycle Management 6.0.2

4. Upgrade your JRE following the instructions in the link below:

   How to update the IBM SDK for Java of IBM Engineering Lifecycle Management products based on version 6.0 or later of IBM's Jazz technology

5. Navigate to the server directory in your IBM Engineering product installation path, and then to the jre/lib/security path.

6. Optionally, if you have not performed a licenses upgrade as described in the link below, follow its instructions to complete the setup:

   No IBM Rational trial, server, or client access licenses available after upgrading Java and/or listed products

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Note that the product names were changed recently; see:
https://jazz.net/blog/index.php/2019/04/23/renaming-the-ibm-continuous-engineering-portfolio/

Change History

03 Jul 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
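The remediation steps above set a single pass/fail criterion, "JRE 8.0.6.10 or above" under the server directory's jre path, but give no way to verify it on a host. The script below is an added example, not IBM tooling. It assumes the layout the steps describe (an `<install>/server/jre` directory) and the `java -version` output format of the IBM runtime, whose "Java(TM) SE Runtime Environment" line carries the service-release build as "build 8.0.6.10 - ...". The sample outputs embedded in it are constructed in that shape with made-up dates and build ids, not captured from a real host. It compares the build numerically component by component (a plain string comparison would rank 8.0.6.9 above 8.0.6.10) and fails closed when the runtime is not an IBM build at all.

```python
"""Check that an IBM SDK for Java 8 runtime is at or above the 8.0.6.10 build
the remediation steps call for.

Added example, not IBM tooling. It assumes the <install>/server/jre layout
the bulletin's steps describe and the IBM `java -version` format, whose
"Java(TM) SE Runtime Environment" line carries "build 8.0.6.10 - ...".
The sample outputs below are constructed in that shape (dates and build
ids are made up), not captured from a real host.
"""
import re
import subprocess
import sys
from pathlib import Path

MIN_BUILD = (8, 0, 6, 10)  # "JRE 8.0.6.10 or above" from the bulletin

# Only the IBM runtime prints a four-part build on this line; OpenJDK and
# Oracle builds print something like "build 1.8.0_252-b09" instead.
BUILD_RE = re.compile(r"Runtime Environment \(build (\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_ibm_build(version_output: str):
    """Return the IBM build as an int tuple (major, release, sr, fp),
    or None when the output does not look like an IBM runtime."""
    match = BUILD_RE.search(version_output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_output: str, minimum=MIN_BUILD) -> bool:
    """Component-wise numeric comparison, so 8.0.6.10 sorts above 8.0.6.9.
    An unrecognised runtime counts as not patched (fail closed)."""
    build = parse_ibm_build(version_output)
    return build is not None and build >= minimum


def check_jre(jre_dir: Path, minimum=MIN_BUILD) -> bool:
    """Run <jre_dir>/bin/java -version and evaluate it against `minimum`."""
    java = jre_dir / "bin" / "java"
    proc = subprocess.run([str(java), "-version"], capture_output=True, text=True)
    # JVMs print -version on stderr; read both streams to be safe.
    return is_patched(proc.stderr + proc.stdout, minimum)


# Constructed samples in the shape IBM Java 8 prints (ids/dates are made up).
SAMPLE_SR6_FP5 = (
    'java version "1.8.0_241"\n'
    'Java(TM) SE Runtime Environment (build 8.0.6.5 - pxa6480sr6fp5-20200101_01(SR6 FP5))\n'
    'IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200101_000001 (JIT enabled, AOT enabled)\n'
)
SAMPLE_SR6_FP10 = (
    'java version "1.8.0_251"\n'
    'Java(TM) SE Runtime Environment (build 8.0.6.10 - pxa6480sr6fp10-20200401_01(SR6 FP10))\n'
    'IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200401_000001 (JIT enabled, AOT enabled)\n'
)
SAMPLE_OPENJDK = (
    'openjdk version "1.8.0_252"\n'
    'OpenJDK Runtime Environment (build 1.8.0_252-b09)\n'
    'OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)\n'
)

if __name__ == "__main__":
    # Usage: python check_jre.py <install>/server/jre  (substitute your path)
    jre = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("server/jre")
    ok = check_jre(jre)
    wanted = ".".join(str(n) for n in MIN_BUILD)
    print(f"{jre}: {'at or above' if ok else 'BELOW'} {wanted}")
    sys.exit(0 if ok else 1)
```

Run it against every server directory you operate, including WAS and WAS Liberty instances that carry their own JRE, since remediation item 2 above requires those to be updated separately from the product's bundled jre.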
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwKeJ+NLKJtyKPYoAQj5ug//eQanl1VIzva/CXSyPBlgIzUz+fwbui7i
U7N3h3Pt8N261jp43rbJZ/6D5bNb+NElm5FOree4GrehpSlf/zyC66s3EdK+iuoR
+Pyjy8Tun4wPtqzqbay/Pmfh3Lpco6D0thk2zPAeXalQVvYYaY9JqibhVyho9gAH
ZWeH8DWIW6Rpom3hdl2wIAQ1iD/Ps6wMVu9TisbOcojNbKrnDphpkVACr3uz/mOQ
JGDvaa6OdLN0yH00IV0rp8b9uyWM92+ZeY6eGw8Q1d+P4iZv2Od8Wxbs9wKGjv9N
p5LySWrQWQ4+jjvY9omyZO8HaGhu147QObORQwV54hVW0cMvatIQ0CZxkp/HQKIw
TcguXEIWLjoQ9sVLvafaH2j+8kNLkwMwsO7snpI0e8NdlAJ1CpdxV4xrd5hpLvwY
WOux8sgiJb5Ts+7pF+knWh28KOupqh60v38CKU/5SpaJVsMXDIyVT2xlTb76BSop
bF4oGciuLAFfDRbubhEOAoKt3fprzQZn21EEQpK+RBSJeXOALlaYS6A1ULnIaQLp
XfUE5PgPWCbKscLsQ5Wj5EnWUr6BqlbT65Ro41Oz83lf28qG9U4WPEjG2Or3vEK7
jerJ1EqLeSLraW9dRPimJ05T9OBoGGku2jYtQzD6y8iwARvrUMykEPw78x0Ud14b
kBCgB/XgDsw=
=HoI0
-----END PGP SIGNATURE-----