-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4089
 Security Bulletin: An unspecified vulnerability in Java SE or Oracle Java
                SE could allow an unauthenticated attacker
                             18 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           DB2 Recovery Expert for Linux, UNIX and Windows
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Solaris
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
                   CVE-2020-14581 CVE-2020-14579 CVE-2020-14578
                   CVE-2020-14577 CVE-2020-14556 CVE-2019-17639

Reference:         ASB-2020.0128
                   ESB-2020.3232
                   ESB-2020.2736

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6369131

- --------------------------BEGIN INCLUDED TEXT--------------------

An unspecified vulnerability in Java SE or Oracle Java SE could allow an
unauthenticated attacker

Document Information

Document number    : 6369131
Modified date      : 17 November 2020
Product            : DB2 Recovery Expert for Linux, UNIX and Windows
Software version   : 5.5.0.1 IF0
Operating system(s): Linux
                     AIX
                     Solaris
                     Windows

Security Bulletin

Summary

DB2 Recovery Expert for Linux, UNIX and Windows is affected by the following
Java SE and Eclipse OpenJ9 vulnerabilities:

CVE-2020-14583: an unspecified vulnerability in the Java SE Libraries
component. Its CVSS vector (C:H/I:H/A:H with a scope change) indicates high
confidentiality, integrity and availability impact; the attack is difficult to
carry out and requires user interaction, but a successful attack can reach
beyond the vulnerable component. The vector and the 8.3 base score, not any
"low confidentiality, low integrity" wording attached to this CVE, reflect its
severity.

CVE-2020-14593: an unspecified vulnerability in the Java SE 2D component that
could allow an unauthenticated, remote attacker to modify data (high integrity
impact; no confidentiality or availability impact); user interaction is
required.

CVE-2020-14621: an unspecified vulnerability in the Java SE JAXP component that
could allow an unauthenticated, remote attacker to modify a limited amount of
data (low integrity impact; no confidentiality or availability impact).

CVE-2020-14556: an unspecified vulnerability in the Java SE Libraries component
that could allow an unauthenticated, remote attacker to read and modify a
limited amount of data (low confidentiality and low integrity impact; no
availability impact).

CVE-2020-14581: an unspecified vulnerability in the Oracle Java SE and Java SE
Embedded 2D component that could allow an unauthenticated, remote attacker to
obtain sensitive information (low confidentiality impact) using unknown attack
vectors.

CVE-2020-14579 and CVE-2020-14578: two unspecified vulnerabilities in the Java
SE Libraries component that could allow an unauthenticated, remote attacker to
cause a denial of service (low availability impact) using unknown attack
vectors.

CVE-2020-14577: an unspecified vulnerability in the Java SE JSSE component that
could allow an unauthenticated, remote attacker to obtain sensitive information
(low confidentiality impact) using unknown attack vectors.

CVE-2019-17639: Eclipse OpenJ9 could allow a remote attacker to obtain
sensitive information, caused by the premature return of the current method
with an undefined return value when System.arraycopy is invoked with a length
longer than the source or destination array.

Vulnerability Details

CVEID: CVE-2020-14583
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated, remote attacker to compromise the
Java runtime. The CVSS vector below (C:H/I:H/A:H with a scope change)
indicates high confidentiality, integrity and availability impact; the attack
is difficult to carry out (high attack complexity) and requires a user to
interact with attacker-supplied content, but a successful attack can affect
resources beyond the vulnerable component. The vector and the 8.3 base score,
rather than any "low confidentiality, low integrity" wording attached to this
CVE, reflect its severity.
CVSS Base score: 8.3
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185061
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-14593
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated, remote attacker to modify data (high
integrity impact; no confidentiality or availability impact). The attack
requires user interaction and, because scope changes, can affect resources
beyond the vulnerable component.
CVSS Base score: 7.4
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185071
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2020-14621
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated, remote attacker to modify a limited
amount of data (low integrity impact; no confidentiality or availability
impact) without any user interaction.
CVSS Base score: 5.3
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185099
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2020-14556
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated, remote attacker to read and modify a
limited amount of data (low confidentiality and low integrity impact; no
availability impact). The attack is difficult to carry out (high attack
complexity) and needs no user interaction.
CVSS Base score: 4.8
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185034
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2020-14581
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the 2D component could allow an unauthenticated attacker to
obtain sensitive information resulting in a low confidentiality impact using
unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185059
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-14579
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185057
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14578
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185056
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14577
DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185055
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-17639
DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to obtain sensitive
information, caused by the premature return of the current method with an
undefined return value. By invoking the System.arraycopy method with a length
longer than the length of the source or destination array, an attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: see the current score at
https://exchange.xforce.ibmcloud.com/vulnerabilities/185437
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------+----------+
|Affected Product(s)        |Version(s)|
+---------------------------+----------+
|DB2 Recovery Expert for LUW|5.5       |
+---------------------------+----------+
|DB2 Recovery Expert for LUW|5.5 IF 1  |
+---------------------------+----------+
|DB2 Recovery Expert for LUW|5.5 IF 2  |
+---------------------------+----------+
|DB2 Recovery Expert for LUW|5.5.0.1   |
+---------------------------+----------+

Remediation/Fixes

Install or upgrade the product to the latest available level, 5.5.0.1 IF0,
from IBM Fix Central. Because the affected-version table lists 5.5.0.1 as well
as 5.5, 5.5 IF 1 and 5.5 IF 2, verify the interim fix level of each
installation rather than the base version alone.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----