Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 SR10-FP35 and Version 8 SR5-FP25 used by IBM Tivoli Application Dependency Discovery Manager (TADDM). These issues were disclosed as part of the IBM Java SDK updates in Jan 2019.

Vulnerability Details

CVEID: CVE-2018-11212 DESCRIPTION: libjpeg is vulnerable to a denial of service, caused by divide-by-zero error in the alloc_sarray function in jmemmgr.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2426 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-2449 DESCRIPTION: An unspecified vulnerability related to the Java SE Deployment component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2422 DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155741 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12547 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12549 DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to execute arbitrary code on the system, caused by the failure to omit a null check on the receiver object of an Unsafe call when accelerating it. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157513 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1890 DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

TADDM 7.2.2.5

TADDM 7.3 (7.3.0.0 - 7.3.0.6)

Remediation/Fixes

efix_jdk8.0.5.30_FP6190313.zip

|

7.3.0.6

| None |

[Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=YJTMUk5DePDgDx2PgTY5GYRtj3KlqrP4VQQ5gJaXGzI >)

[efix_jdk7.0.10.40_FP420171214.zip](<https://www.secure.ecurep.ibm.com/download/?id=ZrV3fsm9stxhyAIxHNXvLmgol0HE1fMGDN53Cki7cbM >) | 7.3.0.4 | None | Download eFix

efix_jdk7.0.10.40_FP520160209.zip

| 7.2.2.5 | None |

[Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=9ieGcjXh4iLCfVM2xeZoz1LXULTwkcV8jzycT9PNLpc >)

The eFix provided for 7.3.0.6 has been tested to work successfully on top on 7.3.0.5. Similarly, the eFix provided for 7.3.0.4 has been tested to work successfully on 7.3.0.0 - 7.3.0.3.

Please get familiar with the eFix readme in etc/efix_readme.txt

For each TADDM release (7.3.0, 7.2.2) there is a prepared replacement for Windows® 32-bit IBM JRE, Java Technology Edition, shipped separately on TADDM installation DVD discs.

ibm-java-jre-70-win-i386

|

7.3.0 (7.3.0.0 - 7.3.0.4) and 7.2.2

| None |

Download eFix

ibm-java-jre-80-win-i386

|

7.3.0.5 and 7.3.0.6

| None |

Download eFix