
Security Bulletin: Multiple vulnerabilities in Open JDK affecting Rational Functional Tester / DevOps Test UI

2024-09-04 14:41:47
www.ibm.com

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 5.7
Confidence: High

Summary

There are multiple vulnerabilities in Open JDK Version 8, OpenJ9 used by Rational Functional Tester (RFT) / Open JDK Version 17, OpenJ9 used by DevOps Test UI (Test UI). RFT/Test UI has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2024-21131
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/298464 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2024-21144
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Concurrency component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/298470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21145
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CVSS Base score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/298467 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Rational Functional Tester (RFT) | RFT 10.0 - 10.0.2.1 |
| Rational Functional Tester (RFT) | RFT 10.1 - 10.1.3 |
| Rational Functional Tester (RFT) | RFT 10.2 - 10.2.3 |
| Rational Functional Tester (RFT) | RFT 10.5 - 10.5.4 |
| DevOps Test UI (Test UI) | Test UI 11.0 - 11.0.2 |

Remediation/Fixes

| Product | Version | APAR | Operating System | Remediation/Fix |
| --- | --- | --- | --- | --- |
| RFT, Test UI | 10.0 to 10.5.4, 11.0.0 and 11.0.1 | None | Windows 32 bit | <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u422-b05_openj9-0.46.0/ibm-semeru-open-jdk_x86-32_windows_8u422b05_openj9-0.46.0.zip> |
| RFT, Test UI | 10.0 to 10.5.4, 11.0.0 and 11.0.1 | None | Windows 64 bit | <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u422-b05_openj9-0.46.0/ibm-semeru-open-jdk_x64_windows_8u422b05_openj9-0.46.0.zip> |
| RFT, Test UI | 10.0 to 10.5.4, 11.0.0 and 11.0.1 | None | Linux | <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u422-b05_openj9-0.46.0/ibm-semeru-open-jdk_x64_linux_8u422b05_openj9-0.46.0.tar.gz> |
| RFT, Test UI | 10.0 to 10.5.4, 11.0.0 and 11.0.1 | None | Mac OS | <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u422-b05_openj9-0.46.0/ibm-semeru-open-jdk_x64_mac_8u422b05_openj9-0.46.0.tar.gz> |

Download the correct version of JDK for your platform to manually replace the JDK.

Note: Please take a backup of the existing ${RFTinstallLocation}/jdk folder.

| Product | Version | APAR | Operating System | Remediation/Fix |
| --- | --- | --- | --- | --- |
| Test UI | 11.0.0 and 11.0.1 | None | Windows 32 bit | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jre_x64_windows_17.0.12_7_openj9-0.46.0.zip> |
| Test UI | 11.0.0 and 11.0.1 | None | Windows 64 bit | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jre_x64_windows_17.0.12_7_openj9-0.46.0.zip> |
| Test UI | 11.0.0 and 11.0.1 | None | Linux | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jre_x64_linux_17.0.12_7_openj9-0.46.0.tar.gz> |
| Test UI | 11.0.0 and 11.0.1 | None | Mac OS | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jre_x64_mac_17.0.12_7_openj9-0.46.0.tar.gz> |

Download the correct version of JRE for your platform to manually replace the JRE.

Note: Please take a backup of the existing ${TestUIinstallLocation}/jre17/jre folder.

| Product | Version | APAR | Operating System | Remediation/Fix |
| --- | --- | --- | --- | --- |
| Test UI | 11.0.2 | None | Windows 32 bit | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jdk_x64_windows_17.0.12_7_openj9-0.46.0.zip> |
| Test UI | 11.0.2 | None | Windows 64 bit | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jdk_x64_windows_17.0.12_7_openj9-0.46.0.zip> |
| Test UI | 11.0.2 | None | Linux | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jdk_x64_linux_17.0.12_7_openj9-0.46.0.tar.gz> |
| Test UI | 11.0.2 | None | Mac OS | <https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.12%2B7_openj9-0.46.0/ibm-semeru-open-jdk_x64_mac_17.0.12_7_openj9-0.46.0.tar.gz> |

Download the correct version of JDK for your platform to manually replace the JDK.

Note: Please take a backup of the existing ${TestUIinstallLocation}/jdk folder.

Additional steps for Mac OS:

For Rational Functional Tester 10.5.4 and earlier releases, DevOps Test UI 11.0.0 and 11.0.1 releases, run the following commands:

```sh
# Variables are quoted so an install path containing spaces is handled correctly.
chmod -R +x "${RFTinstallLocation}/jdk/Contents/Home/bin"
chmod -R +x "${RFTinstallLocation}/jdk/Contents/Home/jre/bin"
chmod -R +x "${RFTinstallLocation}/jdk/Contents/Home/jre/lib/jspawnhelper"
chmod -R +x "${RFTinstallLocation}"/jdk/Contents/Home/jre/lib/*.dylib
rm -f "${RFTinstallLocation}/jdk/Contents/MacOS/libjli.dylib"
ln -s "${RFTinstallLocation}/jdk/Contents/Home/jre/lib/jli/libjli.dylib" "${RFTinstallLocation}/jdk/Contents/MacOS/libjli.dylib"
```

For DevOps Test UI 11.0.0 and 11.0.1 releases, run the following additional commands:

```sh
# Variables are quoted so an install path containing spaces is handled correctly.
chmod -R +x "${TestUIinstallLocation}/jre17/jre/Contents/Home/bin"
chmod -R +x "${TestUIinstallLocation}/jre17/jre/Contents/Home/lib/jspawnhelper"
chmod -R +x "${TestUIinstallLocation}"/jre17/jre/Contents/Home/lib/*.dylib
rm -f "${TestUIinstallLocation}/jre17/jre/Contents/MacOS/libjli.dylib"
ln -s "${TestUIinstallLocation}/jre17/jre/Contents/Home/lib/jli/libjli.dylib" "${TestUIinstallLocation}/jre17/jre/Contents/MacOS/libjli.dylib"
```

For DevOps Test UI 11.0.2 and later releases, run the following commands:

```sh
# Variables are quoted so an install path containing spaces is handled correctly.
chmod -R +x "${TestUIinstallLocation}/jdk/Contents/Home/bin"
chmod -R +x "${TestUIinstallLocation}/jdk/Contents/Home/lib/jspawnhelper"
chmod -R +x "${TestUIinstallLocation}"/jdk/Contents/Home/lib/*.dylib
rm -f "${TestUIinstallLocation}/jdk/Contents/MacOS/libjli.dylib"
ln -s "${TestUIinstallLocation}/jdk/Contents/Home/lib/libjli.dylib" "${TestUIinstallLocation}/jdk/Contents/MacOS/libjli.dylib"
```
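
After the runtime has been replaced, the bundled Java can be checked against the fixed levels named in the download links above (8u422 for Java 8, 17.0.12 for Java 17). The script below is an added example, not part of the IBM bulletin; the function names are hypothetical and the sample `java -version` lines are constructed.

```shell
#!/bin/sh
# Added example: is a bundled runtime at the fixed level from this bulletin?
# Fixed levels taken from the download links: 8u422 (Java 8), 17.0.12 (Java 17).

# Print the quoted version string from `java -version` output read on stdin.
java_version_string() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# 0 = at or above the fixed level, 1 = older, 2 = not a Java 8/17 version.
is_fixed_level() {
    v=$1
    case "$v" in
        1.8.0_*)
            u=${v#1.8.0_}; u=${u%%[!0-9]*}      # update number, e.g. 412
            [ -n "$u" ] || return 2
            [ "$u" -ge 422 ] ;;
        17|17.*)
            rest=${v#17}; rest=${rest#.}        # "0.12" for 17.0.12
            minor=${rest%%.*}
            case "$rest" in *.*) sec=${rest#*.} ;; *) sec=0 ;; esac
            minor=${minor%%[!0-9]*}; sec=${sec%%[!0-9]*}
            [ "${minor:-0}" -gt 0 ] || [ "${sec:-0}" -ge 12 ] ;;
        *) return 2 ;;
    esac
}

# Hypothetical helper: classify the java executable at path $1.
check_runtime() {
    is_fixed_level "$("$1" -version 2>&1 | java_version_string)"
}

# Constructed sample first lines of `java -version` output.
for sample in 'openjdk version "1.8.0_412"' 'openjdk version "1.8.0_422"' \
              'openjdk version "17.0.11" 2024-04-16' 'openjdk version "17.0.12" 2024-07-16'; do
    ver=$(printf '%s\n' "$sample" | java_version_string)
    if is_fixed_level "$ver"; then echo "$ver: fixed level"; else echo "$ver: replace runtime"; fi
done
```

On Mac OS, `check_runtime "${RFTinstallLocation}/jdk/Contents/Home/bin/java"` checks the replaced JDK in place; an exit status of 1 means the old runtime is still the one being launched.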

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibm devops_deploy matches 10.0 OR ibm devops_deploy matches 11.0

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | devops_deploy | 10.0 | cpe:2.3:a:ibm:devops_deploy:10.0:\*:\*:\*:\*:\*:\*:\* |
| ibm | devops_deploy | 11.0 | cpe:2.3:a:ibm:devops_deploy:11.0:\*:\*:\*:\*:\*:\*:\* |
