Jul 24, 2020 - 10:19 p.m.

Security Bulletin: Multiple Java Vulnerabilities Impact IBM Control Center (CVE-2018-3180, CVE-2018-1890)

www.ibm.com

EPSS: 0.003 (Low), percentile 69.5%

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 7 and 8 that is used by IBM Control Center. This issue was disclosed as part of the IBM Java SDK updates in October 2018 and January 2019.

Vulnerability Details

CVEID: CVE-2018-3180

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.

CVSS Base Score: 5.6

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151497> for the current score

CVSS Environmental Score*: 4.9

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-1890

DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.

CVSS Base Score: 5.9

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152081> for the current score

CVSS Environmental Score*: 1.8

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Control Center 6.0.0.0 through 6.0.0.2 iFix05
IBM Control Center 6.1.0.0 through 6.1.2.0 iFix01

Remediation/Fixes

Product | VRMF | iFix | APAR | Remediation / First Fix
---|---|---|---|---
IBM Control Center | 6.0.0.2 | iFix06 | IT28645 | Fix Central - 6.0.0.2
IBM Control Center | 6.1.2.0 | iFix02 | IT28646 | Fix Central - 6.1.2.0

Workarounds and Mitigations

None.

CPE Name | Operator | Version
---|---|---
ibm control center | eq | any