Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6496982D8C337EAFD2590A3CE740A3D6714F899BE87D200BAEA08911D11319ED
HistoryMay 17, 2019 - 5:10 a.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum LSF Process Manager

2019-05-1705:10:01
www.ibm.com
9

0.083 Low

EPSS

Percentile

94.4%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™Version 8 used by IBM Spectrum LSF Process Manager. These issues have been addressed by IBM Java SDK updates in April 2019.

Vulnerability Details

CVEID: CVE-2019-2699 DESCRIPTION: Oracle’s JREs/JDKs on Windows ship with an old version of a Microsoft DLL which contains a vulnerability.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159791&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2698 DESCRIPTION: An attacker can use a maliciously crafted font to exploit a flaw in the JDK’s font parsing code to overwrite memory addresses and cause a crash. Untrusted code running under a security manager may be able to elevate its privileges and execute arbitrary code.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159790&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-2697 DESCRIPTION: An attacker can use a maliciously crafted font to exploit a flaw in the JDK’s font parsing code to overwrite memory addresses and cause a crash. Untrusted code running under a security manager may be able to elevate its privileges and execute arbitrary code.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159789&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2602 DESCRIPTION: A flaw in the java.math.BigDecimal API causes hangs when parsing certain String values. This potentially allows an attacker to inflict a denial-of-service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159698&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-2684 DESCRIPTION: The Java runtime’s java.rmi.Registry implementation does not check access privileges correctly for some remote calls. This allows an attacker to effectively replace a number of predefined static skeleton classes with dynamic malicious skeletons.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159776&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-10245 DESCRIPTION: A flaw in the OpenJ9 class verifier potentially allows untrusted code to elevate its privileges and execute arbitrary code.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160010&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum LSF Process Manager 10.2

Remediation/Fixes

<Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—

IBM Spectrum LSF Process Manager

|

10.2

|

None

|

  1. Download IBM JRE 8.0 from the following location: http://www.ibm.com/support/fixcentral by keyword ‘Runtimes for Java Technology’. (The followings steps are using x86_64 as an example.)
  2. Copy the tar package into the PM server host.
  3. Log on the PM server host as root, stop jfd.

jadmin stop

  1. On the PM server host, extract new JRE files and replace old folders with new ones.

chmod +x ibm-java-x86_64-jre-8.0-5.35.bin

./ibm-java-x86_64-jre-8.0-5.35.bin

mv /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre-old

mkdir -p /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre

cp -r ibm-java-x86_64-80/* /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre

mv /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre/jre/bin /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre

mv /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre/jre/lib /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre

mv /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre/jre/plugin /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre

rm -rf /opt/ppm/10.2/linux2.6-glibc2.3-x86_64/jre/jre

  1. On the PM server host, start jfd

jadmin start

Workarounds and Mitigations

N/A

CPENameOperatorVersion
ibm spectrum lsf process managereqany

Related

ibm 51
nessus 67
openvas 31
redhat 13
kaspersky 1
aix 1
amazon 3
ubuntu 1
debian 2
osv 3
oraclelinux 7
centos 5
mageia 1
photon 2
suse 4
f5 1
prion 1
cvelist 1
redhatcve 1
veracode 1
cve 1
gentoo 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum LSF Analytics
2019-05-17 05:10:01
Security Bulletin: Multiple security vulnerabilities may affect IBM SDK, Java Technology Edition shipped with Predictive Maintenance and Quality
2019-05-10 05:10:01
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.
2019-05-17 05:10:01
nessus
nessus
SUSE SLED15 / SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2019:1308-2)
2019-06-28 00:00:00
SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2019:14059-1)
2019-05-22 00:00:00
RHEL 7 : java-1.7.1-ibm (RHSA-2019:1166)
2019-05-14 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2019:1345-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:1308-2)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:14059-1)
2021-06-09 00:00:00
redhat
redhat
(RHSA-2019:1166) Important: java-1.7.1-ibm security update
2019-05-13 20:58:23
(RHSA-2019:1163) Important: java-1.8.0-ibm security update
2019-05-13 20:57:53
(RHSA-2019:1164) Important: java-1.8.0-ibm security update
2019-05-13 20:58:02
kaspersky
kaspersky
KLA11470 Multiple vulnerabilities in Oracle Java SE
2019-04-16 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2019-06-28 13:47:27
amazon
amazon
Important: java-11-amazon-corretto
2019-06-11 23:21:00
Important: java-1.7.0-openjdk
2019-05-16 21:42:00
Important: java-1.8.0-openjdk
2019-08-07 23:35:00
ubuntu
ubuntu
OpenJDK vulnerabilities
2019-05-13 00:00:00
debian
debian
[SECURITY] [DSA 4453-1] openjdk-8 security update
2019-05-29 21:15:56
[SECURITY] [DLA 1782-1] openjdk-7 security update
2019-05-10 16:39:02
osv
osv
openjdk-8 - security update
2019-05-29 00:00:00
openjdk-7 - security update
2019-05-10 00:00:00
CVE-2019-10245
2019-04-19 14:29:00
oraclelinux
oraclelinux
java-1.7.0-openjdk security update
2019-04-22 00:00:00
java-1.8.0-openjdk security update
2019-04-17 00:00:00
java-1.8.0-openjdk security and bug fix update
2019-04-17 00:00:00
centos
centos
java security update
2019-04-22 22:45:55
java security update
2019-04-22 22:47:39
java security update
2019-04-19 18:53:44
mageia
mageia
Updated java-1.8.0-openjdk packages fix security vulnerability
2019-05-08 00:38:09
photon
photon
Important Photon OS Security Update - PHSA-2019-0232
2019-05-09 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0159
2019-05-10 00:00:00
suse
suse
Security update for java-1_8_0-openjdk (important)
2019-05-23 00:00:00
Security update for java-11-openjdk (moderate)
2019-05-04 00:00:00
Security update for java-1_7_0-openjdk (moderate)
2019-06-03 00:00:00
f5
f5
K07519400 : Java SE vulnerabilities CVE-2019-2602, CVE-2019-2698, CVE-2019-2945, and CVE-2019-2962
2022-06-10 00:00:00
prion
prion
Code injection
2019-04-19 14:29:00
cvelist
cvelist
CVE-2019-10245
2019-04-19 13:43:31
redhatcve
redhatcve
CVE-2019-10245
2019-10-13 19:59:00
veracode
veracode
Denial Of Service
2019-05-16 04:17:27
cve
cve
CVE-2019-10245
2019-04-19 14:29:00
gentoo
gentoo
Oracle JDK/JRE: Multiple vulnerabilities
2019-08-15 00:00:00

0.083 Low

EPSS

Percentile

94.4%

JSON
Related for 6496982D8C337EAFD2590A3CE740A3D6714F899BE87D200BAEA08911D11319ED
ibm51nessus67openvas31redhat13kaspersky1aix1amazon3ubuntu1debian2osv3oraclelinux7centos5mageia1photon2suse4f51prion1cvelist1redhatcve1veracode1cve1gentoo1