Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9 and IBM BigFix Inventory v9

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM License Metric Tool and IBM BigFix Inventory. These issues were disclosed as part of the IBM Java SDK updates in Jan 2018

Vulnerability Details

CVEID: CVE-2018-2579 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137833&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2602 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137854&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-2599 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137851&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2018-2603 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137855&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2618 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137870&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-2633 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137885&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM License Metric Tool 9.0 - 9.2.11

IBM BigFix Inventory 9.0 - 9.2.11

Remediation/Fixes

Upgrade to version 9.2.12 or later using the following procedure:

• In IBM Endpoint Manager console, expand IBM BigFix InventoryorIBM License Reporting (ILMT) node underSites node in the tree panel.
• Click Fixlets and Tasks node.Fixlets and Tasks panel will be displayed on the right.
• In the Fixlets and Tasks panel locate _Upgrade to the latest version of __IBM BigFix Inventory 9.x _or _Upgrade to the latest version of IBM License Metric Tool _9.x fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None