History: Jun 16, 2018 - 2:08 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Discovery (CVE-2016-0264, CVE-2016-3426)

2018-06-16 14:08:15
www.ibm.com
EPSS: 0.023
Percentile: 89.8%

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6, which is used by IBM InfoSphere Discovery. These issues were disclosed as part of the IBM Java SDK updates in April 2016.

Vulnerability Details

CVEID: CVE-2016-0264
DESCRIPTION: A buffer overflow vulnerability in the IBM JVM facilitates arbitrary code execution under certain limited circumstances.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110867 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM InfoSphere Discovery, IBM InfoSphere Discovery for Information Integration, and IBM InfoSphere Discovery for zOS, versions 4.1.1 and 4.5 on Windows, and version 4.6 running on all platforms

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
All InfoSphere Discovery products | 4.6 | IT15190 | Apply IT15190
All InfoSphere Discovery products | 4.5 | IT15190 | Upgrade to Discovery 4.6.2.2; Apply IT15190
All InfoSphere Discovery products | 4.1.1 | IT15190 | Upgrade to Discovery 4.6.2.2; Apply IT15190

Workarounds and Mitigations

None