There are multiple vulnerabilities in IBM® Runtime Environment Java™ versions 8 used by IBM Spectrum Conductor with Spark 2.2.0, 2.2.1 and IBM Spectrum Conductor 2.3.0. IBM Spectrum Conductor has addressed the applicable CVEs.
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin”, located in the References section for more information.
CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151455> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-3136
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151452> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVEID: CVE-2018-13785
DESCRIPTION: libpng is vulnerable to a denial of service, caused by a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146015> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-3214
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Sound component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151530> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151497> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-3149
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151465> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3169
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151486> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-3183
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Scripting component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151500> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
IBM Spectrum Conductor with Spark: 2.2.0 - 2.2.1
IBM Spectrum Conductor: 2.3.0
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM Spectrum Conductor with Spark | 2.2.0 | P102842 |
IBM Spectrum Conductor with Spark | 2.2.1 | P102842 |
IBM Spectrum Conductor | 2.3.0 | P102842 |
For example, on Linux x86_64 hosts, enter:
> mkdir -p /tmp/cws22build509248
> tar zxof cws-2.2.0.0_x86_64_build509248.tgz -C /tmp/cws22build509248
> rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/cws22build509248/egojre-8.0.5.25.x86_64.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
The _cshrc.jre _and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
Source the cluster profile again and start the cluster:
> egosh ego start all
Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.
Run the rpm –qa command to verify the installation:
> rpm -qa --dbpath dbpath_location |grep egojre
egojre-8.0.5.25-509248.x86_64
For example, on Linux x86_64 hosts, enter:
> mkdir -p /tmp/cws221build509249
> tar zxof cws-2.2.1.0_x86_64_build509249.tgz -C /tmp/cws221build509249
> rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/cws221build509249/egojre-8.0.5.25.x86_64.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
The _cshrc.jre _and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
egojre-8.0.5.25-509249.x86_64
egojre-8.0.5.25-509250.x86_64
IBM Spectrum Conductor with Spark 2.2.0
> rpm -e egojre-8.0.5.25-509248.x86_64 --dbpath dbpath_location --nodeps
> rpm -qa --dbpath dbpath_location |grep egojre
where dbpath_location specifies the path to your database.
For each previous egojre rpm, run:
> rpm -e [egojre_name] --dbpath dbpath_location --nodeps
Then, install the old JRE:
> mkdir -p /tmp/extract22
> cws-2.2.0.0_x86_64.bin --extract /tmp/extract22
> rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/extract22/egojre-*.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
IBM Spectrum Conductor with Spark 2.2.1
> rpm -e egojre-8.0.5.25-509249.x86_64 --dbpath dbpath_location --nodeps
> rpm -qa --dbpath dbpath_location |grep egojre
where dbpath_location specifies the path to your database.
For each previous egojre rpm, run:
> rpm -e [egojre_name] --dbpath dbpath_location --nodeps
Then, install the old JRE:
> mkdir -p /tmp/extract221
> cws-2.2.1.0_x86_64.bin --extract /tmp/extract221
> rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location_ _/tmp/extract221/egojre-*.rpm
where $EGO_TOP specifies the path to where the cluster is installed and dbpath_location specifies the path to your database.
IBM Spectrum Conductor 2.3.0
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum conductor | eq | 2.2.0 | |
ibm spectrum conductor | eq | 2.2.1 | |
ibm spectrum conductor | eq | 2.3.0 |