Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2019 - Includes Oracle Oct 2019 CPU minus CVE-2019-2949

Summary

All applicable Java SE CVEs published by Oracle as part of their October 2019 Critical Patch Update, except for CVE-2019-2949, plus one additional vulnerability. See attached document for full details. Note that the following CVEs were incorrectly added to the list of vulnerabilities associated with this Advisory: • CVE-2019-2894 • CVE-2019-2977 • CVE-2019-2987 These issues are not applicable for all releases of the IBM JDK on all platforms. Product teams should treat these CVEs as /A in their PVRs.

Vulnerability Details

CVEID:CVE-2019-2989
**DESCRIPTION:**An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID:CVE-2019-2958
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169264 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-2977
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:CVE-2019-2975
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:CVE-2019-2999
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Javadoc component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-2996
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Deployment component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169302 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-2894
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169207 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-2992
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169298 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2988
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2987
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2983
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169289 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2981
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169287 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2978
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169284 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2973
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2962
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169268 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2964
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169250 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2933
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169238 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-17631
**DESCRIPTION:**Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to performs an authorization check when an actor attempts to access a resource or perform an action. An attacker could exploit this vulnerability to gain access to diagnostic operations such as causing a GC or creating a diagnostic file.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169513 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Please see “Workarounds”

Workarounds and Mitigations

Steps to update JRE - DataQuant:

1. Close DataQuant.
2. Download JRE (ibm-java-jre-80-win-i386) and extract the files to a temporary location.
3. Replace jre folder at the install directory location –> “C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation”. Replace with contents in step # 2.
4. Download eclipse oxygen from https://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/oxygen/3a/eclipse-jee-oxygen-3a-win32-x86_64.zip
5. Extract the eclipse oxygen and copy the plugin - org.apache.jasper.glassfish_2.2.2.v201501141630.jar from eclipse-jee-oxygen-3a-win32-x86_64\eclipse\plugins
6. Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins
7. Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar from the DataQuant install directory