There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7 used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.
CVEID: CVE-2017-3539
**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-1289
**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
IBM Security SiteProtector System 3.0 and 3.1.1
Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:
For SiteProtector 3.0:

Component | eXPress Update (XPU) |
---|---|
SiteProtector Core Component | ServicePack3_0_0_16.xpu |
SiteProtector Agent Manager | AgentManager_WINNT_XXX_ST_3_0_0_80.xpu |
SiteProtector Event Collector | RSEvntCol_WINNT_XXX_ST_3_0_0_13.xpu |

For SiteProtector 3.1.1:

Component | eXPress Update (XPU) |
---|---|
SiteProtector Core Component | ServicePack3_1_1_12.xpu |

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:

CPE:

Name | Operator | Version |
---|---|---|
ibm security siteprotector system | eq | 3.0 |
ibm security siteprotector system | eq | 3.1.1 |