Jun 16, 2018 - 10:00 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System

www.ibm.com

EPSS: 0.002 (Low), percentile 61.1%

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7 used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017.

Vulnerability Details

CVEID: CVE-2017-3539

DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

CVSS Base Score: 3.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124915 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-1289

DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.

CVSS Base Score: 8.2

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

IBM Security SiteProtector System 3.0 and 3.1.1

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

For SiteProtector 3.0:

SiteProtector Core Component | ServicePack3_0_0_16.xpu
---|---
SiteProtector Agent Manager | AgentManager_WINNT_XXX_ST_3_0_0_80.xpu
SiteProtector Event Collector | RSEvntCol_WINNT_XXX_ST_3_0_0_13.xpu

For SiteProtector 3.1.1:

SiteProtector Core Component | ServicePack3_1_1_12.xpu
---|---

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:

<https://ibmss.flexnetoperations.com/service/ibms/login>