Security Bulletin:Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2016-0264, CVE-2016-3426)

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 that is used by IBM Systems Director . These issues were disclosed as part of the IBM Java SDK updates in April 2016.

Vulnerability Details

CVEID: CVE-2016-3426 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2016-0264 DESCRIPTION: A buffer overflow vulnerability in the IBM JVM facilitates arbitrary code execution under certain limited circumstances.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110867 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

From the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed.

IBM Systems Director:

• 5.2.x.x
• 6.1.x.x
• 6.2.0.x
• 6.2.1.x
• 6.3.0.0
• 6.3.1.x
• 6.3.2.x
• 6.3.3.x
• 6.3.5.0
• 6.3.6.0
• 6.3.7.0

Remediation/Fixes

For Releases 5.2.x.x, 6.1.x.x , 6.2.x.x , 6.3.0.0 to 6.3.3.x IBM recommends upgrading to a fixed, supported version of the product.

Follow the instructions mentioned in Tech note 785241054 to apply the fix for releases:

• 6.3.5.0
• 6.3.6.0
• 6.3.7.0

Workarounds and Mitigations

None