Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2016-3426)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition that is used by IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect™ for Virtual Environments) and IBM Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect™ Snapshot). These issues were disclosed as part of the IBM Java SDK updates in April 2016.

Vulnerability Details

CVEID: CVE-2016-3426**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following products and versions are affected.

• Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments):
  - 7.1.0.0 through 7.1.4.x
  (Note there is no 7.1.5 version.)
• Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect Snapshot):
  - 4.1.0.0 through 4.1.4.x
  (Note there is no 4.1.5 version.)

Remediation/Fixes

Tivoli Storage Manager for VE: Data Protection for VMware Release

| First Fixing VRMF Level|Client Platform|Link to Fix / Fix Availability Target
—|—|—|—
7.1| 7.1.6| Linux
Windows| http://www.ibm.com/support/docview.wss?uid=swg24042232 **_Tivoli Storage

Workarounds and Mitigations

None