Security Bulletin: vulnerabilities in in IBM® Runtime Environment Java™ Version 8 affect IBM WIoTP MessageGateway (CVE-2020-2805, CVE-2020-2803, CVE-2020-2781, CVE-2020-2755, CVE-2020-2754)

2020-05-1518:46:23

www.ibm.com

0.004 Low

EPSS

Percentile

72.2%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 that affect IBM WIoTP MessageGateway

Vulnerability Details

CVEID:CVE-2020-2805
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-2803
**DESCRIPTION:**An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-2781
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-2755
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-2754
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM WIoTP MessageGateway	5.0.0.1
IBM IoT MessageSight	5.0.0.0
IBM IoT MessageSight	2.0

Remediation/Fixes

Product

5.0.0.2

IT32841

| 5.0.0.2-IBM-IMA-IFIT32841
IBM MessageSight|

5.0.0.0

IT32841

| 5.0.0.0-IBM-IMA-IFIT32841
IBM MessageSight|

2.0.0.2

IT32841

| 2.0.0.2-IBM-IMA-IFIT32841

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm watson iot platform - message gatewayeq2.0.0.2
ibm watson iot platform - message gatewayeq5.0.0.0
ibm watson iot platform - message gatewayeq5.0.0.1
ibm watson iot platform - message gatewayeq5.0.0.2

Name	Operator	Version
ibm watson iot platform - message gateway	eq	2.0.0.2
ibm watson iot platform - message gateway	eq	5.0.0.0
ibm watson iot platform - message gateway	eq	5.0.0.1
ibm watson iot platform - message gateway	eq	5.0.0.2