IBMD2E6106EF11AF348014EE9CB5334DD52CE182E04767C75DCC2A3844B2D07F15BSecurity Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221)
EPSS
Percentile
74.6%
Summary
Vulnerabilities in IBM® Runtime Environment Java™ were disclosed as part of the IBM Java SDK updates in January 2021. IBM® Runtime Environment Java™ is used by IBM Spectrum Protect Snapshot which may be affected by CVE-2020-27221 on AIX and Linux. UPDATED: 26 May 2021 - Added Fix for 4.1 and instructions for IBM Spectrum Protect Snapshot Prerequisite Checker.
Vulnerability Details
CVEID:CVE-2020-27221
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Spectrum Protect Snapshot for Db2 on AIX and Linux | 8.1.0.0-8.1.11.0 |
| 4.1.0.0-4.1.6.4 |
IBM Spectrum Protect Snapshot for Custom Applications on AIX and Linux| 8.1.0.0-8.1.11.0
4.1.0.0-4.1.6.4
IBM Spectrum Protect Snapshot for Oracle on AIX and Linux
| 8.1.0.0-8.1.11.0
4.1.0.0-4.1.6.4
IBM Spectrum Protect Snapshot for Oracle with SAP on AIX and Linux
| 8.1.0.0-8.1.11.0
4.1.0.0-4.1.6.4
IBM Spectrum Protect Snapshot Prerequisite Checker
| 8.1.0.0-8.1.11.0
4.1.0.0-4.1.6.4
Remediation/Fixes
| IBM Spectrum Protect Snapshot Release | First Fixing VRM Level | Platform | Link to Fix |
|---|---|---|---|
| 8.1 | 8.1.11.1 | AIX | |
| Linux | <https://www.ibm.com/support/pages/node/6445123> | ||
| 4.1 | |||
| 4.1.6.5 | |||
| AIX | |||
| Linux | |||
| <https://www.ibm.com/support/pages/node/6454871> |
Instructions for IBM Spectrum Protect Snapshot Prerequisite Checker
The IBM Java Runtime Environment (JRE) shipped with IBM Spectrum Protect Snapshot Prerequisite Checker on AIX and Linux may be affected by CVE-2020-27221. IBM Spectrum Protect Snapshot Prerequisite Checker ONLY uses the JRE duringinstallation and uninstallation of the product. During normal operation of IBM Spectrum Protect Snapshot Prerequisite Checker, the JRE is not used. To make sure this vulnerability cannot be exploited, the JRE should be deleted. Remove the folder /opt/tivoli/tsfcm/fcmprereqchecker/jre/
If you need to uninstall the IBM Spectrum Protect Snapshot Prerequisite Checker, you must first install an IBM JRE at level 8.0.6.25 or higher as the system JRE. Future updates of IBM Spectrum Protect Snapshot Prerequisite Checker will contain a JRE that is not affected by CVE-2020-27221.
Workarounds and Mitigations
None
Related
EPSS
Percentile
74.6%