9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.032 Low
EPSS
Percentile
91.2%
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6.0.16.21 and earlier that is shipped with Tivoli Storage Productivity Center for download and use with its Java WebStart GUI. These issues were disclosed as part of the IBM Java SDK updates in April 2016.
CVEID: CVE-2016-0363** *DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 _for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.21 and earlier that is provided for download and use with the Java WebStart GUI from the following versions:
The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.
System Storage Productivity Center is affected if it has one of the versions listed above installed.
Note:
The Tivoli Storage Productivity Center server component is not directly affected. However, the affected versions listed above provide an interface to download the affected IBM® Runtime Environment Java™ Technology Edition. It you did not download and install this IBM® Runtime Environment Java™ Technology Edition on any systems, such as is required for the Tivoli Storage Productivity Center GUI that launches using Java WebStart, you are not affected and do not need to apply a fix.
Starting with IBM Spectrum Control 5.2.8, the IBM Runtime Environment Java Technology Edition is not included and IBM Spectrum Control is not affected.
Fix:
Apply an interim fix, fix pack or refresh pack containing APAR IT15482, as noted below.
If you have downloaded and installed an affected IBM Runtime Environment Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 21 or earlier from any version of Tivoli Storage Productivity Center, the interim fix provides a replacement package to install. Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the affected Tivoli Storage Productivity Center versions.
**
Note:** It is always recommended to have a current backup before applying any update procedure.
For 5.2.0 through 5.2.7.1:
-- OR –
For 5.1.0 through 5.1.1.10:
-- OR –
For Tivoli Storage Productivity Center 3.x, and 4.x, IBM recommends upgrading to a fixed, supported version of the product.
Upgrading to IBM Spectrum Control 5.2.8 or higher and uninstalling the IBM Runtime Environment Java Technology Edition is an acceptable solution.
None
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.032 Low
EPSS
Percentile
91.2%