Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 that is used by IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA)

Security Bulletin

Summary

There are multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 that is used by IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA) configuration tool. These issues were disclosed as part of the Java updates from July 2015, October 2015, January 2016 and April 2016.

Vulnerability Details

CVEID: CVE-2015-2613
DESCRIPTION: An unspecified vulnerability and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2601
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2659
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104736 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4749
DESCRIPTION: An unspecified vulnerability related to the JNDI component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4748
DESCRIPTION: An unspecified vulnerability related to the Security component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104729 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-2625
DESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-4872
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-4911
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4893
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4803
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-0483
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2016-0475
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109946 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID: CVE-2016-0466
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-3427
DESCRIPTION: An unspecified vulnerability in Oracle Java, SE Java SE Embedded and JRockit related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2016-3425
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java, SE Embedded and JRockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-0695
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and JRockit related to the Security component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112458 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x

Remediation/Fixes

IBM recommends updating the FSM SMIA configuration tool using the instructions referenced in this table.

IMPORTANT: Before installing a SMIA iFix you need to determine the version that is currently installed. To determine the SMIA version level installed on the FSM log into your FSM Web-based UI and navigate to the Home page and Applications tab. The version is listed next to the "SMIA Configuration Tool" link.

If your SMIA version is less than 12.3.4, update your FSM using the instructions listed in this Security Bulletin (https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098656), restart the FSM and then install the iFix listed in this table.
If your version is 12.3.4 or greater, then install the iFix listed in this table.

Product	VRMF	APAR	SMIA Remediation
Flex System Manager	1.3.4.x	IT12600	Install fsmfix1.3.4.0_IT12600_IT17778.
Flex System Manager	1.3.3.x	IT12600	Install fsmfix1.3.3.0_IT12600_IT17778.
Flex System Manager	1.3.2.x	IT12600	Install fsmfix1.3.2.0_IT12600_IT17778

For a complete list of FSM security bulletins refer to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E

For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Acknowledgement

None

Change History

06 December 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

3528/59722, 4021/64195, 4587/69709, 5254/76252

[{"Product":{"code":"HW94A","label":"Flex System Manager Node"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Tips

Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 that is used by IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA)