Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Optim Data Growth, Test Data Management and Application Retirement

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6 used by Optim Data Growth, Test Data Management and Application Retirement. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For the complete list of vulnerabilities, refer to the "IBM Java SDK Security Bulletin" link in the "References" section.

CVEID: CVE-2016-5546
DESCRIPTION:
An unspecified vulnerability related to the Libraries component has no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5548
DESCRIPTION:
An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5549
DESCRIPTION:
An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5547
DESCRIPTION:
An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2183
DESCRIPTION:
OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM InfoSphere Optim solutions and editions versions 9.1 and 11.3 running on all supported platforms are affected.

Both editions (Enterprise and Workgroup) of the following products are affected:

  • Optim Archive
  • Optim Data Privacy
  • Optim Test Data Management

All variations of the following solutions are affected:
  • Optim Data Growth Solution
  • Optim Solution for Application Retirement
  • Optim Test Data Management Solution

Remediation/Fixes

For the 11.3 release, fix pack 4 (11.3.0.4), iFix 153 and iFix 215 are required before installing iFix 032. That is, install 11.3.0.4, then iFix 153, then iFix 215, then iFix 032.

For the 9.1 release, fix pack 6 (9.1.0.6) and iFix 208 are required before installing iFix 025.

Product                                      VRMF     iFix   Remediation/First Fix
IBM InfoSphere Optim solutions and editions  11.3.0   032    - Apply IBM InfoSphere Optim 11.3.0.4
                                                             - Apply IBM InfoSphere Optim iFix 153
                                                             - Apply IBM InfoSphere Optim iFix 215
IBM InfoSphere Optim solutions and editions  9.1.0    025    - Apply IBM InfoSphere Optim 9.1.0.6
                                                             - Apply IBM InfoSphere Optim iFix 208

Installing this fix

For each release (9.1.0 and 11.3.0), there are 3 components that require this fix:
  1. Optim Designer
  2. Optim Runtime Services
  3. WAS CE

There are 2 alternatives to install the fixes:
  1. Use IBM Installation Manager to directly download the fix from IBM and apply it. An internet connection is required on the machine where Optim is installed for this alternative.
  2. Download the zip file and then use IBM Installation Manager to install it. An internet connection is not required on the machine where Optim is installed for this alternative, but the zip file will have to be placed on the machine via a diskette or USB drive to be used.

Here are the detailed instructions for each alternative:
  1. Use IBM Installation Manager to directly download an iFix from IBM and apply it. This method requires an external internet connection on the host machine containing Installation Manager and one, two or all of the following 3 Optim components: Designer, Runtime Services, and WAS CE.

    Use the following instructions:
    1. Shut down all Optim components.
    2. Start Installation Manager. If you have multiple instances of Installation Manager installed, make sure you choose the one used to install Optim.
    3. On the main Installation Manager window, select File->Preferences, then Repositories.
    4. At the bottom of the Installation Manager Repositories window, ensure the check box "Search service repositories during installation and updates." is selected.
    5. Select OK to save the settings and close the window.
    6. On the main Installation Manager window, select the Update icon.
    7. On the Update Packages window, select one of the following:
      1. "IBM InfoSphere" package group for machines where Optim Designer is installed
      2. "IBM Optim Runtime" package group for machines where Optim Runtime Services is installed
      3. "IBM Optim Shared" package group for machines where WAS CE is installed
    8. Select the Next button.
    9. On the next window, ensure that the appropriate iFix is selected for the version of the Optim that is installed on your machine.
    10. Follow the wizard to complete the installation of the iFix.

      NOTES:
      1. You must be at either version 9.1.0.6 or 11.3.0.4 for this to work.
      2. Repeat this process for each Optim component (Designer, Runtime Services, WAS CE) that is installed on each machine where Optim is installed.
  2. Download the zip file and then use IBM Installation Manager to install it.

    Use the following instructions:
    1. To update Optim Designer download:
      1. For 11.3.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032DesignerPatch.zip
      2. For 9.1.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025DesignerPatch.zip
    2. To update Optim Runtime Services download:
      1. For 11.3.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032RuntimeServicesPatch.zip
      2. For 9.1.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025RuntimeServicesPatch.zip
    3. To update WAS CE download:
      1. For 11.3.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-11.03.00-032WASCEPatch.zip
      2. For 9.1.0: http://public.dhe.ibm.com/software/rationalsdp/v75/nex/zips/OPDM-09.01.00-025WASCEPatch.zip
    4. Transfer each of the above files, for the components that are installed, to the computer where Optim is installed.
    5. Unzip the zip file(s).
    6. Follow the instructions in the ReadMe contained in the zip file(s).

      NOTES:

      1. If you have multiple components on a computer, you will have to install the fix for each component (Designer, Runtime Services, WAS CE) separately.

Workarounds and Mitigations

None

References

Change History

16 June 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
08 July 2021

UID

swg22003285