Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor with Spark

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ versions, specifically Version 8 Service Refresh 5 Fix Pack 10 and earlier releases used by IBM Spectrum Conductor with Spark 2.2.0 and 2.2.1. These issues were disclosed as part of the IBM Java SDK updates in April 2018.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, evaluate your code to determine whether the complete list of vulnerabilities applies to it. For the complete list, refer to the "IBM Java SDK Security Bulletin" link in the "References" section.

CVEID: CVE-2018-2814
DESCRIPTION: An unspecified vulnerability related to the Java SE VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2794
DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141950 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2783
DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2799
DESCRIPTION: An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141955 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2798
DESCRIPTION: An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2797
DESCRIPTION: An unspecified vulnerability related to the Java SE JMX component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2796
DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141952 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2795
DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141951 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2800
DESCRIPTION: An unspecified vulnerability related to the Java SE RMI component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-2790
DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141946 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Spectrum Conductor with Spark 2.2.0
IBM Spectrum Conductor with Spark 2.2.1

Remediation/Fixes

Before installation

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator. The command below uses the product's default Admin/Admin credentials (-x takes the password); substitute your own cluster administrator credentials if the defaults have been changed:
    > egosh user logon -u Admin -x Admin
  3. Stop all services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all

Installation

  1. Log on to each host in your cluster (root or sudo to root permission).
  2. Define the CLUSTERADMIN environment variable and set it to a valid operating system user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  3. Upgrade the JRE by using the RPM in this interim fix.
    NOTE: RPM version 4.2.1 or later must be installed on the host. Replace dbpath_location in the following RPM commands with the path to the RPM database used by your cluster installation.
    For IBM Spectrum Conductor with Spark 2.2.0, using Linux x86_64 as an example:
    > mkdir -p /tmp/cws22build498783
    > tar zxof cws-2.2.0.0_x86_64_build498783.tgz -C /tmp/cws22build498783
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws22build498783/egojre-8.0.5.17.x86_64.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, using Linux x86_64 as an example:
    > mkdir -p /tmp/cws221build498785
    > tar zxof cws-2.2.1.0_x86_64_build498785.tgz -C /tmp/cws221build498785
    > rpm -ivh --replacefiles --prefix $EGO_TOP --dbpath dbpath_location /tmp/cws221build498785/egojre-8.0.5.17.x86_64.rpm
    The cshrc.jre and profile.jre files are updated to the current JRE version. If you made copies of these files, ensure that you update the copied files with the new JRE version.
  4. Source the cluster profile again and start the cluster:
    > egosh ego start all
  5. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Verify the installation

Run the rpm -qa command to verify the installation.

For IBM Spectrum Conductor with Spark 2.2.0, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
  egojre-8.0.5.17-498783.x86_64

For IBM Spectrum Conductor with Spark 2.2.1, enter:
> rpm -qa --dbpath dbpath_location |grep egojre
  egojre-8.0.5.17-498785.x86_64
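The verification step above only asks you to eyeball the rpm -qa output. When the upgrade is rolled out across every host in the cluster it is worth scripting the check so a host that was skipped, or that still carries an older egojre package alongside the new one, is flagged rather than missed. The function below is an added example, not part of the IBM bulletin: it takes the expected package name from the bulletin and the text that "rpm -qa --dbpath dbpath_location | grep egojre" prints, and fails unless that package is the only egojre package registered. The sample listings at the end are constructed for offline exercise; the build number in the "old" listing is a placeholder, not a real package.

```shell
#!/bin/sh
# Added example (not IBM's code): confirm the patched egojre package is the only
# JRE registered in a host's RPM database after the upgrade procedure above.
#
# check_egojre EXPECTED LISTING
#   EXPECTED  package name the bulletin says rpm -qa must report:
#               egojre-8.0.5.17-498783.x86_64 for 2.2.0
#               egojre-8.0.5.17-498785.x86_64 for 2.2.1
#   LISTING   text produced by: rpm -qa --dbpath dbpath_location | grep egojre
# Returns 0 only when EXPECTED is present and no other egojre package is.
check_egojre() {
    expected="$1"
    listing="$2"
    # grep -c exits 1 when it counts zero lines; "|| true" keeps set -e callers alive.
    count=$(printf '%s\n' "$listing" | grep -c '^egojre-' || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no egojre package registered; the JRE fix is not installed" >&2
        return 1
    fi
    # -F: literal match (dots in the package name are not regex wildcards); -x: whole line.
    if ! printf '%s\n' "$listing" | grep -qxF "$expected"; then
        echo "FAIL: expected $expected but the RPM database reports:" >&2
        printf '%s\n' "$listing" | grep '^egojre-' >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count egojre packages registered; an older JRE is still present" >&2
        return 1
    fi
    echo "OK: $expected is the only registered JRE"
    return 0
}

# On a live 2.2.0 host (replace dbpath_location as in the bulletin):
#   check_egojre egojre-8.0.5.17-498783.x86_64 \
#       "$(rpm -qa --dbpath dbpath_location | grep egojre)"

# Constructed sample listings for exercising the check offline.
LISTING_PATCHED='egojre-8.0.5.17-498783.x86_64'
LISTING_OLD='egojre-8.0.5.10-000000.x86_64'   # placeholder build number, not a real package
LISTING_BOTH="$LISTING_PATCHED
$LISTING_OLD"
```

Run it on every host from your configuration management tool and treat any non-zero exit as an unpatched host; a host where the old package survives next to the new one is the case the uninstallation steps below exist to avoid, and the bulletin's own verification line would still show the correct version among the output.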

Uninstallation (if required)

  1. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
  2. Log on to the primary management host as the cluster administrator (the command uses the default Admin/Admin credentials; substitute your own if the defaults have been changed):
    > egosh user logon -u Admin -x Admin
  3. Stop services and shut down the cluster:
    > egosh service stop all
    > egosh ego shutdown all
  4. Log on to each host in your cluster (root or sudo to root permission).
  5. Define the CLUSTERADMIN environment variable and set it to a valid operating system user account, which then owns all installation files. For example:
    > export CLUSTERADMIN=egoadmin
  6. Uninstall the patched JRE and then reinstall the original JRE shipped with the product.
    NOTE: RPM version 4.2.1 or later must be installed on the host.
    Replace dbpath_location in the following RPM commands with the path to the RPM database used by your cluster installation.
    For IBM Spectrum Conductor with Spark 2.2.0, enter:
    > rpm -e egojre-8.0.5.17-498783.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre RPM still listed, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the original JRE:
    > mkdir -p /tmp/extract22
    > cws-2.2.0.0_x86_64.bin --extract /tmp/extract22
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract22/egojre-*.rpm
    For IBM Spectrum Conductor with Spark 2.2.1, enter:
    > rpm -e egojre-8.0.5.17-498785.x86_64 --dbpath dbpath_location --nodeps
    > rpm -qa --dbpath dbpath_location |grep egojre
    For each previous egojre RPM still listed, run:
    > rpm -e [egojre_name] --dbpath dbpath_location --nodeps
    Then, install the original JRE:
    > mkdir -p /tmp/extract221
    > cws-2.2.1.0_x86_64.bin --extract /tmp/extract221
    > rpm -ivh --prefix $EGO_TOP --dbpath dbpath_location /tmp/extract221/egojre-*.rpm
  7. Source the cluster profile and start the cluster:
    > egosh ego start all
  8. Log in to the cluster management console as the cluster administrator and start the required Spark instance groups.

Packages

Product                            VRMF   APAR     Remediation/First Fix
IBM Spectrum Conductor with Spark  2.2.0  P102673  egojre-8.0.5.17.x86_64.rpm
                                                   egojre-8.0.5.17.ppc64le.rpm
                                                   http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2-build498783&includeSupersedes=0
IBM Spectrum Conductor with Spark  2.2.1  P102673  egojre-8.0.5.17.x86_64.rpm
                                                   egojre-8.0.5.17.ppc64le.rpm
                                                   http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=cws-2.2.1-build498785&includeSupersedes=0

Workarounds and Mitigations

  None

References

Acknowledgement

None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
02 August 2021

UID

ibm10720115