Malware Devil

Loading...

Monday, August 10, 2020

ESB-2020.2736 – [Linux][AIX] WebSphere Application Server Patterns: Multiple vulnerabilities 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2736
    Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects
        WebSphere Application Server July 2020 CPU that is bundled
              with IBM WebSphere Application Server Patterns
                              10 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server Patterns
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
                   CVE-2020-14581 CVE-2020-14579 CVE-2020-14578
                   CVE-2020-14577 CVE-2020-14556 CVE-2020-2601
                   CVE-2020-2590 CVE-2019-17639 

Reference:         ASB-2020.0131
                   ASB-2020.0128
                   ESB-2020.2725
                   ESB-2020.2690
                   ESB-2020.2545

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6257557

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server
July 2020 CPU that is bundled with IBM WebSphere Application Server Patterns


Document Information

More support for: WebSphere Application Server Patterns
Software version: Version Independent
Operating system(s): AIX, Linux
Document number: 6257557
Modified date: 07 August 2020 


Security Bulletin

Summary

There are multiple vulnerabilities in the IBM SDK Java Technology Edition that
is shipped with IBM WebSphere Application Server. These issues were disclosed
in the IBM Java SDK updates in July 2020.

Vulnerability Details

CVEID: CVE-2020-2601
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Security component could allow an unauthenticated attacker
to obtain sensitive information resulting in a high confidentiality impact
using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2020-14583
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-14593
DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D
component could allow an unauthenticated attacker to cause no confidentiality
impact, high integrity impact, and no availability impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185071 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2020-14621
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2020-14556
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2020-14581
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the 2D component could allow an unauthenticated attacker to
obtain sensitive information resulting in a low confidentiality impact using
unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185059 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-14579
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14578
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14577
DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-17639
DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to obtain sensitive
information, caused by the premature return of the current method with an
undefined return value. By invoking the System.arraycopy method with a length
longer than the length of the source or destination array can, an attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-2590
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Security component could allow an unauthenticated attacker to cause no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174538 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0
through 1.0.0.7 and 2.2.0.0 through 2.3.3.0.

Remediation/Fixes

Please see the IBM Java SDK Security Bulletin for WebSphere Application Server 
to determine which WebSphere Application Server versions are affected and to
obtain the JDK fixes. The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2007 can be
used to apply the April 2020 SDK iFixes in a PureApplication or Cloud Pak
System Environment.

Download and apply the interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2007.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXzDVVuNLKJtyKPYoAQjJVw//ZriZlNnD7mv/xyIwOj9h7j5NueMR2PCh
gy4z0FK5KsF0fLZxfg73oZ9eCHrtk8rkvCFbuyRJ0/1smAxnbX7k2AEr2QEU5Ys4
zbGnGYYA6tdOrPBq8vXutUvHZ+Pd/Enm2jIPhRrkvLtfNEfyvpB8VLY1wXMO8YXY
zNCz/CHYDiHxKloz9MWajBHEzcgfgbHtxhKGNkopyEOC7Asjd0K8YA3J3aLsHViN
kT2kFf9w804ROigDLdmD/eVcUNiry5rK3jD5pI5zRqitewsT5yU7A3fXgjWgA30q
24k9DaN2mvqTCHjAiusJtTqDuBEj06o9pQBoKNXPgXJGKj8Bsa/lU/90+hvFf9EO
tvqOy1VBsqm+xfVjP/8iu78WiPLL1OG90jIud5HO+yP13JT3bebka6ZxtddQSZ4h
zk/UrWuY+c/85+mk+xnDxDZRgf8OM+lDHi0f9t78hjLbJ2/5UV2y98cF+jnq3BbC
QX0Rs7lCBvpDnFYjCun9TmieMj9Srg0sOaENplFOu3Lma+EzJdZPfwUr/j/DbOQ7
QV13MgCBddxTUP+Ie0793m+kqzL1IwghbXw+xWQ403e4+8mLa77aMeW5Tktgt0W2
dx4Pbk5dHgviBGW8alR0goAu3YDfnni72LO5nBEp9x2qJNyXD1Jq5G4yZkkZc7s7
bDBaOVRdY6o=
=QPX8
-----END PGP SIGNATURE-----

Read More



https://www.malwaredevil.com/2020/08/10/esb-2020-2736-linuxaix-websphere-application-server-patterns-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2736-linuxaix-websphere-application-server-patterns-multiple-vulnerabilities
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...