IBM Patches 13 Security Vulnerabilities in IBM i JDK

    July 20, 2016 Alex Woodie

    Time to shore up your Java. Last month IBM patched 13 security vulnerabilities that impact the Java Development Kit (JDK) for IBM i versions 6.1, 7.1, 7.2, and 7.3. The flaws range from small nuisances to severe, particularly the four flaws that earned perfect 10s on the CVSS impact scale.

    Of the 13 vulnerabilities that IBM identified in a June 27 security bulletin, all but three were first disclosed to the world by Oracle, which directs development of the semi-open-source language and patched the problems. Big Red disclosed the existence of most of the flaws that IBM recently issued security patches for in its April critical patch update.

    We’ll start with the vulnerabilities with the biggest potential impacts, i.e., those that got perfect 10s in the CVSS base score, indicating maximum potential impact on the confidentiality, integrity, and availability of computers running Java, including IBM i.

    CVE-2016-3427 describes an unspecified vulnerability in the JMX component of various Java products (including Oracle Java SE, Java SE Embedded and JRockit) that could allow a remote attacker to gain full control over an affected system. According to Oracle’s security report, the flaw can be exploited on client and server Java implementations, is invokable via API, and can even impact sandboxed Java environments. Its CVSS temporal score is 7.4, which is still considered high.

    IBM is also redistributing Oracle’s patch for CVE-2016-3443, an unspecified flaw in the Oracle Java SE 2D component that could enable an attacker to gain full control over an affected server. This flaw has a perfect CVSS base score of 10, and a temporal score of 7.4, making it a critical flaw.

    Hackers can also gain full control through CVE-2016-0687, another nasty little vulnerability first reported to Oracle in April. This flaw impacts the Java SE Embedded Hotspot component, and earns a perfect CVSS base score of 10 and has a CVSS temporal score of 7.4, making it a lock for silver.

    Meanwhile, CVE-2016-0686 describes a problem in the serialization component of Java SE and Java SE Embedded that could allow an attacker to gain full control over an affected server. This flaw is a perfect 10 in terms of CVSS base score, and earns a 7.4 on the temporal table.

    IBM also issued a patch for CVE-2016-3449, which is another unspecified flaw in Oracle’s Standard Edition (SE) of Java versions 6 through 8 that an attacker could access remotely to impact a server. This flaw, also discovered in April and also patched by Oracle, carries a CVSS base score of 7.6, and a temporal score of 5.6.

    The patch for CVE-2016-3425 will fix another problem in Java SE versions 6 through 8 that could allow an attacker to launch a denial of service (DoS) attack. This flaw carries a CVSS base score of 5, making it a medium threat, and a temporal score of 3.7, reflecting the greater difficulty an attacker would have actually carrying this out in the wild.

    The next flaw that IBM patched in its IBM i JDKs is related to CVE-2016-3422, which also carries a DoS threat via problems in the Java SE 2D component. This threat, which carries a CVSS base score of 5 and a temporal score of 3.7, does not affect sandboxed Java server environments that run trusted code.

    A vulnerability with a relatively low threat, CVE-2016-0695 carries with it a risk of information disclosure over the network. This threat carries low CVSS base and temporal scores of 2.6 and 1.9, respectively. Like the other Java vulns, this was discovered in April.

    IBM is also re-distributing Oracle’s patch for CVE-2016-3426, another unspecified vulnerability discovered in April that carries a medium-to-low threat of a victim losing information.

    A particularly nasty bugger identified by CVE-2016-0636 was also fixed. First discovered in March, this flaw in Oracle Java SE versions 6 through 8 could allow a remote attacker to execute arbitrary code on the system by persuading a victim to visit a specially crafted website. It carries a CVSS base score of 9.3 and a temporal score of 6.9.

    Now, onto the flaws IBM discovered and fixed in its own technology.

    The first is CVE-2016-0363, which describes a vulnerability in the IBM ORB implementation of the IBM SDK, Java Technology Edition 6 that could allow untrusted code running under a security manager to elevate its privileges. The flaw, which was discovered in May, carries a CVSS base score of 8.1 and a temporal score of 7.1.

    Another nasty little bugger exists in CVE-2016-0376, a problem in some versions of the IBM SDK, Java Technology Edition 6 that could allow an attacker to break out of the sandbox and execute arbitrary code. Like the previous flaw, this flaw carries a CVSS base score of 8.1 and a temporal score of 7.1.

    The final flaw that IBM fixed in its own technology is a buffer overflow problem in IBM’s JVM identified as CVE-2016-0264. IBM says this flaw, which it discovered in May, can only be exploited in certain circumstances. It carries a CVSS base score of 5.6 and a temporal score of 4.9, reflecting a medium threat.

Volume 26, Number 31 -- July 20, 2016