IBM Patches 13 Security Vulnerabilities in IBM i JDK
July 20, 2016 Alex Woodie
Time to shore up your Java. Last month IBM patched 13 security vulnerabilities that impact the Java Development Kit (JDK) for IBM i versions 6.1, 7.1, 7.2, and 7.3. The flaws range from being small nuisances to severe, particularly the four flaws that earned perfect 10s on the CVSS impact scale.
Of the 13 vulnerabilities that IBM identified in a June 27 security bulletin, all but three of them were first disclosed to the world by Oracle, which directs development of the semi open-source language and patched the problems. Big Red disclosed the existence of most of the flaws that IBM recently issued security patches for in its April critical patch update.
We’ll start with the vulnerabilities with the biggest potential impacts–i.e., those that got perfect 10s in the CVSS base score, indicating maximum potential impacts in the confidentiality, integrity, and availability of computers running Java, including IBM i.
CVE-2016-3427 describes an unspecified vulnerability in the JMX component of various Java products (including Oracle Java SE, Java SE Embedded and JRockit) that could allow a remote attacker to gain full control over an affected system. According to Oracle’s security report, the flaw can be exploited on client and server Java implementations, is invokable via API, and can even impact sandboxed Java environments. Its CVSS temporal score is 7.4, which is still considered high.
IBM is also redistributing Oracle’s patch for CVE-2016-3443, an unspecified flaw in the Oracle Java SE 2D component that could enable an attacker to gain full control over an affected server. This flaw has a perfect CVSS base score of 10, and a temporal score of 7.4, making it a critical flaw.
Hackers can also gain full control through CVE-2016-0687, another nasty little vulnerability first reported to Oracle in April. This flaw impacts the Java SE Embedded Hotspot component, and earns a perfect CVSS base score of 10 and has a CVSS temporal score of 7.4, making it a lock for silver.
Meanwhile, CVE-2016-0686 describes a problem in the serialization component of Java SE and Java SE Embedded that could allow an attacker to gain full control over an affected server. This flaw is a perfect 10 in terms of CVSS base score, and earns a 7.4 on the temporal table.
IBM also issued a patch for CVE-2016-3449, which is another unspecified flaw in Oracle’s Standard Edition (SE) of Java versions 6 through 8 that an attacker could access remotely to impact a server. This flaw, also discovered in April and also patched by Oracle, carries a CVSS base score of 7.6, and a temporal score of 5.6.
The patch for CVE-2016-3425 will fix another problem in the Java SE for versions 6 through 8 that could allow an attacker to launch a denial of service (DOS) attack. This flaw carries a CVSS base score of 5, making it a medium threat, and a temporal score of 3.7, reflecting greater difficulty of an attacker actually carrying this out in the wild.
The next flaw that IBM patched in its IBM i JDKs is related to CVE-2016-3422, which also carries a DOS threat via problems in the Java SE and the 2D component. This threat, which carries a CVSS base score of 5 and a temporal score of 3.7, does not affect sandboxed Java server environments that run trusted code.
A vulnerability with a relatively low threat, CVE-2016-0695 carries with it a risk for information disclosure over the network. This threat carries low CVSS base and temporal scores, 2.6 and 1.9 respectively. Like the other Java vulns, this was discovered in April.
IBM is also re-distributing Oracle’s patch for CVE-2016-3426, another unspecified vulnerability discovered in April that carries a medium-to-low threat of a victim losing information.
A particularly nasty bugger identified by CVE-2016-0636 was also fixed. First discovered in March, this flaw in Oracle Java SE versions 6 through 8 could allow a remote attacker to execute arbitrary code on the system by persuading a victim to visit a specially crafted website. It carries a CVSS base score of 9.3 and a temporal score of 6.9.
Now, onto the flaws IBM discovered and fixed in its own technology.
The first is CVE-2016-0363, which describes a vulnerability in the IBM ORB implementation of the IBM SDK, Java Technology Edition 6 that could allow untrusted code running under a security manager to elevate its privileges. The flaw, which was discovered in May, carries a CVSS base score of 8.1 and a temporal score of 7.1.
Another nasty little bugger exists in CVE-2016-0376, a problem in some versions of the IBM SDK, Java Technology Edition 6 that could allow an attacker to break out of the sandbox and execute arbitrary code. Like the previous flaw, this flaw carries a CVSS base score of 8.1 and a temporal score of 7.1.
The final flaw that IBM fixed in its own technology is a buffer overflow problem in IBM’s JVM identified as CVE-2016-0264. IBM says this flaw, which it discovered in May, can only be exploited in certain circumstances. It carries a CVSS base score of 5.6 and a temporal score of 4.9, reflecting a medium threat.
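The article quotes a base score and a lower temporal score for each flaw without saying how the two relate. The following Python script, added here and not part of the original article or of IBM's or Oracle's bulletins, reproduces the quoted pairs from the published CVSS temporal equations. It assumes the temporal vector a fixed, vendor-confirmed flaw normally carries (Exploitability: Unproven, Remediation Level: Official Fix, Report Confidence: Confirmed); the multiplier tables are the ones in the CVSS v2 and v3.0 specifications. The Oracle-sourced pairs (10 to 7.4, 5 to 3.7, 7.6 to 5.6, 2.6 to 1.9, 9.3 to 6.9) come out of the v2 equation, while the IBM-sourced pairs (8.1 to 7.1, 5.6 to 4.9) only come out of the v3 equation; that versioning split is an inference from the numbers, not something the article states, and `which_version` makes the check explicit.

```python
"""Reproduce the base -> temporal CVSS pairs quoted in the article.

Added example. Assumption: every flaw is scored with the temporal vector
Exploitability Unproven / Remediation Level Official Fix / Report Confidence
Confirmed, i.e. the usual state of a flaw once the vendor has shipped a fix.
"""
from decimal import Decimal, ROUND_CEILING, ROUND_HALF_UP

# CVSS v2 temporal multipliers (v2 specification, section 3.2.1).
V2_EXPLOITABILITY = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0"}
V2_REMEDIATION = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0"}
V2_CONFIDENCE = {"UC": "0.90", "UR": "0.95", "C": "1.0"}

# CVSS v3.0 temporal multipliers (v3.0 specification, section 8.2).
V3_EXPLOITABILITY = {"U": "0.91", "P": "0.94", "F": "0.97", "H": "1.0"}
V3_REMEDIATION = {"O": "0.95", "T": "0.96", "W": "0.97", "U": "1.0"}
V3_CONFIDENCE = {"U": "0.92", "R": "0.96", "C": "1.0"}


def temporal_v2(base, e="U", rl="OF", rc="C"):
    """CVSS v2: round(base * E * RL * RC) to one decimal, half up.

    Decimal is used because e.g. 10 * 0.85 * 0.87 = 7.395 sits exactly on a
    rounding boundary and binary floats would make the result unpredictable.
    """
    raw = (Decimal(str(base)) * Decimal(V2_EXPLOITABILITY[e])
           * Decimal(V2_REMEDIATION[rl]) * Decimal(V2_CONFIDENCE[rc]))
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_v3(base, e="U", rl="O", rc="C"):
    """CVSS v3.0: Roundup(base * E * RL * RC), i.e. ceiling to one decimal."""
    raw = (Decimal(str(base)) * Decimal(V3_EXPLOITABILITY[e])
           * Decimal(V3_REMEDIATION[rl]) * Decimal(V3_CONFIDENCE[rc]))
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_CEILING))


def which_version(base, temporal):
    """Tell which equation reproduces a published base/temporal pair.

    Returns "v2", "v3", "both" or None. Useful when a bulletin mixes scores
    from sources that adopted CVSS v3 at different times.
    """
    v2_match = temporal_v2(base) == temporal
    v3_match = temporal_v3(base) == temporal
    if v2_match and v3_match:
        return "both"
    if v2_match:
        return "v2"
    if v3_match:
        return "v3"
    return None


# (CVE, base, temporal) as quoted in the article; constructed from its text.
ARTICLE_SCORES = [
    ("CVE-2016-3427", 10, 7.4),
    ("CVE-2016-3443", 10, 7.4),
    ("CVE-2016-0687", 10, 7.4),
    ("CVE-2016-0686", 10, 7.4),
    ("CVE-2016-3449", 7.6, 5.6),
    ("CVE-2016-3425", 5, 3.7),
    ("CVE-2016-3422", 5, 3.7),
    ("CVE-2016-0695", 2.6, 1.9),
    ("CVE-2016-0636", 9.3, 6.9),
    ("CVE-2016-0363", 8.1, 7.1),
    ("CVE-2016-0376", 8.1, 7.1),
    ("CVE-2016-0264", 5.6, 4.9),
]


def classify_article_scores():
    """Map each quoted CVE to the CVSS version its temporal score implies."""
    return {cve: which_version(base, temporal)
            for cve, base, temporal in ARTICLE_SCORES}


if __name__ == "__main__":
    for cve, version in classify_article_scores().items():
        print(f"{cve}: temporal score matches CVSS {version}")
```

The practical reading of the output: a temporal score below the base score says that, at scoring time, no public exploit was known and an official fix existed, which is exactly the window in which applying the patch is worth the most. The same multipliers let you re-score a flaw if a proof-of-concept later appears (`temporal_v2(10, e="POC")` rises to 7.8), so the temporal figure is a snapshot, not a property of the bug.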