    IBM Patches 13 Security Vulnerabilities in IBM i JDK

    July 20, 2016 Alex Woodie

    Time to shore up your Java. Last month IBM patched 13 security vulnerabilities that affect the Java Development Kit (JDK) for IBM i versions 6.1, 7.1, 7.2, and 7.3. The flaws range from small nuisances to severe threats, particularly the four flaws that earned perfect 10s on the CVSS impact scale.

    Of the 13 vulnerabilities that IBM identified in a June 27 security bulletin, all but three were first disclosed to the world by Oracle, which directs development of the semi-open-source language and patched the problems. Big Red disclosed most of the flaws that IBM has now patched in its April Critical Patch Update.

    We’ll start with the vulnerabilities with the biggest potential impacts, i.e., those that got perfect 10s in the CVSS base score, indicating maximum potential impact on the confidentiality, integrity, and availability of computers running Java, including IBM i.

    CVE-2016-3427 describes an unspecified vulnerability in the JMX component of various Java products (including Oracle Java SE, Java SE Embedded and JRockit) that could allow a remote attacker to gain full control over an affected system. According to Oracle’s security report, the flaw can be exploited on client and server Java implementations, is invokable via API, and can even affect sandboxed Java environments. Its CVSS temporal score is 7.4, which is still considered high.

    IBM is also redistributing Oracle’s patch for CVE-2016-3443, an unspecified flaw in the Oracle Java SE 2D component that could enable an attacker to gain full control over an affected server. This flaw has a perfect CVSS base score of 10, and a temporal score of 7.4, making it a critical flaw.

    Hackers can also gain full control through CVE-2016-0687, another nasty little vulnerability first reported to Oracle in April. This flaw impacts the Java SE Embedded Hotspot component, and earns a perfect CVSS base score of 10 and has a CVSS temporal score of 7.4, making it a lock for silver.

    Meanwhile, CVE-2016-0686 describes a problem in the serialization component of Java SE and Java SE Embedded that could allow an attacker to gain full control over an affected server. This flaw is a perfect 10 in terms of CVSS base score, and earns a 7.4 on the temporal table.

    IBM also issued a patch for CVE-2016-3449, which is another unspecified flaw in Oracle’s Standard Edition (SE) of Java versions 6 through 8 that an attacker could access remotely to impact a server. This flaw, also discovered in April and also patched by Oracle, carries a CVSS base score of 7.6, and a temporal score of 5.6.

    The patch for CVE-2016-3425 fixes another problem in Java SE versions 6 through 8 that could allow an attacker to launch a denial of service (DoS) attack. This flaw carries a CVSS base score of 5, making it a medium threat, and a temporal score of 3.7, reflecting the greater difficulty of an attacker actually carrying this out in the wild.

    The next flaw that IBM patched in its IBM i JDKs is related to CVE-2016-3422, which also carries a DoS threat via problems in Java SE and the 2D component. This threat, which carries a CVSS base score of 5 and a temporal score of 3.7, does not affect sandboxed Java server environments that run trusted code.

    A vulnerability with a relatively low threat, CVE-2016-0695 carries a risk of information disclosure over the network. This threat has low CVSS base and temporal scores, 2.6 and 1.9, respectively. Like the other Java vulns, it was discovered in April.

    IBM is also re-distributing Oracle’s patch for CVE-2016-3426, another unspecified vulnerability discovered in April that carries a medium-to-low threat of a victim losing information.

    A particularly nasty bugger identified by CVE-2016-0636 was also fixed. First discovered in March, this flaw in Oracle Java SE versions 6 through 8 could allow a remote attacker to execute arbitrary code on the system by persuading a victim to visit a specially crafted website. It carries a CVSS base score of 9.3 and a temporal score of 6.9.

    Now, onto the flaws IBM discovered and fixed in its own technology.

    The first is CVE-2016-0363, which describes a vulnerability in the IBM ORB implementation of the IBM SDK, Java Technology Edition 6 that could allow untrusted code running under a security manager to elevate its privileges. The flaw, which was discovered in May, carries a CVSS base score of 8.1 and a temporal score of 7.1.

    Another nasty little bugger exists in CVE-2016-0376, a problem in some versions of the IBM SDK, Java Technology Edition 6 that could allow an attacker to break out of the sandbox and execute arbitrary code. Like the previous flaw, this one carries a CVSS base score of 8.1 and a temporal score of 7.1.

    The final flaw that IBM fixed in its own technology is a buffer overflow problem in IBM’s JVM identified as CVE-2016-0264. IBM says this flaw, which it discovered in May, can only be exploited in certain circumstances. It carries a CVSS base score of 5.6 and a temporal score of 4.9, reflecting a medium threat.
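    Every flaw above is quoted with a CVSS base score and a lower temporal score; the temporal score discounts the base score for exploit maturity, remediation status and report confidence, which is why a patched flaw with no public exploit scores 7.4 instead of 10. The following is an added example, not part of the article or of IBM’s bulletin: it recomputes the printed temporal scores from the printed base scores assuming the usual post-patch metrics (Exploitability Unproven, Remediation Level Official Fix, Report Confidence Confirmed), and assumes that the Oracle-sourced scores follow CVSS v2 rounding while IBM’s own three follow CVSS v3 round-up, since those are the rules that reproduce the printed numbers.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_CEILING

# Temporal multipliers from the CVSS v2 and v3.0 specifications.
# E = Exploitability, RL = Remediation Level, RC = Report Confidence.
V2 = {"E": {"U": "0.85", "POC": "0.90", "F": "0.95", "H": "1.00"},
      "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.00"},
      "RC": {"UC": "0.90", "UR": "0.95", "C": "1.00"}}
V3 = {"E": {"U": "0.91", "P": "0.94", "F": "0.97", "H": "1.00"},
      "RL": {"O": "0.95", "T": "0.96", "W": "0.97", "U": "1.00"},
      "RC": {"U": "0.92", "R": "0.96", "C": "1.00"}}


def _product(table, base, e, rl, rc):
    """Base score times the three temporal multipliers, computed exactly."""
    return (Decimal(str(base)) * Decimal(table["E"][e])
            * Decimal(table["RL"][rl]) * Decimal(table["RC"][rc]))


def temporal_v2(base, e="U", rl="OF", rc="C"):
    """CVSS v2 temporal score: the product rounded half-up to one decimal."""
    return float(_product(V2, base, e, rl, rc)
                 .quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_v3(base, e="U", rl="O", rc="C"):
    """CVSS v3 temporal score: the product rounded UP to one decimal."""
    return float(_product(V3, base, e, rl, rc)
                 .quantize(Decimal("0.1"), rounding=ROUND_CEILING))


# Base and temporal scores as printed in the article. The version column is
# this example's assumption (not stated in the article): Oracle-sourced
# scores reproduce under v2 rounding, IBM's own under v3 round-up.
ARTICLE = [
    ("CVE-2016-3427", 10, 7.4, "v2"), ("CVE-2016-3443", 10, 7.4, "v2"),
    ("CVE-2016-0687", 10, 7.4, "v2"), ("CVE-2016-0686", 10, 7.4, "v2"),
    ("CVE-2016-3449", 7.6, 5.6, "v2"), ("CVE-2016-3425", 5, 3.7, "v2"),
    ("CVE-2016-3422", 5, 3.7, "v2"), ("CVE-2016-0695", 2.6, 1.9, "v2"),
    ("CVE-2016-0636", 9.3, 6.9, "v2"), ("CVE-2016-0363", 8.1, 7.1, "v3"),
    ("CVE-2016-0376", 8.1, 7.1, "v3"), ("CVE-2016-0264", 5.6, 4.9, "v3"),
]


def recompute_article():
    """Map each CVE to (printed temporal score, recomputed temporal score)."""
    out = {}
    for cve, base, printed, version in ARTICLE:
        calc = temporal_v2(base) if version == "v2" else temporal_v3(base)
        out[cve] = (printed, calc)
    return out


if __name__ == "__main__":
    for cve, (printed, calc) in recompute_article().items():
        print(f"{cve}: printed {printed}, recomputed {calc}")
```

The temporal score never exceeds the base score, so a flaw with a 10 base score and a 7.4 temporal score is still a full compromise of confidentiality, integrity and availability; only the likelihood of exploitation today has been discounted, and it rises again (for example, to 10 with Exploitability High and Remediation Level Unavailable) if a working exploit appears before the patch is applied.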


Volume 26, Number 31 -- July 20, 2016