=====================================================================
CERT-Renater Information Note No. 2021/VULN415
_____________________________________________________________________
DATE : 20/08/2021
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): AIX, Linux running WebSphere Application Server Patterns versions 1.0.0.0 up to and including 1.0.0.7, 2.2.0.0 up to and including 2.3.3.3.
=====================================================================

https://www.ibm.com/support/pages/node/6482283
_____________________________________________________________________

Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns

Document Information
Document number : 6482283
Modified date : 18 August 2021
Product : WebSphere Application Server Patterns
Component : Not Applicable
Software version : Version Independent
Operating system(s): AIX, Linux
Edition : All Editions

Summary

There are multiple vulnerabilities in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2021.

Vulnerability Details

CVEID: CVE-2021-2388
DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/205815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-2369
DESCRIPTION: An unspecified vulnerability in Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/205796 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2021-2432
DESCRIPTION: An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/205856 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-2341
DESCRIPTION: An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/205768 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 through 2.3.3.3.

Remediation/Fixes

Please see the IBM Java SDK Security Bulletin for WebSphere Application Server to determine which WebSphere Application Server versions are affected and to obtain the JDK fixes.

The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2107 can be used to apply the July 2021 SDK iFixes in a PureApplication or Cloud Pak System Environment. Download and apply the interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2107.

Workarounds and Mitigations

None

Change History

18 Aug 2021: Initial Publication

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41        +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================