IBM SECURITY ADVISORY

First Issued: Mon Sep 18 09:05:13 CDT 2017
Updated:      Mon Oct  2 09:00:12 CDT 2017

|Update 1: Impacted fileset information and iFixes added for AIX Java 6
|          VRMFs from 6.0.0.215 to 6.0.0.465.
|          Complete impacted filesets now listed as:
|            Java6.sdk:    6.0.0.215-6.0.0.645
|            Java6_64.sdk: 6.0.0.215-6.0.0.645

The most recent version of this document is available here:

    http://aix.software.ibm.com/aix/efixes/security/java6_advisory.asc
    https://aix.software.ibm.com/aix/efixes/security/java6_advisory.asc
    ftp://aix.software.ibm.com/aix/efixes/security/java6_advisory.asc

Security Bulletin: Vulnerability in IBM Java 6 SDK for AIX

===============================================================================

SUMMARY:

    There is a vulnerability in the AIX IBM Java 6 SDK installp and updatep
    packages.

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2017-1541
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1541
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1541

    DESCRIPTION: A flaw in the AIX JRE/SDK installp and updatep packages
        prevented the java.security, java.policy and javaws.policy files
        from being updated correctly.

    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/130809
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2
    VIOS 2.2.x

    The following fileset levels (VRMF) are vulnerable, if the respective
    Java version is installed:

|       Java6.sdk:    6.0.0.215-6.0.0.645
|       Java6_64.sdk: 6.0.0.215-6.0.0.645

    Note: To find out whether the affected Java filesets are installed on
    your systems, refer to the lslpp command found in the AIX user's guide.
    Example:  lslpp -L | grep -i java

REMEDIATION:

|   Note: If running any level of Java6 from 6.0.0.215 to 6.0.0.645, then
|   read the following before proceeding:
|       http://www-01.ibm.com/support/docview.wss?uid=isg3T1025683

    I. Recommended remediation is to always install the most recent Java
       package available for the respective Java version. Current Java 6
       package is Service Refresh 16 Fix Pack 50, VRMF 6.0.0.650.

       IBM SDK, Java Technology Edition, Version 6 Service Refresh 16
       Fix Pack 50 and subsequent releases:

       32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all

       64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all

|   II. If upgrading to IBM Java 6 SDK SR16 FP50 or later is not
|       possible, then interim fixes (iFixes) are available for Java 6
|       fileset levels from 6.0.0.215 to 6.0.0.645.
       IBM SDK, Java Technology Edition, Version 6 iFixes for 32-bit:

       32-bit: http://www-01.ibm.com/support/docview.wss?uid=isg3T1022644#ibmjava6032

       Java6.sdk (32-bit)
       Level        Interim Fix (*.Z)
       -----------------------------------------------------
|      6.0.0.215    J632SR8F1.170917.epkg.Z
|      6.0.0.255    J632SR9.170917.epkg.Z
|      6.0.0.265    J632SR9F1.170917.epkg.Z
|      6.0.0.280    J632SR9F2.170917.epkg.Z
|      6.0.0.325    J632SR10.170917.epkg.Z
|      6.0.0.345    J632SR10F1.170917.epkg.Z
|      6.0.0.385    J632SR12.170917.epkg.Z
|      6.0.0.396    J632SR13.170914.epkg.Z
|      6.0.0.406    J632SR13F1.170914.epkg.Z
|      6.0.0.415    J632SR13F2.170914.epkg.Z
|      6.0.0.426    J632SR14.170914.epkg.Z
|      6.0.0.435    J632SR15.170914.epkg.Z
|      6.0.0.445    J632SR15F1.170914.epkg.Z
|      6.0.0.455    J632SR16.170914.epkg.Z
|      6.0.0.460    J632SR16F1.170914.epkg.Z
|      6.0.0.465    J632SR16F2.170914.epkg.Z
       6.0.0.474    J632SR16F3.170911.epkg.Z
       6.0.0.480    J632SR16F4.170911.epkg.Z
       6.0.0.485    J632SR16F5.170911.epkg.Z
       6.0.0.495    J632SR16F7.170911.epkg.Z
       6.0.0.510    J632S16F15.170911.epkg.Z
       6.0.0.535    J632S16F20.170911.epkg.Z
       6.0.0.561    J632S16F26.170911.epkg.Z
       6.0.0.585    J632S16F30.170911.epkg.Z
       6.0.0.635    J632S16F35.170911.epkg.Z
       6.0.0.641    J632S16F41.170911.epkg.Z
       6.0.0.645    J632S16F45.170911.epkg.Z

       IBM SDK, Java Technology Edition, Version 6 iFixes for 64-bit:

       64-bit: http://www-01.ibm.com/support/docview.wss?uid=isg3T1022644#ibmjava6064

       Java6_64.sdk (64-bit)
       Level        Interim Fix (*.Z)
       -----------------------------------------------------
|      6.0.0.215    J664SR8F1.170918.epkg.Z
|      6.0.0.255    J664SR9.170918.epkg.Z
|      6.0.0.265    J664SR9F1.170918.epkg.Z
|      6.0.0.325    J664SR10.170918.epkg.Z
|      6.0.0.385    J664SR12.170918.epkg.Z
|      6.0.0.396    J664SR13.170911.epkg.Z
|      6.0.0.406    J664SR13F1.170911.epkg.Z
|      6.0.0.415    J664SR13F2.170911.epkg.Z
|      6.0.0.425    J664SR14.170914.epkg.Z
|      6.0.0.435    J664SR15.170911.epkg.Z
|      6.0.0.445    J664SR15F1.170911.epkg.Z
|      6.0.0.455    J664SR16.170911.epkg.Z
|      6.0.0.460    J664SR16F1.170911.epkg.Z
|      6.0.0.465    J664SR16F2.170911.epkg.Z
       6.0.0.474    J664SR16F3.170911.epkg.Z
       6.0.0.480    J664SR16F4.170911.epkg.Z
       6.0.0.485    J664SR16F5.170911.epkg.Z
       6.0.0.495    J664SR16F7.170911.epkg.Z
       6.0.0.510    J664S16F15.170911.epkg.Z
       6.0.0.535    J664S16F20.170911.epkg.Z
       6.0.0.560    J664S16F26.170911.epkg.Z
       6.0.0.585    J664S16F30.170911.epkg.Z
       6.0.0.635    J664S16F35.170911.epkg.Z
       6.0.0.641    J664S16F41.170911.epkg.Z
       6.0.0.645    J664S16F45.170911.epkg.Z

INTERIM FIX INSTALLATION AND REMOVAL:

    For additional details regarding AIX Java interim fix installation and
    removal, please read the following:

        http://www-01.ibm.com/support/docview.wss?uid=isg3T1025683

    To preview an interim fix installation:

        emgr -e epkg_name -p     # where epkg_name is the name of the
                                 # interim fix package being previewed.

    To install an interim fix package:

        emgr -e epkg_name -X     # where epkg_name is the name of the
                                 # interim fix package being installed.

    The interim fix will need to be removed prior to upgrading Java levels.

    To remove an interim fix package:

        emgr -l                  # to list installed iFixes by label
        emgr -r -L
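The advisory leaves the reader to compare the output of lslpp -L against the vulnerable VRMF range by hand. The script below is an added example, not part of IBM's advisory: it reads lslpp -L style output, picks out the Java6.sdk and Java6_64.sdk filesets, and flags any whose level falls inside 6.0.0.215 through 6.0.0.645, comparing the VRMF field by field rather than as a string. The function names, the temporary sample file and the sample lslpp lines are assumptions constructed for offline testing; on a real system feed it the saved output of lslpp -L and then look up the flagged level in the iFix tables above.

```shell
#!/bin/sh
# Added example, not part of IBM's advisory: scan `lslpp -L` output for the
# Java6.sdk / Java6_64.sdk filesets and flag any whose VRMF falls inside the
# vulnerable range the advisory gives (6.0.0.215 through 6.0.0.645).
# On AIX:  lslpp -L > /tmp/lslpp.out; . ./check_java6.sh; check_java6_lslpp /tmp/lslpp.out
# The sample lines at the bottom are constructed for offline testing.

VULN_LOW="6.0.0.215"
VULN_HIGH="6.0.0.645"

# vrmf_cmp A B: compare two dotted VRMF strings field by field, numerically.
# Prints -1 if A < B, 0 if equal, 1 if A > B. A plain string comparison would
# order 6.0.0.1000 before 6.0.0.645, hence the per-field compare.
vrmf_cmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$b" | cut -d. -f"$i"); fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# java6_vulnerable VRMF: true (exit 0) when VULN_LOW <= VRMF <= VULN_HIGH.
java6_vulnerable() {
    [ "$(vrmf_cmp "$1" "$VULN_LOW")" -ge 0 ] &&
    [ "$(vrmf_cmp "$1" "$VULN_HIGH")" -le 0 ]
}

# check_java6_lslpp FILE: read lslpp -L style lines (Fileset Level State Type ...),
# print "VULNERABLE <fileset> <level> ..." or "OK <fileset> <level>" for each
# Java 6 fileset, and return 1 if at least one vulnerable level was seen.
check_java6_lslpp() {
    status=0
    while read -r fileset level _rest; do
        case "$fileset" in
            Java6.sdk|Java6_64.sdk) ;;
            *) continue ;;   # header, separator and unrelated filesets
        esac
        if java6_vulnerable "$level"; then
            printf 'VULNERABLE %s %s (install SR16 FP50 / 6.0.0.650 or the iFix listed for this level)\n' "$fileset" "$level"
            status=1
        else
            printf 'OK %s %s\n' "$fileset" "$level"
        fi
    done < "$1"
    return "$status"
}

# Constructed sample of lslpp -L output (not captured from a real system):
# one vulnerable 32-bit SDK, one already-updated 64-bit SDK, one unrelated fileset.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  Java6.sdk                  6.0.0.465    C     F    Java SDK 32-bit
  Java6_64.sdk               6.0.0.650    C     F    Java SDK 64-bit
  bos.rte                    7.2.1.0      C     F    Base Operating System Runtime
EOF

if check_java6_lslpp "$SAMPLE"; then
    echo "no Java 6 fileset in the vulnerable range"
else
    echo "at least one Java 6 fileset needs the SR16 FP50 update or its iFix"
fi
```

With the constructed sample the 32-bit SDK at 6.0.0.465 is reported as VULNERABLE and the 64-bit SDK at 6.0.0.650 as OK, so the script exits non-zero; that exit status is what makes it usable from a fleet-wide inventory job. Because the iFix must be removed before the Java level is upgraded, a site that chose option II should also record which label emgr -l shows so the later upgrade can be sequenced correctly.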