IBM has announced fixes for five vulnerabilities in the Java runtime. The bugs leave various versions of Watson Explorer and Watson Content Analytics open to a range of attacks, reports ZDNet. The company therefore describes the vulnerabilities as critical.
The most serious vulnerability, CVE-2018-2602, was already addressed in Oracle’s critical patch update in January last year. IBM then fixed the vulnerability in an update of its own in March 2018. Throughout the year, the company continued to update an article on the subject with information on fixes for other Watson products and components.
According to the company, the Java flaw is “difficult to abuse”, but allows an “unauthorized attacker with network access through multiple protocols to compromise Java SE, Java SE Embedded and JRockit”.
“Successful attacks require human interaction from a person who is not the attacker, and while the vulnerability sits in Java SE, Java SE Embedded and JRockit, attacks can have a significant impact on other products. Successful attacks through this vulnerability can result in takeovers of Java, Java SE Embedded and JRockit.”
Other bugs
IBM’s product security incident response team (PSIRT) also sent out a warning of a critical vulnerability impacting the IBM Decision Optimization Center, which uses IBM SDK Java and IBM Runtime Environment Java versions 7 and 8. These are affected by two bugs.
One of those bugs, CVE-2018-12547, is a serious buffer overflow that affects the open source Eclipse OpenJ9 Java virtual machine. The vulnerability can enable a remote attacker to execute arbitrary code on the system or crash an application. “The recommended solution is to download and install the IBM Java SDK as soon as possible,” said the company. There are no workarounds or mitigating factors.
The same OpenJ9 bug also affects the IBM Runtime Environment Java used in the IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server versions 12.9 and older. The CPLEX updates further address a Java SE flaw, CVE-2019-2426, which Oracle patched in January, as well as a vulnerability that can be exploited in the IBM SDK, Java Technology Edition Version 8 on the AIX platform.
Other products affected by the three bugs are IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 35 and earlier versions, and IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 27 and earlier versions.
This news article was automatically translated from Dutch to give Techzine.eu a head start.