A new security bulletin has just been released at the beginning of February 2024! It turns out that a multitude of vulnerabilities are present in IBM® Runtime Environment Java™ Version 8, which is used by IBM Installation Manager and IBM Packaging Utility.
Firstly, an unspecified vulnerability in Java SE linked to the JSSE component could allow a remote attacker to affect the confidentiality, integrity or availability of your service.
The “Eclipse OpenJ9” Java Virtual Machine is also vulnerable to a denial-of-service attack. It is caused by a flaw in how a stop signal (SIGTERM, SIGINT or SIGHUP) is handled when it is received before the JVM (Java Virtual Machine) has finished initializing. By sending a specially crafted request, an authenticated local attacker can exploit this vulnerability to make the JVM hang indefinitely on a spinlock or crash with a segmentation fault.
It’s important to note that IBM Installation Manager is notably used by older versions of RDI (up to and including 9.6), so it’s even more important to upgrade to version 9.8.
So even if the base CVSS scores are “low” (5.3 for Java SE and 4.1 for the JVM), Gayte.IT and IBM support strongly recommend that you install the updates listed in the Remediation/Fixes section of the IBM site:
https://lnkd.in/eiENbXYX