## Summary
Vulnerabilities in the IBM® Runtime Environment Java⢠Technology Edition affect IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. The applicable CVEs are CVE-2018-1517, CVE-2018-2783 and CVE-2018-12539.
## Vulnerability Details
**CVEID:** [CVE-2018-1517]()
**DESCRIPTION:** A flaw in the java.math component in IBM SDK, Java Technology Edition may allow an attacker to inflict a denial-of-service attack with specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** [CVE-2018-2783]()
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
**CVEID:** [CVE-2018-12539]()
**DESCRIPTION:** Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
## Affected Products and Versions
IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3700
IBM Storwize V3500
IBM FlashSystem V9000
IBM FlashSystem 9100 Family
IBM Spectrum Virtualize Software
IBM Spectrum Virtualize for Public Cloud
All products are affected when running supported versions 7.5 to 8.2.
## Remediation/Fixes
IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family to the following code levels or higher:
7.8.1.8
8.1.3.3
8.2.0.0
8.2.1.0
[_Latest IBM SAN Volume Controller Code_]()
[_Latest IBM Storwize V7000 Code_]()
[_Latest IBM Storwize V5000 Code_]()
[_Latest IBM Storwize V3700 Code_]()
[_Latest IBM Storwize V3500 Code_]()
[_Latest IBM FlashSystem V9000 Code_]()
[_Latest IBM FlashSystem 9100 Family Code_]()
[_Latest IBM Spectrum Virtualize Software_]()
[_Latest IBM Spectrum Virtualize for Public Cloud_]()
For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.
## Workarounds and Mitigations
Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.