Site icon API Security Blog

Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects APM Agents for Monitoring

## Summary

Multiple vulnerabilities in the Oracle Java SE and the Java SE Embedded impact the IBM SDK, Java Technology Edition. This effects all IBM Cloud Application Performance Management agents, all versions.

## Vulnerability Details

** CVEID: **[CVE-2021-28167]()
** DESCRIPTION: **Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by a flaw in the jdk.internal.reflect.ConstantPool API. By sending a specially-crafted request, an attacker could exploit this vulnerability to call static methods or access static members without running the class initialization method.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200533]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
APM Agents for Monitoring| all

## Remediation/Fixes

_Product_

| _Product
VRMF_| _Remediation_
—|—|—
IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private| _8.1.4_| The vulnerabilities can be remediated by applying the Core Framework interim fix8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0025 to all systems where Cloud APM agents are installed:

IBM Cloud Application Performance Management| _N/A_| After your subscription is upgraded to V8.1.4, the vulnerabilities can be remediated by either

a) downloading the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0025 to all systems where Cloud APM agents are installed and applying the fix by following the instructions at this link:

b) downloading the Cloud APM agent packages for the operating systems that your agents run on and using the downloaded packages to upgrade existing agents to use the updated Core Framework or to install new agents with the updated Core Framework.

Please refer to the link for details
on downloading agent packages from IBM Marketplace

Please refer to the link
for details on upgrading existing agents.

Please refer to the link
for details on installing new agents.
| |

## Workarounds and Mitigations

None

##Read More

Exit mobile version