1. Introduction
The AIX Java Advisory java_apr2019_advisory.asc (April 2019 CPU) addresses multiple vulnerabilities in the Java SDK installed on AIX systems. These vulnerabilities could allow a remote, unauthenticated attacker to cause a denial of service or gain control of the system. They affect servers and applications running Java on AIX platforms. A successful exploit could lead to loss of availability, integrity compromise, or complete system takeover.
2. Technical Explanation
The vulnerabilities reside in several subcomponents of the Java SDK, including Libraries, the RMI component, the 2D component and Eclipse OpenJ9. They stem from issues such as missing input validation and unspecified weaknesses that allow an attacker to execute code or disrupt service. An attacker could exploit them by sending crafted requests to a vulnerable Java application. CVE-2019-2602 is one example: a flaw in Libraries that causes a denial of service.
- Root cause: Flaws exist in multiple subcomponents including missing input validation, unspecified weaknesses and flaws within Eclipse OpenJ9.
- Exploit mechanism: An attacker can send malicious requests to the Java application exploiting these vulnerabilities.
- Scope: AIX systems running affected versions of Java SDK.
3. Detection and Assessment
To confirm exposure, check the installed Java version. A thorough assessment also involves reviewing logs for exploit attempts.
- Quick checks: Run the command java -version to identify the installed Java SDK version.
- Scanning: Nessus plugins with IDs 7cd5eba2, 4918cb7e, 6763c01c, 816ae152 and 38db0cea may detect these vulnerabilities. These are examples only.
- Logs and evidence: Check application logs for unusual errors or activity related to Java components.
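One way to script the quick check above, as an added example that is not part of the IBM advisory: it parses the banner that java -version prints (on stderr) and compares the reported version with a minimum fixed level. MIN_FIXED and the sample banner are placeholders constructed for the example; the real fixed levels come from java_apr2019_advisory.asc for the SDK level in use.

```shell
#!/bin/sh
# Added example: check a `java -version` banner against a minimum fixed level.
# MIN_FIXED is a PLACEHOLDER, not a level taken from the advisory.
MIN_FIXED="${MIN_FIXED:-1.8.0_999}"

# Constructed sample banner in the format Java prints (first line carries the version).
SAMPLE_BANNER='java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 8.0.5.30 - constructed sample)'

# Extract the quoted version string (e.g. 1.8.0_201) from a banner.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when version $1 is at or above version $2.
# Fields are split on '.', '_' and '-' and compared numerically, left to right.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[._-]/); m = split(b, y, /[._-]/)
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Print "patched" or "vulnerable" for a banner; "unknown" if no version is found.
assess_banner() {
    v=$(java_version_from_banner "$1")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    if version_at_least "$v" "$MIN_FIXED"; then echo "patched"; else echo "vulnerable"; fi
}

# Live use on an AIX host: assess_banner "$(java -version 2>&1)"
assess_banner "$SAMPLE_BANNER"
```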
4. Solution / Remediation Steps
Apply the fixes available from the IBM AIX website by downloading and installing the appropriate version.
4.1 Preparation
- A change window may be required depending on the environment and impact.
4.2 Implementation
- Step 1: Download the appropriate patch from the IBM AIX website for your Java SDK version.
- Step 2: Install the downloaded patch using the appropriate installation procedure for AIX.
4.3 Config or Code Example
No configuration changes are required; this is a software update.
4.4 Security Practices Relevant to This Vulnerability
Practices such as a regular patch cadence and least privilege help limit the impact of this vulnerability.
- Practice 1: Implement a regular patch management process for Java SDKs to ensure timely updates.
- Practice 2: Apply the principle of least privilege to limit the access rights of Java applications, reducing potential damage from exploitation.
4.5 Automation (Optional)
No automation steps are provided as this is a software update.
5. Verification / Validation
- Post-fix check: Run java -version again to confirm the updated Java SDK version is installed.
- Re-test: Re-run the Nessus scan or other vulnerability assessment tools to verify the issue is resolved.
- Smoke test: Test key applications and services that rely on Java to ensure they are functioning as expected.
6. Preventive Measures and Monitoring
Update security baselines with the patched Java SDK version. Consider adding checks in CI/CD pipelines.
- Baselines: Update your security baseline to include the latest Java SDK versions and associated patches.
- Asset and patch process: Review and update your asset inventory and patch management processes to ensure timely updates for all Java installations.
7. Risks, Side Effects, and Roll Back
Patching may cause temporary service disruptions. Ensure you have a rollback plan in place.
- Risk or side effect 1: Patching may require restarting services, causing brief downtime.
- Risk or side effect 2: In rare cases, patching could introduce compatibility issues with existing applications.
8. References and Resources
Refer to the official IBM advisories for detailed information about these vulnerabilities.
- Vendor advisory or bulletin: http://www.nessus.org/u?7cd5eba2
- NVD or CVE entry: CVE-2019-10245, CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698
- Product or platform documentation relevant to the fix: IBM AIX website.