IBM has released security updates to address several high- and medium-severity flaws affecting some of its enterprise products, including IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise.
Two issues, tracked as CVE-2020-14782 and CVE-2020-27221, affect Runtime Environment Java 7 and 8, which are used in IBM Integration Designer.
IBM Integration Designer is a complete authoring environment that you use for end-to-end integration in your service-oriented architecture (SOA). Based on Eclipse, Integration Designer is a tool for building SOA-based business process management and integration solutions across Business Automation Workflow and WebSphere Adapters.
The most severe issue, tracked as CVE-2020-27221, is a stack-based buffer overflow that resides in Eclipse OpenJ9. The issue could be used by remote attackers to execute arbitrary code or cause an application crash.
“Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.” reads the advisory.
The vulnerability received a CVSS base score of 9.8.
The CVE-2020-14782 flaw affects the Libraries component of Java SE and could be exploited by attackers to compromise Java SE via multiple protocols.
“An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.” reads the advisory published by IBM.
Big Blue also published an advisory to report five vulnerabilities in the Planning Analytics Workspace, which is a component of Planning Analytics, a collaboration and management planning product.
The IT giant also addressed five low-impact vulnerabilities in IBM Kenexa LMS On Premise, which is an enterprise learning management system.
(SecurityAffairs – hacking, IBM)