IBM: Patch these critical Java, OpenJ9 Java bugs in Watson, analytics products

IBM warns Watson AI customers to check product versions after releasing new updates that address critical flaws.
Written by Liam Tung, Contributing Writer

IBM has announced fixes for five flaws in Java runtime that leave multiple versions of Watson Explorer and IBM Watson Content Analytics vulnerable to various attacks. 

The company's product security incident response team (PSIRT) has posted an alert about the "high severity" bugs affecting various Watson analytics products, consoles, and the content analytics studio. 

The most severe flaw, CVE-2018-2602, was actually addressed in Oracle's January 2018 critical-patch update, and then originally patched in an update IBM released in March 2018. IBM updated the advisory throughout the year with information about fixes for additional Watson products and components. 

The advisory notes that the Java bug is "difficult to exploit" but allows an "unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit".

"Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit."

IBM's PSIRT also put out an alert for a high-severity flaw affecting the IBM Decision Optimization Center, which uses the IBM SDK Java and IBM Runtime Environment Java versions 7 and 8. These are affected by two bugs. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

One the two bugs, CVE-2018-12547, is a severe buffer overflow affecting the open-source Eclipse OpenJ9 Java virtual machine. It has a CVSS 3.0 base score of 9.8 out of a possible 10 and could allow a remote attacker to execute arbitrary code on the system or crash an application. 

"The recommended solution is to download and install the IBM Java SDK as soon as practicable," IBM notes in its advisory, adding that there are no workarounds or mitigations. 

That same OpenJ9 Java bug also affects the IBM Runtime Environment Java used in the IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server releases 12.9 and earlier. 

The CPLEX product updates also address a Java SE flaw, CVE-2019-2426, which Oracle patched in January, and a locally exploitable flaw in the IBM SDK, Java Technology Edition Version 8 on the AIX platform. 

Other products affected by the trio of bugs include IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 35 and earlier releases, and IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 27 and earlier releases. 

Previous and related coverage

IBM aims to make Watson a set of microservices that can run across multiple clouds

IBM is increasingly plugging into multiple cloud environments--public, hybrid and private--and now aiming to expand the reach of Watson.

Brisbane City Council teaches IBM Watson sarcasm to understand citizen sentiment

It took seven weeks for Big Blue's AI to learn to speak 'council' and pick up the tone of social media posts.

IBM brings artificial intelligence to the heart of cybersecurity strategies

IBM hopes to bring AI, data, and cybersecurity vendors together to tackle ongoing and new threats through the launch of a new open platform.

How AI and machine learning can help you defend the enterprise from cyberattacks

As attack methodologies advance, tool-assisted detection is indispensable for security professionals to manage sprawling networks of devices that are not necessarily trustworthy.

IBM Watson IoT wants to improve field worker safety with wearables, but could it backfire? TechRepublic

IBM is partnering with Garmin Health, Mitsufuji, and SmartCone on wearables for workers, but other safety measures should not be forgone with the rise of these technologies.

IBM offers up Watson Assistant, its answer to Amazon's Alexa CNET

The business software giant unveils its digital helper a few months after Amazon introduces its rival service, Alexa for Business.

Editorial standards