This document provides information on how to address Java security vulnerabilities and how to obtain updates/patches to fix these vulnerabilities for the various IBM Java for AIX versions that are supported.

Introduction

IBM uses various methods to communicate security vulnerability information to customers. The company uses Security Bulletins when publicly disclosing security vulnerabilities discovered in IBM offerings and leverages alternative tools and processes, where appropriate (i.e., for System z, managed and cloud-based services), for more targeted and discrete communications with entitled customers. To help protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations.

For information about Security Bulletins, please monitor:

Support for third party generated scanning reports

IBM does not support vulnerability or defect reports generated from non-IBM products as per the IBM Support Handbook. The handbook clearly says:

Interpretation or triage of customer or third party generated defect scanning reports is beyond the Support's scope.

(Reference to IBM Software Support Handbook : http://www-304.ibm.com/support/customercare/sas/f/handbook/getsupport.html#6)

Cross Referencing CVE numbers to Java fixes

Search for each one of the CVE numbers you want a fix for on the following alerts page:

http://www.ibm.com/developerworks/java/jdk/alerts/

If the CVE number you are looking for is identified on the alerts page, proceed with Consideration 2.

If the CVE number is not found on the alerts page, proceed with Consideration 1.

Identification of Fixes

To identify the Java versions installed on your system, please run the following commands:

# lslpp -L | grep Java

Vulnerability updates need only be downloaded and applied for installed versions of Java.

If Java 5 is one of the Java versions installed on your system, see Consideration 3 below for how to handle this scenario.

For the supported IBM Java versions, follow the instructions in Consideration 1 below to obtain the Java fixes that have already been released.

Consideration 1:
Monitoring for the availability of fixes

The alerts page given below is frequently updated with newly disclosed vulnerabilities and the release levels in which they are fixed, for each Java version:

https://www.ibm.com/developerworks/java/jdk/alerts/

Periodically search the above alerts page using the CVE number (e.g. CVE-2016-0603) of the security vulnerability you need the fix for.

Whenever the alerts page is updated with the security vulnerability you are monitoring for, proceed to Consideration 2 to download and apply the fixes for the security vulnerabilities for the IBM Java versions on your AIX systems.

If the security vulnerabilities are not yet listed on the alerts page above, fixes for them are likely to be released soon; continue monitoring the alerts page for their availability.

Consideration 2:
Applying the fixes

Once the CVE has been identified on the alerts page, use the release numbers in its row (e.g. 6.0.16.21, which is Java 6 SR 16 FP 21) for each installed Java version to determine the Java level in which the vulnerability is fixed. Java fixes are cumulative, so upgrading to that release level or to any higher release level will fix the vulnerability.
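As an added example (it is not IBM's tooling and is not part of the original document), the following POSIX shell script ties together the identification step above (the output of `lslpp -L | grep Java`) with the cumulative-fix rule in this consideration: it reads lslpp-style fileset lines, looks up the fix level for each major Java version, and reports whether the installed level is at or above that fix level. The fileset names, installed levels and fix levels are constructed sample data written in the alerts page's release-number format, not values for any real CVE; how a real AIX fileset level maps to an SR/FP number is an assumption you must confirm against the alerts page for your own installation.

```shell
#!/bin/sh
# Added example, not IBM's own code. Compares installed IBM Java fileset levels
# (lslpp -L style lines) against the fixed release level for each Java version.

# Return 0 if dotted version $1 is greater than or equal to dotted version $2.
# Java fixes are cumulative, so any level at or above the fix level carries it.
level_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Constructed sample of `lslpp -L | grep Java` output (fileset, level, state,
# type, description). On a real system pipe the lslpp output in instead.
SAMPLE_LSLPP='  Java6.sdk                 6.0.16.15   C   F   Java SDK 32-bit
  Java7_64.jre              7.0.9.30    C   F   Java JRE 64-bit
  Java8_64.sdk              8.0.2.10    C   F   Java SDK 64-bit'

# Placeholder fix levels per major Java version, in the format you would copy
# from the CVE row on the alerts page. These are NOT values for any real CVE.
FIX_LEVELS='6 6.0.16.21
7 7.0.9.30
8 8.0.2.10'

# Print the fix level recorded for major version $1, or nothing if unknown.
required_level() {
    printf '%s\n' "$FIX_LEVELS" | while read -r maj lvl; do
        [ "$maj" = "$1" ] && { printf '%s\n' "$lvl"; break; }
    done
}

# Classify one fileset: OUT_OF_SUPPORT (Java 5, no further fixes are issued),
# UNKNOWN (no fix level recorded), FIXED, or NEEDS_UPDATE.
fileset_status() {
    fileset=$1; installed=$2
    major=${fileset#Java}; major=${major%%[!0-9]*}   # Java7_64.jre -> 7
    if [ "$major" = 5 ]; then
        echo OUT_OF_SUPPORT
        return
    fi
    req=$(required_level "$major")
    if [ -z "$req" ]; then
        echo UNKNOWN
    elif level_ge "$installed" "$req"; then
        echo FIXED
    else
        echo NEEDS_UPDATE
    fi
}

# Walk every Java fileset line and print one status line per fileset.
check_installed_java() {
    printf '%s\n' "$SAMPLE_LSLPP" | while read -r fs lvl _rest; do
        case $fs in Java*) ;; *) continue ;; esac
        printf '%-20s %-12s %s\n' "$fs" "$lvl" "$(fileset_status "$fs" "$lvl")"
    done
}

check_installed_java
```

Only filesets reported as NEEDS_UPDATE require a download from the release page below; an UNKNOWN result means the alerts page row has no level for that Java version and should be checked by hand.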

Vulnerability updates need only be downloaded and applied for installed versions of Java.

To apply the fix, download the specific release levels, or the latest release levels (if they are higher than the fix's release level), from the following web page:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1022644

Follow the instructions from the web page below to upgrade:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1022693

Consideration 3:
Java 5 - Out of Support

Java 5 is out of support as of September 2015, as per the following web page:

http://www.ibm.com/developerworks/java/jdk/lifecycle/index.html

Since Java 5 is out of support, subsequent fixes will not be provided. Please move to one of the supported Java versions listed on the following web page:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1022644

Follow the instructions from the web page below to uninstall Java 5:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1022684

That document also covers removing any software that depends on Java 5, and names the AIX teams you can ask for help when in doubt about removing the dependent software.

Before contacting IBM

Open an IBM support call to resolve any vulnerability issues that were not addressed in one of the above sections.

When the support call is opened, please confirm that you have reviewed and completed all the actions on this web page.

Document Type: Instruction
Content Type: Howto
Hardware: all Power
Operating System: all AIX Versions
IBM Java: all Java Versions
Author(s): Vidya Makineedi
Reviewer(s): Roger Leuckie