CVE-2018-1656

Name of the Vulnerable Software and Affected Versions IBM SDK, Java Technology Edition versions 6.0 through 8.0

Description The issue arises from the failure to properly restrict path names to directories with limited access, allowing potential path traversal attacks when extracting compressed dump files. This could enable a remote attacker to impact the integrity of protected information. Additionally, the vulnerability may allow a local attacker to gain elevated privileges on the system by exploiting the failure to restrict the use of Java Attach API, potentially leading to the execution of untrusted native code.

Recommendations For IBM SDK, Java Technology Edition versions 6.0 through 8.0, consider restricting access to the Diagnostic Tooling Framework for Java (DTFJ) until a patch is available. As a temporary workaround, consider disabling the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine until the issue is resolved. Restrict the use of Attach API operations to only the process owner to minimize the risk of exploitation.