-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2665
                IBM Event Streams multiple vulnerabilities
                               18 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere IBM Event Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Increased Privileges      -- Remote/Unauthenticated      
                   Overwrite Arbitrary Files -- Remote with User Interaction
                   Cross-site Scripting      -- Remote/Unauthenticated      
                   Delete Arbitrary Files    -- Remote with User Interaction
                   Denial of Service         -- Remote/Unauthenticated      
                   Access Confidential Data  -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1002101 CVE-2019-11244 CVE-2019-9741
                   CVE-2019-4046 CVE-2019-0201 

Reference:         ESB-2019.2463
                   ESB-2019.2462
                   ESB-2019.2459
                   ESB-2019.2397

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10888067
   http://www.ibm.com/support/docview.wss?uid=ibm10884414
   http://www.ibm.com/support/docview.wss?uid=ibm10888065
   http://www.ibm.com/support/docview.wss?uid=ibm10888071

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Event Streams is affected by Apache ZooKeeper vulnerability CVE-2019-0201

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888067

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-0201
DESCRIPTION: Apache ZooKeeper could allow a remote attacker to obtain sensitive
information, caused by the failure to check permissions by the getACL()
command. By sending a specially-crafted request, a remote attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161303 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1, which is available from Passport
Advantage.

Change History

Initial version: June 2019

- ----------------------------------------------------------------------------------

IBM Event Streams is affected by Go vulnerabilities

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0884414

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerabilities in the Go
Runtimes shipped.

Vulnerability Details

CVEID: CVE-2019-9741
DESCRIPTION: Go is vulnerable to HTTP header injection, caused by improper
validation of input in http.NewRequest. By sending a specially-crafted request,
a remote attacker could exploit this vulnerability to inject arbitrary HTTP
headers, which would allow the attacker to conduct various attacks against the
vulnerable system, including cross-site scripting, cache poisoning or session
hijacking.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.1.1, which is available from Passport
Advantage.

Change History

Initial version: June 2019

- ----------------------------------------------------------------------------------

IBM Event Streams is affected by WebSphere Liberty Profile vulnerability
CVE-2019-4046

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888065

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4046
DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of
service, caused by improper handling of request headers. A remote attacker
could exploit this vulnerability to cause the consumption of memory.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1, which is available from Passport
Advantage.

Change History

Initial version: June 2019

- ----------------------------------------------------------------------------------

IBM Event Streams is affected by kubectl vulnerabilities

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888071

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerabilities in the kubectl
versions shipped.

Vulnerability Details

CVEID: CVE-2019-1002101
DESCRIPTION: Kubernetes could allow a remote attacker to traverse directories
on the system, caused by the improper handling of symlinks. By persuading a
victim to use the kubectl cp command or the oc cp command with a malicious
container, an attacker could replace or delete arbitrary files on the host
machine.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158804 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-11244
DESCRIPTION: Kubernetes could allow a remote attacker to bypass security
restrictions, caused by an improper directory permission issue with the
--cache-dir option. By sending a specially-crafted request, an attacker could
exploit this vulnerability to modify the written files and disrupt the kubectl
invocation.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160042 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
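
The CVE-2019-1002101 description above comes down to trusting entry names and
symlink targets in a tar stream sent by the container. As an added example
(not IBM's or the kubectl project's code), this Go snippet shows the kind of
lexical check a receiver can apply before writing each entry under a local
destination; the destination path and sample entries are assumed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// withinDest reports whether cleaned path p lies inside dest (a lexical check).
func withinDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkEntry rejects an entry whose name escapes dest and a symlink whose
// target resolves outside dest; it does not follow links already on disk.
func checkEntry(dest, name, linkname string, isSymlink bool) error {
	target := filepath.Join(dest, name) // Join cleans "../" components
	if !withinDest(dest, target) {
		return fmt.Errorf("entry %q escapes destination", name)
	}
	if isSymlink {
		link := linkname
		if !filepath.IsAbs(link) {
			// relative targets resolve against the entry's own directory
			link = filepath.Join(filepath.Dir(target), link)
		}
		if !withinDest(dest, link) {
			return fmt.Errorf("symlink %q -> %q leaves destination", name, linkname)
		}
	}
	return nil
}

// rejectedEntries returns the names of tar-stream entries that fail checkEntry.
func rejectedEntries(dest string, archive []byte) ([]string, error) {
	tr, bad := tar.NewReader(bytes.NewReader(archive)), []string{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return nil, err
		}
		if checkEntry(dest, hdr.Name, hdr.Linkname, hdr.Typeflag == tar.TypeSymlink) != nil {
			bad = append(bad, hdr.Name)
		}
	}
}
```

Entries that fail the check should be skipped and logged rather than written; an
extraction that writes first and checks afterwards gives no protection.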

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1, which is available from Passport
Advantage.

Change History

Initial version: June 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----