===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2665
                  IBM Event Streams multiple vulnerabilities
                                18 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere IBM Event Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Increased Privileges            -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1002101 CVE-2019-11244 CVE-2019-9741
                   CVE-2019-4046 CVE-2019-0201
Reference:         ESB-2019.2463 ESB-2019.2462 ESB-2019.2459 ESB-2019.2397

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10888067
   http://www.ibm.com/support/docview.wss?uid=ibm10884414
   http://www.ibm.com/support/docview.wss?uid=ibm10888065
   http://www.ibm.com/support/docview.wss?uid=ibm10888071

Comment: This bulletin contains four (4) IBM security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

IBM Event Streams is affected by Apache ZooKeeper vulnerability CVE-2019-0201

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888067

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-0201
DESCRIPTION: Apache ZooKeeper could allow a remote attacker to obtain sensitive
information, caused by the failure to check permissions by the getACL() command.
By sending a specially-crafted request, a remote attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161303 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1 which is available from Passport Advantage.

Change History

Initial version: June 2019

----------------------------------------------------------------------------------

IBM Event Streams is affected by Go vulnerabilities

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0884414

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerabilities in the Go Runtimes
shipped.

Vulnerability Details

CVEID: CVE-2019-9741
DESCRIPTION: Golang GO is vulnerable to HTTP header injection, caused by improper
validation of input in the http.NewRequest. By sending a specially-crafted
request, a remote attacker could exploit this vulnerability to inject arbitrary
HTTP headers, which will allow the attacker to conduct various attacks against
the vulnerable system, including cross-site scripting, cache poisoning or
session hijacking.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.1.1 which is available from Passport Advantage.
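As an added defensive illustration of the input check whose absence the CVE-2019-9741 entry above describes (example code, not IBM's or the Go project's own): an application that builds outbound requests from caller-supplied URLs refuses any URL component carrying a control byte before handing it to http.NewRequest. The function names and the sample URLs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// errControlChar flags a URL component carrying a CR, LF or other control byte,
// which on the wire could end the request line and start an injected header.
var errControlChar = errors.New("control character in URL component")

// hasControl reports whether s contains an ASCII control byte (0x00-0x1F, 0x7F).
func hasControl(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// newRequestChecked parses rawURL, rejects any component that would be written
// verbatim into the request if it carries a control byte, and only then builds
// the request. Newer Go releases already refuse such URLs inside url.Parse; the
// wrapper makes that rejection explicit whatever runtime the binary shipped with.
func newRequestChecked(method, rawURL string) (*http.Request, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	parts := []string{u.Scheme, u.Opaque, u.Host, u.Path, u.RawPath, u.RawQuery, u.Fragment}
	if u.User != nil {
		parts = append(parts, u.User.String())
	}
	for _, part := range parts {
		if hasControl(part) {
			return nil, fmt.Errorf("%q: %w", rawURL, errControlChar)
		}
	}
	return http.NewRequest(method, u.String(), nil)
}

func main() { // constructed sample: a clean URL, then one carrying a CRLF-split header
	for _, raw := range []string{"http://example.com/ok?q=1", "http://example.com/ok\r\nX-Injected: 1"} {
		_, err := newRequestChecked("GET", raw)
		fmt.Printf("%q -> err=%v\n", raw, err)
	}
}
```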
Change History

Initial Version: June 2019

----------------------------------------------------------------------------------

IBM Event Streams is affected by WebSphere Liberty Profile vulnerability CVE-2019-4046

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888065

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4046
DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of
service, caused by improper handling of request headers. A remote attacker could
exploit this vulnerability to cause the consumption of memory.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1 which is available from Passport Advantage.

Change History

Initial version June 2019

----------------------------------------------------------------------------------

IBM Event Streams is affected by kubectl vulnerabilities

Product:             WebSphere IBM Event Streams
Software version:    All Versions
Operating system(s): Linux
Reference #:         0888071

Security Bulletin

Summary

IBM Event Streams has addressed the following vulnerabilities in the kubectl
versions shipped.

Vulnerability Details

CVEID: CVE-2019-1002101
DESCRIPTION: Kubernetes could allow a remote attacker to traverse directories on
the system, caused by the improper handling of symlinks. By persuading a victim
to use the kubectl cp command or the oc cp command with a malicious container, an
attacker could replace or delete arbitrary files on the host machine.
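The symlink handling behind CVE-2019-1002101 above, as an added defensive example (not kubectl's or IBM's code): a local copy vets every tar header against the destination directory before it writes anything, so neither a ".." entry nor a symlink aimed at the host filesystem is accepted. The destination path, function names and sample entries are assumptions.

```go
package main
import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// insideDest reports whether p, once cleaned, still lies within dest (Linux paths).
func insideDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// checkEntry vets one tar header before anything is written: the entry path and,
// for a symlink, its target resolved from the link's directory must stay in dest.
func checkEntry(dest string, h tar.Header) (string, error) {
	target := filepath.Join(dest, h.Name)
	if !insideDest(dest, target) {
		return "", fmt.Errorf("entry %q escapes %s", h.Name, dest)
	}
	if h.Typeflag == tar.TypeSymlink {
		link := h.Linkname
		if !filepath.IsAbs(link) {
			link = filepath.Join(filepath.Dir(target), link)
		}
		if !insideDest(dest, link) {
			return "", fmt.Errorf("symlink %q -> %q escapes %s", h.Name, h.Linkname, dest)
		}
	}
	return target, nil
}

// vetHeaders returns accepted target paths under the absolute, cleaned dest, or the first escaping entry.
func vetHeaders(dest string, hs []tar.Header) ([]string, error) {
	var paths []string
	for _, h := range hs {
		p, err := checkEntry(dest, h)
		if err != nil {
			return paths, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

func main() { // constructed sample: a benign file, then a link aimed outside dest
	fmt.Println(vetHeaders("/tmp/out", []tar.Header{{Name: "app/config.yaml", Typeflag: tar.TypeReg},
		{Name: "app/link", Typeflag: tar.TypeSymlink, Linkname: "../../../etc"}}))
}
```

The check is per header only; an extractor that has already created in-tree symlinks must also resolve the on-disk parent (for example with filepath.EvalSymlinks) before each write, or a chain of individually valid links can still leave dest.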
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158804 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-11244
DESCRIPTION: Kubernetes could allow a remote attacker to bypass security
restrictions, caused by an improper directory permission issue with the
--cache-dir option. By sending a specially-crafted request, an attacker could
exploit this vulnerability to modify the written files and disrupt the kubectl
invocation.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160042 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
IBM Event Streams 2019.1.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.2.1 which is available from Passport Advantage.

Change History

Initial version June 2019

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures.
AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================