===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3174
         API Connect V2018 (ova) is impacted by vulnerabilities in
                         Ubuntu OS (CVE-2019-4504)
                              20 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM API Connect
Publisher:         IBM
Operating System:  Linux variants
                   Virtualisation
Impact/Access:     Create Arbitrary Files   -- Remote with User Interaction
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11246 CVE-2019-4504 CVE-2019-4437

Reference:         ESB-2019.2781
                   ESB-2019.2707
                   ESB-2019.2328

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10961550
   http://www.ibm.com/support/docview.wss?uid=ibm10960606
   http://www.ibm.com/support/docview.wss?uid=ibm10960876
   http://www.ibm.com/support/docview.wss?uid=ibm10960880

Comment: This bulletin contains four (4) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

IBM API Connect's Developer Portal is impacted by a path traversal
vulnerability.

Product:             IBM API Connect
Component:           Developer Portal
Software version:    5.0.0.0-5.0.8.6
Operating system(s): Platform Independent
Reference #:         0960880

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: Not Applicable
DESCRIPTION: Advanced Forum module for Drupal is vulnerable to cross-site
scripting, caused by improper validation of user-supplied input. A remote
attacker could exploit this vulnerability to inject malicious script into a Web
page which would be executed in a victim's Web browser within the security
context of the hosting Web site, once the page is viewed. An attacker could use
this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+---------------+----------------+
|IBM API Connect|v5.0.0.0-5.0.8.6|
+---------------+----------------+


Remediation/Fixes

+----------------+------------+-------+--------------------------------------------------------------------+
|Affected Product|Addressed in|APAR   |Remediation/First Fix                                               |
|                |VRMF        |       |                                                                    |
+----------------+------------+-------+--------------------------------------------------------------------+
|IBM API Connect |5.0.8.7     |LI81013|Addressed in IBM API Connect 5.0.8.7 fixpack.                       |
|V5.0.0.0-5.0.8.6|fixpack     |       |                                                                    |
|                |            |       |Developer Portal is impacted.                                       |
|                |            |       |                                                                    |
|                |            |       |Follow this link and find the "portal" package suitable for the     |
|                |            |       |form factor of your installation for 5.0.8.7 or a later fixpack.    |
|                |            |       |                                                                    |
|                |            |       |http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm     |
|                |            |       |%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.6  |
|                |            |       |&platform=All&function=all&source=fc                                |
+----------------+------------+-------+--------------------------------------------------------------------+

Workarounds and Mitigations

None

https://www.drupal.org/sa-contrib-2019-054

Acknowledgement

Drew Webber of the Drupal Security Team

Change History

August 13, 2019: Original bulletin published

Product Alias/Synonym

APIC
API Connect
Developer Portal

-------------------------------------------------------------------------------

API Connect V2018 is impacted by an information disclosure vulnerability
(CVE-2019-4437)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): Platform Independent
Reference #:         0960876

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4437
DESCRIPTION: IBM API Connect Developer Portal may inadvertently leak sensitive
details about internal servers and network via API swagger.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162947 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  |        Remediation / First Fix        |
|                  |   VRMF   |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81014|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |Management server is impacted.         |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the          |
|                  |          |       |"management" package appropriate for   |
|                  |          |       |the form factor of your installation   |
|                  |          |       |for 2018.4.1.7.                        |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
|                  |          |       |                                       |
|                  |          |       |Note: Even though the vulnerability is |
|                  |          |       |exposed via Developer Portal, the root |
|                  |          |       |cause is fixed in the management       |
|                  |          |       |server.                                |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 14, 2019: Original bulletin published

-------------------------------------------------------------------------------

API Connect V2018 is impacted by a Kubernetes vulnerability (CVE-2019-11246)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): Platform Independent
Reference #:         0960606

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-11246
DESCRIPTION: Kubernetes could allow a remote attacker to traverse directories
on the system. By persuading a victim to use the kubectl cp command with a
malicious container, an attacker could replace or create arbitrary files on a
user's workstation.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162892 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
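The flaw class here is an untar step that trusts the entry names a container hands back. The Go check below is an added example, not code from IBM, AusCERT or the Kubernetes project: every entry name is resolved under the destination directory and refused if it would land outside it, which is the control that blocks this kind of arbitrary file write. The function names, the destination /tmp/cp-dest and the in-memory archive are the example's own assumptions; nothing is written to disk.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeExtractPath joins a tar entry name onto dest and refuses any name that would land outside it.
func SafeExtractPath(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join collapses "." and ".." segments
	if filepath.IsAbs(name) || (target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator))) {
		return "", fmt.Errorf("entry %q would escape %q", name, dest)
	}
	return target, nil
}

// ScanArchive splits a tar stream's entry names into accepted and refused; nothing is written to disk.
func ScanArchive(r io.Reader, dest string) (accepted, rejected []string, err error) {
	tr := tar.NewReader(r)
	for hdr, rerr := tr.Next(); rerr != io.EOF; hdr, rerr = tr.Next() {
		if rerr != nil {
			return nil, nil, rerr
		}
		if _, e := SafeExtractPath(dest, hdr.Name); e != nil {
			rejected = append(rejected, hdr.Name)
		} else {
			accepted = append(accepted, hdr.Name)
		}
	}
	return accepted, rejected, nil
}

// SampleArchive is a constructed in-memory tar of the kind a container might return to kubectl cp.
func SampleArchive() string {
	var sb strings.Builder
	tw, body := tar.NewWriter(&sb), []byte("constructed sample\n")
	// constructed names: a benign entry, a ".." escape and an absolute path
	for _, n := range []string{"logs/app.log", "../../.bashrc", "/etc/passwd"} {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body))})
		tw.Write(body)
	}
	tw.Close()
	return sb.String()
}

func main() { fmt.Println(ScanArchive(strings.NewReader(SampleArchive()), "/tmp/cp-dest")) }
```

Only the benign entry is accepted; the check also refuses a sibling directory that merely shares a name prefix with the destination (for example "/tmp/ab" against "/tmp/a"), a case a plain prefix comparison without the separator would miss.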

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  |        Remediation / First Fix        |
|                  |   VRMF   |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81017|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |All components are impacted.           |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the package  |
|                  |          |       |appropriate for the form factor of your|
|                  |          |       |installation for 2018.4.1.7.           |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 14, 2019: Original bulletin published

------------------------------------------------------------------------------

API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS
(CVE-2019-4504)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): VM
Reference #:         0961550

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4504
DESCRIPTION: A vulnerability in API Connect could inadvertently remove some
security patches which could open the machine up to additional attacks.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164363 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  |        Remediation / First Fix        |
|                  |   VRMF   |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81011|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |All components are impacted.           |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the .OVA     |
|                  |          |       |packages for your installation for     |
|                  |          |       |2018.4.1.7.                            |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 13, 2019: Original bulletin published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================