ESB-2011.0430 - [Win][Netware][Linux][Solaris][AIX] BlackBerry Enterprise Server: Multiple vulnerabilities

Date: 13 April 2011
References: ESB-2007.0629  ESB-2008.0145  ESB-2009.0093  ESB-2010.0604  ESB-2011.0355  ESB-2012.0261.2  

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0430
          Vulnerabilities in Apache Tomcat implementation impact
                  BlackBerry Enterprise Server components
                               13 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server Express
                   BlackBerry Enterprise Server
Publisher:         RIM
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
                   Cross-site Scripting     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-2227 CVE-2009-3555 CVE-2008-5515
                   CVE-2008-1678 CVE-2007-5333 CVE-2007-3385
                   CVE-2007-1858  

Reference:         ESB-2011.0355
                   ESB-2010.0604
                   ESB-2009.0093
                   ESB-2008.0145
                   ESB-2007.0629

Original Bulletin: 
   http://blackberry.com/btsc/KB25966

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in Apache Tomcat implementation impact BlackBerry Enterprise 
Server components

Products

Affected Software

These issues affect the following software versions:

    * BlackBerry Enterprise Server Express versions 5.0.1 through 5.0.2 MR1 
      for Microsoft Exchange
    * BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
    * BlackBerry Enterprise Server versions 4.1.4 through 5.0.2 MR1 for 
      Microsoft Exchange
    * BlackBerry Enterprise Server versions 4.1.4 through 5.0.2 for IBM Lotus 
      Domino
    * BlackBerry Enterprise Server versions 4.1.4 through 5.0.1 for Novell 
      GroupWise

Non Affected Software

    * BlackBerry Device Software
    * BlackBerry Desktop Software
    * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores 
that range from 1.8 to 4.8 (low to moderate severity). See the References 
section below for the CVSS scores of each issue, listed by CVE issue 
identifier. 

Overview

Security issues exist in the versions of the Apache Tomcat web server that 
some BlackBerry Enterprise Server components use to serve administration pages. 
The BlackBerry Administration Service, the BlackBerry Mobile Data System 
Connection Service, and the BlackBerry Monitoring Service use the Apache Tomcat 
web server.

These issues primarily affect the Apache Tomcat web server version that the 
BlackBerry Administration Service uses. Some minor issues impact the BlackBerry 
Mobile Data System Connection Service and the BlackBerry Monitoring Service. 
These issues do not affect BlackBerry messaging.

Who should read this advisory

BlackBerry Enterprise Server administrators

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators

Recommendation

Complete the resolution actions documented in this advisory.

References

View the linked CVE Identifiers for descriptions of the Apache Tomcat web 
server security issues that this security advisory addresses.

CVE Identifier for issue    CVSS score
CVE-2007-3385               2.9
CVE-2007-5333               3.3
CVE-2008-1678               3.3
CVE-2008-5515               3.3
CVE-2007-1858               1.8
CVE-2009-3555               4.3
CVE-2010-2227               4.8

Problem

The BlackBerry Enterprise Server and BlackBerry Enterprise Server Express 
products that use the vulnerable versions of the Apache Tomcat web server 
may be susceptible to the issues referenced above.

Impact

These issues may result in a Denial of Service (DoS) impacting the ability 
of the affected components to serve administration pages. There is a more 
limited potential for these issues to result in information disclosure or 
Cross-Site Scripting (XSS) on the affected components. 

Resolution

RIM has issued the following updates that resolve these vulnerabilities in 
affected versions of the BlackBerry Enterprise Server and the BlackBerry 
Enterprise Server Express. These updates replace the installed Apache Tomcat 
web server components with components that are not affected by the 
vulnerabilities. The updates for BlackBerry Enterprise Server and BlackBerry 
Enterprise Server Express versions 5.0.1 through 5.0.2 MR1 install Apache 
Tomcat web server version 6.0.28 components. The updates for BlackBerry 
Enterprise Server versions 4.1.6 and 4.1.7 install Apache Tomcat web server 
version 5.5.31 components.

For BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for Microsoft 
Exchange 

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 5.0.2 and 5.0.2 MR1 for Microsoft 
Exchange

    * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry 
      Enterprise Server version 5.0.2 MR5.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, and 5.0.1 for 
Microsoft Exchange

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, 5.0.1, and 5.0.2 for 
IBM Lotus Domino

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, and 5.0.1 for Novell 
GroupWise

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
      Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to one of 
the listed versions and then apply the corresponding update.
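As an added triage helper, not part of RIM's advisory or the AusCERT bulletin, the following encodes the affected-version ranges and the update mapping from the Resolution section so that an inventory of BlackBerry Enterprise Server installs can be checked against this advisory; version strings such as "5.0.2 MR1" are parsed so that a maintenance release sorts after its base version. The product and platform labels ("BES", "BES Express", "Exchange", "Domino", "GroupWise") are shorthand keys assumed for this example.

```python
import re

# Affected ranges stated in the advisory: (product, platform) -> (lowest, highest).
AFFECTED = {
    ("BES Express", "Exchange"): ("5.0.1", "5.0.2 MR1"),
    ("BES Express", "Domino"): ("5.0.2", "5.0.2"),
    ("BES", "Exchange"): ("4.1.4", "5.0.2 MR1"),
    ("BES", "Domino"): ("4.1.4", "5.0.2"),
    ("BES", "GroupWise"): ("4.1.4", "5.0.1"),
}
# Versions for which the Resolution section names a download; any other affected
# version must first be upgraded to one of these (last sentence of Resolution).
FIX_LISTED = {
    ("BES Express", "Exchange"): ("5.0.1", "5.0.2"),
    ("BES Express", "Domino"): ("5.0.2",),
    ("BES", "Exchange"): ("4.1.6", "4.1.7", "5.0.1", "5.0.2", "5.0.2 MR1"),
    ("BES", "Domino"): ("4.1.6", "4.1.7", "5.0.1", "5.0.2"),
    ("BES", "GroupWise"): ("4.1.6", "4.1.7", "5.0.1"),
}
INTERIM = "Interim Security Software Update for April 12, 2011"
NO_FIX = "affected, no update listed: upgrade to a listed version, then apply its update"
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*MR(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'5.0.2 MR1' -> (5, 0, 2, 1); plain '5.0.2' -> (5, 0, 2, 0), so MR1 sorts after it."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BES version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(product: str, platform: str, version: str) -> bool:
    """True when the version lies inside the advisory's affected range for that platform."""
    rng = AFFECTED.get((product, platform))
    if rng is None:
        return False
    lo, hi = (parse_version(v) for v in rng)
    return lo <= parse_version(version) <= hi


def required_fix(product: str, platform: str, version: str):
    """None when not affected; otherwise the remediation the advisory gives for it."""
    if not is_affected(product, platform, version):
        return None
    v = parse_version(version)
    if v not in {parse_version(x) for x in FIX_LISTED[(product, platform)]}:
        return NO_FIX
    # BES 5.0.2 / 5.0.2 MR1 for Exchange is the one case that gets a full MR (5.0.2 MR5).
    if (product, platform) == ("BES", "Exchange") and v >= (5, 0, 2, 0):
        return "BlackBerry Enterprise Server version 5.0.2 MR5"
    return INTERIM
```

Versions that are affected but have no update named (4.1.4 and 4.1.5 on every platform) are reported separately, since the advisory only offers them an upgrade path rather than a direct fix.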

Copyright © 2010 Research In Motion Limited, unless otherwise noted.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================