ESB-2017.2510 - [Win][Linux][Solaris][AIX] IBM Algo One: Multiple vulnerabilities 2017-10-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2510
         Security Bulletin: Vulnerability in Apache Tomcat affects
                            IBM Algo One - Core
                              5 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Algo One
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7675 CVE-2017-7674 CVE-2017-5648
                   CVE-2017-5647  

Reference:         ASB-2017.0109
                   ESB-2017.2350
                   ESB-2017.2284
                   ESB-2017.2091
                   ESB-2017.2017

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22008875
   http://www.ibm.com/support/docview.wss?uid=swg22008830

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect Algo One - Core

Security Bulletin

Document information

More support for:
Algo One
Algo Core

Software version:
4.9, 5.0

Operating system(s):
AIX, Linux, Solaris, Windows

Reference #:
2008875

Modified date:
04 October 2017

Summary

Apache Tomcat could allow a remote attacker to obtain sensitive information,
or allow a remote attacker to bypass security restrictions.

Vulnerability Details

CVE-ID: CVE-2017-5647
Description: Apache Tomcat could allow a remote attacker to obtain sensitive
information, caused by an error in the processing of pipelined requests in
send file. An attacker could exploit this vulnerability to obtain sensitive
information from the wrong response.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/124400
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2017-5648
Description: Apache Tomcat could allow a remote attacker to bypass security
restrictions, caused by the failure to use the appropriate facade object by
certain application listener calls. An attacker could exploit this
vulnerability to access and modify data on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/124399
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Algo One Core 4.9, 5.0

Remediation/Fixes

Product Name    iFix Name    Remediation/First Fix
Algo One Core   490-232      http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-AlgoCore-if0232:0&includeSupersedes=0&source=fc&login=true
Algo One Core   500-378      http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-AlgoCore-if0378:0&includeSupersedes=0&source=fc&login=true

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Core
(CVE-2017-7674, CVE-2017-7675)

Security Bulletin

Document information

More support for:
Algo One
Algo Core

Software version:
4.9, 5.0

Operating system(s):
AIX, Linux, Solaris, Windows

Reference #:
2008830

Modified date:
04 October 2017

Summary

Apache Tomcat could provide weaker than expected security, caused by the
failure to add an HTTP Vary header (CVE-2017-7674). Apache Tomcat could allow
a remote attacker to bypass security restrictions, caused by a flaw in the
HTTP/2 implementation (CVE-2017-7675).

Vulnerability Details

CVEID: CVE-2017-7674
DESCRIPTION:
Apache Tomcat could provide weaker than expected security, caused by the
failure to add an HTTP Vary header indicating that the response varies
depending on Origin by the CORS Filter. A remote attacker could exploit this
vulnerability to conduct client and server side cache poisoning.
CVSS Base Score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130248
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
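The weakness described for CVE-2017-7674 is generic to any CORS handler: when
Access-Control-Allow-Origin is set to the requesting Origin, the response differs
per origin, so a shared cache needs "Vary: Origin" to keep one origin's copy from
being served to another. The following audit check is an added example written
for this bulletin; it is not code from IBM, AusCERT or Apache Tomcat. It parses
captured response headers and flags origin-specific CORS responses that lack a
Vary covering Origin. The three sample responses and the host name
app.example.test are constructed for the example.

```python
"""Audit captured HTTP response headers for the CORS/Vary weakness behind CVE-2017-7674.

Added example, not code from the IBM bulletin or from Apache Tomcat. A response whose
Access-Control-Allow-Origin echoes the request's Origin varies by Origin; without
"Vary: Origin" a shared cache may hand the copy stored for one origin to another.
All sample responses below are constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed sample: origin-specific CORS response, cacheable, no Vary (the defect).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "\r\n"
)

# Constructed sample: same response with the cache told that Origin selects the variant.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "\r\n"
)

# Constructed sample: wildcard ACAO is identical for every origin, so no Vary is needed.
WILDCARD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response head into a lower-cased name -> list of values map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def vary_tokens(headers: Dict[str, List[str]]) -> set:
    """Collect every field name listed in Vary, across repeated Vary headers."""
    tokens = set()
    for value in headers.get("vary", []):
        tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def audit_cors_vary(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False when the response is origin-specific
    but gives caches no Vary: Origin instruction."""
    headers = parse_headers(raw)
    acao = headers.get("access-control-allow-origin")
    if not acao:
        return True, "no CORS headers; nothing varies by Origin"
    if acao == ["*"]:
        return True, "wildcard ACAO is identical for every Origin; Vary not required"
    vary = vary_tokens(headers)
    if "*" in vary or "origin" in vary:
        return True, "origin-specific ACAO and Vary covers Origin"
    return False, ("origin-specific ACAO %r without Vary: Origin; a shared cache may "
                   "serve this response to a different origin" % acao[0])


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
                          ("wildcard", WILDCARD_RESPONSE)):
        print(label, audit_cors_vary(sample))
```

Running the check over responses captured at a reverse proxy or CDN edge is the
quickest way to confirm that a Tomcat upgrade (or any other CORS filter change)
actually produced the Vary header in front of the caches that matter.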

CVEID: CVE-2017-7675
DESCRIPTION:
Apache Tomcat could allow a remote attacker to bypass security restrictions,
caused by a flaw in the HTTP/2 implementation. By using a specially-crafted
URL, an attacker could exploit this vulnerability to bypass security
restraints.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130247
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Upgrade to Tomcat version 7.0.79 or higher to remediate these vulnerabilities.

Affected Products and Versions

Algo One Core 4.9.0, 5.0.0

Remediation/Fixes

Product Name    iFix Name    Remediation/First Fix
Algo One Core   490-232      http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-AlgoCore-if0232:0&includeSupersedes=0&source=fc&login=true
Algo One Core   500-378      http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-AlgoCore-if0378:0&includeSupersedes=0&source=fc&login=true

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWdWwI4x+lLeg9Ub1AQjt6RAAnc5h+3gw35WCoLWsE6KvFXiGDGxHmIEr
0JkvgqkPvZ3vlgvQYgzuC1305fBQz11mvnx6c1hKFyDAk8wh9ZwQ4sU5fQ6tvV4h
R9a9RlrUXCBCkqviJvr53ISmS7vas8HTdfKAmFLt5Sc7LQPqEsvgghOpolmTsbc0
zDX8jDcZMGDaoGiChlRbKdhEFzerVLUPHLwKm6EUVD1zn69PLsSHjFFwM1KGDe7b
PA4JmZzjK6BYRQDwYgIZqt1EHkwa/IBSxTZo44iwzPgKMONS5Rms2tPO2THpjkkU
0rgkyYrFKpJRv0WOsxsee7PqdbS0drVQAylgz3sTg2qTMEF/j4AXA3klNmf3pVud
XewZoU+1+riJ1bdsRV1obVdKke422qsmG1dqpbhnRU49HEQQuVo5n4TBEJKjCFhW
1X0iqy4sJ5LWPPpvP2qRcHEp7+TnlPbGfu4v0OYalr1xUQJysOJSBduUwTfOcm/P
hIuST+l5PAwcqE4e6Ta1RKYiNTzj5wXRfrmWUa8aWWgkwORpEg+acsUwYPgQJatu
6E1IQGSQaEBHLKeEihT9H90NC45RQy9d8hFTjKQpBHhVeP/YiJ82kOGHmxe1xZMN
BUZhS5Eh2mzjvbxYOdd7G3ABkSyoY+f2ePwWeVB+k/COe+nnnTK36/vqUfafQx4+
hvntXFth9yo=
=N+GH
-----END PGP SIGNATURE-----
