ESB-2017.2704 - [Win][Linux][Solaris][AIX] IBM Rational License Key Server & Administration Tool: Multiple vulnerabilities 2017-10-26

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2704
   Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat
              affect IBM Rational License Key Server and IBM
                     Administration and Reporting Tool
                              26 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational License Key Server
                   IBM RLKS Administration and Reporting Tool
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12617 CVE-2017-12615 CVE-2017-5651
                   CVE-2017-5648 CVE-2017-5647 

Reference:         ASB-2017.0109
                   ESB-2017.2510
                   ESB-2017.2091
                   ESB-2017.1186
                   ESB-2017.1102
                   ESB-2017.1101

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22008294
   http://www.ibm.com/support/docview.wss?uid=swg22009870

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect
IBM Rational License Key Server Administration and Reporting Tool

IBM Rational License Key Server & Administration Tool

Document information

More support for: Rational License Key Server
RLKS Administration and Reporting Tool

Software version: 8.1.4, 8.1.4.1, 8.1.4.2, 8.1.4.3, 8.1.4.4, 8.1.4.5, 8.1.4.6,
8.1.4.7, 8.1.4.8, 8.1.4.9

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 2008294

Modified date: 24 October 2017

Security Bulletin

Summary

Apache Tomcat is shipped as a component of RLKS Administration and Reporting
Tool (RLKS ART) which contains multiple security vulnerabilities that could
potentially impact ART.

Vulnerability Details

CVEID: CVE-2017-5647
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive
information, caused by an error in the processing of pipelined requests in send
file. An attacker could exploit this vulnerability to obtain sensitive
information from the wrong response.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
124400 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-5648
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security
restrictions, caused by the failure to use the appropriate facade object by
certain application listener calls. An attacker could exploit this
vulnerability to access and modify data on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
124399 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-5651
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive
information, caused by an error in the send file processing that adds the
invoked Processor to the cache twice. An attacker could exploit this
vulnerability to obtain sensitive information from the wrong response.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
124397 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-12615
DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary
code on the system, caused by an error when running on Windows with HTTP PUTs
enabled. By sending a specially crafted request, an attacker could exploit this
vulnerability to upload a JSP file and execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
132277 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-12617
DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary
code on the system, caused by an incomplete fix related to an error when
running on Windows with HTTP PUTs enabled. By sending a specially crafted
request, an attacker could exploit this vulnerability to upload a JSP file and
execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
132484 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

These vulnerabilities affect the following versions of the IBM RLKS
Administration and Reporting Tool.

  o RLKS Administration and Reporting Tool version 8.1.4
  o RLKS Administration and Reporting Tool version 8.1.4.1
  o RLKS Administration and Reporting Tool version 8.1.4.2
  o RLKS Administration and Reporting Tool version 8.1.4.3
  o RLKS Administration and Reporting Tool version 8.1.4.4
  o RLKS Administration and Reporting Tool version 8.1.4.5
  o RLKS Administration and Reporting Tool version 8.1.4.6
  o RLKS Administration and Reporting Tool version 8.1.4.7
  o RLKS Administration and Reporting Tool version 8.1.4.8
  o RLKS Administration and Reporting Tool version 8.1.4.9

Remediation/Fixes

Follow the instructions in How to manually update Apache Tomcat? to upgrade to
Apache Tomcat, version 7.0.82 or later, where these vulnerabilities have been
fixed.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

24 October 2017 : Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

IBM Rational License Key Server & Administration Tool

- -------------------------------------------------------------------------------

Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS
Administration and Reporting Tool Admin

Document information

More support for: Rational License Key Server
RLKS Administration and Reporting Tool

Software version: 8.1.4.9, 8.1.5, 8.1.5.1, 8.1.5.2

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 2009870

Modified date: 25 October 2017

IBM RLKS Administration and Reporting Tool

Security Bulletin

Summary

There are multiple vulnerabilities related to IBM(R) Runtime Environment Java(TM)
Technology Edition which is used and shipped by different versions of IBM
Rational License Key Server Administration and Reporting Tool Admin (ART).

Vulnerability Details

CVEID: CVE-2017-10115
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128876 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-10116
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Security component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
128877 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

These vulnerabilities impact the following components and their releases:

  o RLKS Administration and Reporting Tool version 8.1.4.9
  o RLKS Administration and Reporting Tool version 8.1.5
  o RLKS Administration and Reporting Tool version 8.1.5.1
  o RLKS Administration and Reporting Tool version 8.1.5.2

Remediation/Fixes

For IBM RLKS Administration and Reporting Tool v. 8.1.5.x
Replace the JRE used in IBM RLKS Administration and Reporting Tool.

Steps to replace the JRE

1. Go to Fix Central.

2. Download the Java 8 runtime package that is applicable for your target
platform.

3. Additionally, download the files US_export_policy.jar and local_policy.jar.

4. Shutdown RLKS Administration and Reporting Tool.

5. Go to the installation location of RLKS Administration and Reporting Tool.

6. Rename <install location>/jre folder to <install location>/jre_back. This
step backs up the existing JRE.

7. Extract the downloaded JRE into <install location> folder.

8. Copy the downloaded US_export_policy.jar and local_policy.jar files to
<install location>/jre/lib/security.

9. Startup RLKS Administration and Reporting Tool.

10. Login to the tool using rcladmin user and verify that you see the
configured license servers under 'Server' tab.


For IBM RLKS Administration and Reporting Tool v. 8.1.4.9 or earlier

Upgrade to the latest version of 8.1.5.x. Then, update the JRE using the
instructions mentioned above.

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


Change History

25 October 2017 : Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

IBM RLKS Administration and Reporting Tool

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWfFpAIx+lLeg9Ub1AQj0/A//QFmWEHtTCL5o+37QIOSWZA4EtBFlU7Nw
RqE9B8DVOBIvixIZeE6KgBYIraCqMecFwX3KVXvGYTuevz/ZPFTdbwHP7AJ3zhGM
zsFWRz0sPw2HXnuEp4OUp46DiHK6zsYuCglOLh9G7i2b8K3I5U4TVJXfAaQLD7/3
CFLGfojVvVLxw43r7BYEfZro4pyX4u1nophwu+r98tAQYTMml02lqWuYWvWZhrIF
vIUMmpLCcA5dcCp9u5cj+gH2JRlohn6DW3tSx9Ih8LeZr6eo5GPNbfWB+UT3nzBL
CA2qWCfFA+AhLEOaGO40hm6v2mzGTMCPtR0uIG+ehxd6ZurQxNljK5nvv1XXkVDr
e3BxknIV8FVphSNCe4BxlWbhjn6HiJqU6jQ3r7zDOH2tA5tf0ODi0Rh+Zt13LpCt
rwU8sRPBGdrHGUaJnfTi3P8qQ5U7nWDHoWkCnyolnZXnjkE+ZKAoYhNy2XYxnP2V
JRlbzFGS6ACUZJU62siy1nSjG6Z/P0xycj26FszmX9RvCIPgu1xRbL8gC30mMZay
xrR7v8NP+VaXlsVrTeyUWNc5hCHORY4eMDddZzgjARfbeOJ6jJhG1x7TA5j8QEXV
iN841p//05iA9XnWYUtdzPDt+tdnxES4kTavnvd9qi8+ATl6ARJtmJG81K+QDiKh
dfNmJ+5Lv/k=
=LcUI
-----END PGP SIGNATURE-----

« Back to bulletins