ESB-2017.2734 - [Win][Linux][AIX] IBM OpenPages GRC Platform: Multiple vulnerabilities 2017-10-30

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2734
      Security Bulletin: IBM OpenPages GRC Platform security updates
                              30 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM OpenPages GRC Platform
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1333 CVE-2017-1300 CVE-2017-1290
                   CVE-2017-1148 CVE-2017-1147 CVE-2016-3048

Reference:         ESB-2017.2729
                   ESB-2017.2379
                   ESB-2017.2331
                   ESB-2017.2278

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22009684
   http://www.ibm.com/support/docview.wss?uid=swg22009717
   http://www.ibm.com/support/docview.wss?uid=swg22009770
   http://www.ibm.com/support/docview.wss?uid=swg21997796
   http://www.ibm.com/support/docview.wss?uid=swg21997685

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM OpenPages GRC Platform has addressed Cross-site
Request Forgery (CVE-2017-1300)

Security Bulletin

Document information

More support for:

OpenPages GRC Platform

Software version:

7.1, 7.2, 7.3

Operating system(s):

AIX, Linux, Windows

Reference #:

2009684

Modified date:

27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
Cross-site request forgery.

Vulnerability Details

CVEID: CVE-2017-1300
DESCRIPTION:
IBM OpenPages GRC Platform is vulnerable to cross-site request forgery which
could allow an attacker to execute malicious and unauthorized actions
transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125162
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM OpenPages GRC Platform versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1.0 through 7.1.0.3  http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later


Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

16 Oct 2017: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: IBM OpenPages GRC Platform has addressed insecure object
reference (CVE-2017-1148)

Security Bulletin

Document information

More support for:

OpenPages GRC Platform

Software version:

7.2, 7.3

Operating system(s):

AIX, Linux, Windows

Reference #:

2009717

Modified date:

27 October 2017

Summary

IBM OpenPages GRC Platform with OpenPages Loss Event Entry (LEE) application
addressed potential security exposure due to insecure object reference.

Vulnerability Details

CVEID: CVE-2017-1148
DESCRIPTION:
IBM OpenPages GRC Platform with OpenPages Loss Event Entry (LEE) application
could allow a user to obtain sensitive information including private APIs
that could be used in further attacks against the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/122201
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM OpenPages GRC Platform versions 7.2 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

16 Oct 2017: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: IBM OpenPages GRC Platform has addressed secure HTTP
header improvements (CVE-2017-1290)

Security Bulletin

Document information

More support for:

OpenPages GRC Platform

Software version:

7.1, 7.2, 7.3

Operating system(s):

AIX, Linux, Windows

Reference #:

2009770

Modified date:

27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
some missing secure HTTP headers

Vulnerability Details

CVEID: CVE-2017-1290
DESCRIPTION:
IBM OpenPages GRC Platform is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125151
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1.0 through 7.1.0.3  http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Akik Rahman

Change History

16 October 2017 : Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: IBM OpenPages GRC Platform is affected by an information
disclosure issue (CVE-2017-1333)

Security Bulletin

Document information

More support for:

OpenPages GRC Platform

Software version:

7.1, 7.2, 7.3

Operating system(s):

Windows

Reference #:

1997796

Modified date:

27 October 2017

Summary

IBM OpenPages GRC Platform has a potential information disclosure issue, due
to Windows Internet Information Server (IIS) default configuration.

Vulnerability Details

CVEID: CVE-2017-1333
DESCRIPTION:
IBM OpenPages GRC Platform could allow an unauthenticated user to obtain
sensitive information about the server that could be used in future attacks
against the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126241
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

For OpenPages GRC Platform version 7.1.0.x through 7.3.0.x customers, if 
you are using Windows Internet Information Server (IIS) as IBM Cognos web 
server. Remediation instructions are provided at the URL listed below:

    http://www.ibm.com/support/docview.wss?uid=swg22006922

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Akik Rahman

Change History

30 June 2017: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: IBM OpenPages GRC Platform is affected by multiple XSS
reflection vulnerabilities (CVE-2017-1147, CVE-2016-3048)

Security Bulletin

Document information

More support for:

OpenPages GRC Platform

Software version:

7.1, 7.2, 7.3

Operating system(s):

AIX, Linux, Windows

Reference #:

1997685

Modified date:

27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
multiple XSS reflection vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-1147
DESCRIPTION:
IBM OpenPages GRC Platform is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/122200
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-3048
DESCRIPTION:
IBM OpenPages GRC Platform is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114711
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                      Download URL
For OpenPages GRC Platform 7.3           http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2           http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1           http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by InteliSecure

Change History

3 October 2017 : Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWfagrYx+lLeg9Ub1AQgyKw//YO1f7t+3+dEoTcMtk1xb4sX9VaZB9We+
xVsJLRfChfNpaw3yf7NFQAaB2ywNGDQO59WlLIsrcVnloGtdOE+xbscdRZf+6G9y
d2WxEB5OCt+YhB+8BT+0KPv7fsPA7cDXDuW5gyDBUry5kvS++ZPUg6FRIaYuyY/K
LsiQDHmo5Rs3c6mA0Y4F2Bf+m/JyMUu/7QdkWlticKxcILdkVGz/RHIX6dSq6qFB
jBHPl8eJRdPN09Pk1twDpFr6XJm2zkgbEktQZE9y8S1irFjrUJMrXMS7ALqEfe9Q
dyBEwCUZ0r9aYh0/NITnF8O3ANHmN2mXsuiceQe1Uv5hrMAONJiX0dWSewmqbbFU
dRhOm6ZeZUD1x+nUXurB3M9r4ohemet3z685mQGOXIeEoQXEmqURFr+CEYoYc1uf
YU0I5jtGg+nP0KiqvHcTFHHJFj191fgKedxQG/8LX+5a5/Q2tCWoCZTQV9DLquM0
mZM60+PpDvsx3YeWcoj96WVM0Q2S9/7anrA7IrjBe7NrspFJuPcc7SfYqSs0bb4d
JJ5/O9S5NSLNs+B1MqZ+PaQsn224ClZGGFVmiGED/VxXtsh0iLMNdeQ2mWStOkrf
XOGVNJBjYHjzYbHsXx0f9i1UOEPTTLqvt6gF3o2T5y0TsvWZpmM8jgyChEU8lQ08
7HOe2aYwn/M=
=nlkn
-----END PGP SIGNATURE-----

« Back to bulletins