ESB-2018.0007 - [Win][Linux][Solaris][AIX] IBM InfoSphere Master Data Management: Multiple vulnerabilities 2018-01-02

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0007
           Multiple vulnerabilities have been identified in IBM
                     InfoSphere Master Data Management
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Master Data Management
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5656 CVE-2017-5653 CVE-2017-3156
                   CVE-2016-1000031 CVE-2016-8739 CVE-2016-6812

Reference:         ESB-2017.1991
                   ESB-2017.0877

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22011984
   http://www.ibm.com/support/docview.wss?uid=swg22011981

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Mulitiple security vulnerabilities in Apache CXF affects IBM
InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653
CVE-2017-5656 CVE-2017-3156)

Document information

More support for: Initiate Master Data Service

Software version: 10.1.0, 11.0.0, 11.3.0, 11.4.0, 11.5

Operating system(s): AIX, Linux, Platform Independent, Solaris, Windows

Reference #: 2011984

Modified date: 22 December 2017

Security Bulletin

Summary

IBM Initiate Master Data Service is vulnerable to multiple Apache CSX issues
and could allow remote attackers to steal a victim's cookie-based
authentication credentials and read arbitrary files on the system.

Vulnerability Details

CVEID: CVE-2016-6812
DESCRIPTION: Apache CXF is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the FormattedServiceListWriter()
function. A remote attacker could exploit this vulnerability using the 'matrix
' parameter in a specially-crafted URL to execute script in a victim's Web
browser within the security context of the hosting Web site, once the URL is
clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120409 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-8739
DESCRIPTION: Apache CXF could allow a remote attacker to obtain sensitive
information, caused by XML External Entity (XXE) vulnerability in JAX-RS
implementation. By using a specially-crafted XML data, an attacker could
exploit this vulnerability to read arbitrary files on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2017-5653
DESCRIPTION: Apache CXF could allow a remote attacker to conduct spoofing
attacks, caused by the improper validation of service response in JAX-RS XML
Security streaming clients. An attacker could exploit this vulnerability to
spoof the servers.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
125087 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2017-5656
DESCRIPTION: Apache CXF could allow a remote attacker to bypass security
restrictions, caused by a flaw in the STSClient. By sending a specially-crafted
token, an attacker could exploit this vulnerability to bypass security
restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
125216 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2017-3156
DESCRIPTION: Apache CXF could provide weaker than expected security, caused by
the failure to use the OAuth2 Hawk and JOSE MAC Validation code. A remote
attacker could exploit this vulnerability using timing attacks to obtain
sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
130249 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability is known to affect the following offerings:


+-------------------------------------------+-----------------+
| Affected IBM Initiate Master Data Service |Affected Versions|
+-------------------------------------------+-----------------+
|IBM Initiate Master Data Service           |10.1             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.0             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.3             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.4             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.5             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.6             |
+-------------------------------------------+-----------------+

Remediation/Fixes

+-------------------------+--------+-------+-------------------------------------------------------+
|Product                  |VRMF    |APAR   |Remediation/First Fix                                  |
+-------------------------+--------+-------+-------------------------------------------------------+
|IBM InfoSphere Master    |  11.0  |None   |11.0.0.7-MDM-SAE-FP07IF000                             |
|Data Management Standard/|        |       |                                                       |
|Advanced Edition         |        |       |                                                       |
+-------------------------+--------+-------+-------------------------------------------------------+
|IBM InfoSphere Master    |  11.3  |None   |11.3.0.7-MDM-SE-AE-FP07IF000                           |
|Data Management Standard/|        |       |                                                       |
|Advanced Edition         |        |       |                                                       |
+-------------------------+--------+-------+-------------------------------------------------------+
|IBM InfoSphere Master    |  11.4  |None   |11.4.0.8-MDM-SAE-FP08IF000                             |
|Data Management Standard/|        |       |                                                       |
|Advanced Edition         |        |       |                                                       |
+-------------------------+--------+-------+-------------------------------------------------------+
|IBM InfoSphere Master    |  11.6  |None   |11.6.0.4-MDM-SE-AE                                     |
|Data Management Standard/|        |       |                                                       |
|Advanced Edition         |        |       |                                                       |
+-------------------------+--------+-------+-------------------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

18 December 2017: Orginal version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------
Security Bulletin: Security vulnerability in Apache affects IBM InfoSphere
Master Data Management (CVE-2016-1000031)

Document information

More support for: Initiate Master Data Service

Software version: 10.1.0, 11.0.0, 11.3.0, 11.4.0, 11.5

Operating system(s): AIX, HP-UX, Linux, Platform Independent, Solaris, Windows

Reference #: 2011981

Modified date: 22 December 2017

Security Bulletin

Summary

IBM Initiate Master Data Service is vulnerable to a Novell NetIQ Sentinel issue
and could allow a remote attacker to execute arbitrary code on the system.

Vulnerability Details

CVE-ID: CVE-2016-1000031
DESCRIPTION: Novell NetIQ Sentinel could allow a remote attacker to execute
arbitrary code on the system, caused by deserialization of untrusted data in
DiskFileItem class of FileUpload library. A attacker could exploit this
vulnerability to execute arbitrary code under the context of the current
process.
CVSS Base Score: 7.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
117957 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

This vulnerability is known to affect the following offerings:


+-------------------------------------------+-----------------+
| Affected IBM Initiate Master Data Service |Affected Versions|
+-------------------------------------------+-----------------+
|IBM Initiate Master Data Service           |10.1             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.0             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.3             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.4             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.5             |
+-------------------------------------------+-----------------+
|IBM InfoSphere Master Data Management      |11.6             |
+-------------------------------------------+-----------------+

Remediation/Fixes

+-------------------------+--------+-------+-----------------------------------------------------+
|Product                  |VRMF    |APAR   |Remediation/First Fix                                |
+-------------------------+--------+-------+-----------------------------------------------------+
|IBM InfoSphere Master    |  11.0  |None   |11.0.0.7-MDM-SAE-FP07IF000                           |
|Data Management Standard/|        |       |                                                     |
|Advanced Edition         |        |       |                                                     |
+-------------------------+--------+-------+-----------------------------------------------------+
|IBM InfoSphere Master    |  11.3  |None   |11.3.0.7-MDM-SE-AE-FP07IF000                         |
|Data Management Standard/|        |       |                                                     |
|Advanced Edition         |        |       |                                                     |
+-------------------------+--------+-------+-----------------------------------------------------+
|IBM InfoSphere Master    |  11.4  |None   |11.4.0.8-MDM-SAE-FP08IF000                           |
|Data Management Standard/|        |       |                                                     |
|Advanced Edition         |        |       |                                                     |
+-------------------------+--------+-------+-----------------------------------------------------+
|IBM InfoSphere Master    |  11.6  |None   |11.6.0.4-MDM-SE-AE                                   |
|Data Management Standard/|        |       |                                                     |
|Advanced Edition         |        |       |                                                     |
+-------------------------+--------+-------+-----------------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

18 December 2017: Orginal version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWkrOlIx+lLeg9Ub1AQgfTA//SlE8AH2H3AWFCgyVdN7M1bj+t9Q7SJPQ
R53oTWp9IN0q14xIyD4COqRg13hSBraCzVxqL2+TIYJ/Bc3JsicRR8CVgT+I/k2j
k3b+fT5YB8G6VE32W7HTko0BQScVthU7ViXHLbj/XRA/lLbmi59Sz85q/vL1/dM3
vqh+NSTDdMgei1JfILQFfMz6tqkI3bjOSnM+CzENXyTWuKgAUBMJkSEgq56yzfPA
ReYRFsmhnPALe7m+TSrjaNKjgOCDSWP4+fyCzxjbjZ0a6tNYPse0PQndKz+J3kC6
vQrzn5BNkeyxioYSDhc8oUviJLRI/VB1VZ+DHaurvelzo4v82ndKoM5NqgdbLU2p
0tv+/41x9r4rJCXzHL+XE1Pu9qH4n+nLANRLXV7wg9Ato+OSE7FYEB5hUPw+lnZc
PoD4EDMfhbZtPfzU2hg1kzAWzbWJWzR2teJJm3atvoNCPKZxljibWOLRsRUVxmz0
S5zEIZAGb0atJi2ejfsuNC1XMz27J5qxc7S1ZjrP62Xm2n0DfcB6Rar1cMOHumgp
xYp4rWeQuo1YAFaTyA6XyC9Go/kh2X7dRawk+tciAgWU6l2VDKpX++qs+53SLEB+
NGrOnnZkF83AX1ozlrK6hnG6sxAKvU1MSUY/7IA2UwvYo5xbrNUhzjqAJoDHDUXj
c5n91b4kA0A=
=//hN
-----END PGP SIGNATURE-----

« Back to bulletins