ESB-2018.0321 - [Win][Linux][Solaris][AIX] IBM Content Collector for SAP Applications: Multiple vulnerabilities 2018-02-01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0321
        Security Bulletin: Multiple vulnerabilities in IBM Java SDK
               affect Content Collector for SAP Applications
                              1 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Content Collector for SAP Applications
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10388 CVE-2017-10357 CVE-2017-10356
                   CVE-2017-10350 CVE-2017-10349 CVE-2017-10348
                   CVE-2017-10347 CVE-2017-10281 

Reference:         ESB-2017.3011

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22012740

- --------------------------BEGIN INCLUDED TEXT--------------------

Document information

More support for: Content Collector for SAP Applications

Software version: 3.0.0, 4.0.0

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 2012740

Modified date: 31 January 2018


Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
7 and IBM Runtime Environment Java Version 7 used by Content Collector for SAP
Applications. These issues were disclosed as part of the IBM Java SDK updates in
October 2017.


Vulnerability Details

CVEID: CVE-2017-10357

    DESCRIPTION: An unspecified vulnerability related to the Java SE
    Serialization component could allow an unauthenticated attacker to cause a
    denial of service resulting in a low availability impact using unknown
    attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133786 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10348

    DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries
    component could allow an unauthenticated attacker to cause a denial of
    service resulting in a low availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133777 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10349

    DESCRIPTION: An unspecified vulnerability related to the Java SE JAXP
    component could allow an unauthenticated attacker to cause a denial of
    service resulting in a low availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133778 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10347

    DESCRIPTION: An unspecified vulnerability related to the Java SE
    Serialization component could allow an unauthenticated attacker to cause a
    denial of service resulting in a low availability impact using unknown
    attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133776 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10350

    DESCRIPTION: An unspecified vulnerability related to the Java SE JAX-WS
    component could allow an unauthenticated attacker to cause a denial of
    service resulting in a low availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133779 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10281

    DESCRIPTION: An unspecified vulnerability related to the Java SE
    Serialization component could allow an unauthenticated attacker to cause a
    denial of service resulting in a low availability impact using unknown
    attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133720 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-10388

    DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries
    component could allow an unauthenticated attacker to take control of the
    system.

    CVSS Base Score: 7.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133813 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-10356

    DESCRIPTION: An unspecified vulnerability related to the Java SE Security
    component could allow an unauthenticated attacker to obtain sensitive
    information resulting in a high confidentiality impact using unknown attack
    vectors.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


Affected Products and Versions

IBM Content Collector for SAP Applications v3.0

IBM Content Collector for SAP Applications v4.0


Remediation/Fixes

+---------------------------+------+-------------------------------+
|Product                    |VRM   |Remediation                    |
+---------------------------+------+-------------------------------+
|IBM Content Collector for  |3.0   |Use IBM Content Collector for  |
|SAP Applications           |      |SAP Applications Interim Fix   |
+---------------------------+------+-------------------------------+
|IBM Content Collector for  |4.0   |Use IBM Content Collector for  |
|SAP Applications           |      |SAP Applications Interim Fix   |
+---------------------------+------+-------------------------------+


Workarounds and Mitigations

None


Change History

January 31, 2018 Original Version Published

*The CVSS Environmental Score is customer environment specific and will ultimately
affect the overall CVSS score. Customers can evaluate the impact of each
vulnerability in their environment by following the X-Force Exchange link given
with that CVE in the Vulnerability Details section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
