ESB-2018.0592 - [Win][UNIX/Linux][IBM i] IBM WebSphere Portal: Denial of service - Remote/unauthenticated 2018-03-01

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0592
        Security Bulletin: Vulnerabilities in Apache POI Affect IBM
             WebSphere Portal (CVE-2017-5644, CVE-2017-12626)
                               1 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   IBM i
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12626 CVE-2017-5644 

Reference:         ESB-2018.0395
                   ESB-2018.0338
                   ESB-2017.2886
                   ESB-2017.2669

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22008072

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in Apache POI Affect IBM WebSphere Portal
(CVE-2017-5644, CVE-2017-12626)

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 2008072

Modified date: 28 February 2018

Security Bulletin

Summary

A fix is available for vulnerabilities in Apache POI that affect IBM
WebSphere Portal (CVE-2017-5644, CVE-2017-12626).

Vulnerability Details


CVEID: CVE-2017-5644
DESCRIPTION: Apache POI is vulnerable to a denial of service, cause by
an XML External Entity Injection (XXE) error when processing XML data. By
using a specially-crafted OOXML file, a remote attacker could exploit this
vulnerability to consume all available CPU resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-12626
DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an
error while parsing malicious WMF, EMF, MSG and macros and specially crafted
DOC, PPT and XLS. By persuading a victim to open a specially crafted file,
a remote attacker could exploit this vulnerability to cause the application
to enter into an infinite loop or an out of memory exception.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/138361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product

Affected Versions

IBM WebSphere Portal	8.0.0.0 - 8.0.0.1 CF22
IBM WebSphere Portal	7.0.0.0 - 7.0.0.2 CF30


For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

Product			VRMF			APARs		Fix
IBM WebSphere Portal	8.0.0 through 8.0.0.1	PI86843		Upgrade to Fix Pack 8.0.0.1 with 
								Cumulative Fix 22 (CF22) and then 
								apply the Interim Fix PI86843.
								(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1)
IBM WebSphere Portal	7.0.0 through 7.0.0.2	PI86843		Upgrade to Fix Pack 7.0.0.2 with 
								Cumulative Fix 30 (CF30) and then 
								apply the Interim Fix PI86843.
								(Combined Cumulative fixes for WebSphere Portal 7.0.0.2)

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

7 February 2018: Original version published
8 February 2018: Updated all APAR references to PI86843
28 February 2018: Added CVE-2017-12626

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWpeMUIx+lLeg9Ub1AQj3IRAAkudk1X5x4AYM0GfPy6zKsFi6BV5uFQ75
tkVgWdTbIg+GBFh3f1nBas/FfqWalk584e8kjtlzsdJHxjMiNVFI2BhVjOlyypNY
v8H8NhgsjHYHCM6eoKQIFu67d4GfgP7afWTCVkXAa/ZM7Y1YoRJpLiSR3RKvYL9n
67nmX4InvB7Q7cc0nZ+nsUF2cC08x8i5kuqADmavs4kdUve1Zex3jF6JbUE9gKKJ
+MYqcoiR4NqFbXEVaySJ+fuvGHpyxeoG8I+9MebKFxmnIACT8vnTeLx/x5Yphj8y
kuqFDP+D3U9ryxlR5MOjhtsh3PYeYBokmuFTqgULswQ+jXGiWipHXxapBDYn7Vuo
6YUqEkcffwvGhEpUExHcmPaV5DwXTbII3MqLcDG5kR7j5+6zNqmosksonZuzOic1
F54azoe4DrodrfKKeJOut8bfhshlQywqeEDjVS3BxDlAHMESY98hX3PBB2UTIYg8
DupCx490mP+WZpoR+IqZJfKK28uvwvm+HZThLztpyyTSamCaHDvH2ztbbMQwDAJO
igQggQk6NjG758vvreGf+R2rranUTmBSrt9RgehrmyFl59l4shmjdosjKbONk8Eq
aRnideV55D5V0DW7exfCqNmpC8iAvASE+yC4dmlksPARZy0IvuJb7u7C+OTub393
6Uz1Zn1ZN0o=
=+X54
-----END PGP SIGNATURE-----

« Back to bulletins