ESB-2018.1282 - [Linux] IBM Security QRadar SIEM: Multiple vulnerabilities 2018-04-26

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1282
     Multiple Vulnerabilities have been identified in IBM QRadar SIEM
                               26 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1418 CVE-2017-1724 CVE-2017-1723
                   CVE-2017-1722 CVE-2017-1721 CVE-2016-9878
                   CVE-2016-9749 CVE-2016-5007 CVE-2016-4970
                   CVE-2016-3092 CVE-2015-5262 CVE-2015-0250
                   CVE-2014-3577 CVE-2014-3576 CVE-2014-0193
                   CVE-2014-0050 CVE-2011-4905 CVE-2011-4314
                   CVE-2011-1498  

Reference:         ASB-2018.0089
                   ASB-2018.0087
                   ASB-2018.0083
                   ESB-2012.0409
                   ESB-2012.0335
                   ESB-2012.0268
                   ESB-2011.1224

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22015807
   http://www.ibm.com/support/docview.wss?uid=swg22015802
   http://www.ibm.com/support/docview.wss?uid=swg22015486
   http://www.ibm.com/support/docview.wss?uid=swg22015797
   http://www.ibm.com/support/docview.wss?uid=swg22015813
   http://www.ibm.com/support/docview.wss?uid=swg22015799
   http://www.ibm.com/support/docview.wss?uid=swg22015804
   http://www.ibm.com/support/docview.wss?uid=swg22015821
   http://www.ibm.com/support/docview.wss?uid=swg22015818
   http://www.ibm.com/support/docview.wss?uid=swg22015823
   http://www.ibm.com/support/docview.wss?uid=swg22015815
   http://www.ibm.com/support/docview.wss?uid=swg22015810
   http://www.ibm.com/support/docview.wss?uid=swg22015814

Comment: This bulletin contains thirteen (13) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting.
(CVE-2017-1724)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015807

Modified date: 24 April 2018

Security Bulletin

Summary

The product allows users to embed arbitrary JavaScript code in the Web UI, thus
altering the intended functionality and allowing spoofing attacks.

Vulnerability Details

CVEID: CVE-2017-1724
DESCRIPTION: IBM QRadar is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
thus altering the intended functionality and potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134814 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 - 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Henri Salo

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to SQL Injection.
(CVE-2017-1722)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015802

Modified date: 24 April 2018

Security Bulletin

Summary

QRadar used an insecure method for generating SQL queries and as such was
vulnerable to SQL injection, where an attacker injects arbitrary SQL into
database queries in order to retrieve information from the database.

Vulnerability Details

CVEID: CVE-2017-1722
DESCRIPTION: IBM QRadar is vulnerable to SQL injection. A remote attacker could
send specially-crafted SQL statements, which could allow the attacker to view,
add, modify or delete information in the back-end database.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134811 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 - 7.3.0 Patch 7

IBM QRadar 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Henri Salo

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Contact Optimization is Impacted by a Lack of Input
Validation (CVE-2016-9749)

Document information

More support for: IBM Contact Optimization

Software version: 8.6, 9.0, 9.1, 9.1.1, 9.1.2, 10.0

Operating system(s): AIX, Linux, Solaris, Windows

Software edition: Enterprise

Reference #: 2015486

Modified date: 24 April 2018

Security Bulletin

Summary

IBM Contact Optimization could allow an authenticated user with access to the
local network to bypass security due to a lack of input validation.

Vulnerability Details

CVEID: CVE-2016-9749
DESCRIPTION: IBM Contact Optimization could allow an authenticated user with
access to the local network to bypass security due to lack of input validation.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120206 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Contact Optimization 8.6, 9.0, 9.1.0, 9.1.1, 9.1.2, 10.0

Remediation/Fixes

Product:          IBM Contact Optimization
VRMF:             9.1.0.13
Remediation/Fix:  https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Unica+Optimize&release=9.1.0.13&platform=All&function=all

Product:          IBM Contact Optimization
VRMF:             9.1.2.5
Remediation/Fix:  https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Unica+Optimize&release=9.1.2.5&platform=All&function=all

Product:          IBM Contact Optimization
VRMF:             10.1.0.1
Remediation/Fix:  https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Unica+Optimize&release=10.1.0.1&platform=All&function=all

IBM Contact Optimization 8.6 has reached end of support, so no security fixes
will be available for version 8.6. As per support policy, no fixes will be
provided for versions 9.0, 9.1.1 and 10.0. It is recommended that customers
migrate to supported versions to receive security fixes.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

Contact Optimization

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar Incident Forensics, as found in IBM QRadar SIEM,
is vulnerable to an authentication bypass leading to remote command injection.
(CVE-2018-1418)

Security Bulletin

Summary

An authentication bypass leading to remote command injection has been found in
IBM QRadar Incident Forensics.

Vulnerability Details

CVEID: CVE-2018-1418
DESCRIPTION: IBM QRadar Incident Forensics could allow a user to bypass
authentication which could lead to code execution.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138824 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 to 7.3.1 Patch 2

IBM QRadar SIEM 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has
reported this vulnerability to Beyond Security SecuriTeam Secure Disclosure
program.

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components and
libraries. (CVE-2016-5007, CVE-2016-9878)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015797

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2016-5007
DESCRIPTION: Pivotal Spring Security and Spring Framework could provide weaker
than expected security, caused by the difference in the strictness of the
pattern matching mechanisms. An attacker could exploit this vulnerability to
launch further attacks on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
126679 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-9878
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to traverse
directories on the system, caused by improper validation of user-supplied
paths. An attacker could send a specially-crafted request to the
ResourceServlet containing "dot dot" sequences (/../) to view arbitrary files
on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar 7.3.0 to 7.3.1 Patch 2

IBM QRadar 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3


Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar Incident Forensics, as found in IBM QRadar SIEM,
is vulnerable to remote code execution. (CVE-2017-1721)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015799

Modified date: 24 April 2018

Security Bulletin

Summary

IBM QRadar Incident Forensics uses insecure functions such as eval that execute
code from a string and as such is vulnerable to remote code execution attacks.

Vulnerability Details

CVEID: CVE-2017-1721
DESCRIPTION: IBM QRadar could allow an unauthenticated user to execute code
remotely with lower level privileges under unusual circumstances.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134810 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 7

IBM QRadar SIEM 7.2.8 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Henri Salo

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar Incident Forensics, as used in IBM QRadar SIEM,
is vulnerable to authenticated path traversal. (CVE-2017-1723)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015804

Modified date: 24 April 2018

Security Bulletin

Summary

QRadar uses raw string concatenation to build paths from user input and as such
is vulnerable to path traversal attacks where an attacker arbitrarily alters
the path.
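The path-building defect described above (user input joined onto a base directory by plain string concatenation) beside a hardened replacement, as an added example that is not QRadar's or IBM's code; EVIDENCE_ROOT, the request names and the helper functions are constructed placeholders, not the product's real paths or parameters.

```python
"""Path building from user input: the concatenation pattern described above,
a check showing why it is unsafe, and a hardened replacement.

Added example, not IBM's or QRadar's code.  EVIDENCE_ROOT and the request
names used below are constructed placeholders.
"""
import os
import posixpath
from urllib.parse import unquote

EVIDENCE_ROOT = "/srv/forensics/evidence"   # constructed placeholder root


def build_path_concat(root: str, requested: str) -> str:
    """Vulnerable pattern: the request string is glued onto the root as-is,
    so a name carrying "/../" segments resolves outside the root."""
    return root + "/" + requested


def concat_escapes_root(root: str, requested: str) -> bool:
    """True when the concatenated path, normalised the way the OS resolves it,
    no longer lies below the root.  Purely lexical, no filesystem access."""
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(build_path_concat(root, requested))
    return posixpath.commonpath([root, resolved]) != root


def build_path_checked(root: str, requested: str) -> str:
    """Hardened pattern: decode the segment once (assumes the web layer hands
    over the raw, still-encoded value; drop unquote() if it already decoded),
    reject absolute paths and NUL bytes, canonicalise with realpath so symlinks
    and ".." are resolved, then require the result to sit below the root."""
    decoded = unquote(requested)
    if "\x00" in decoded or decoded.startswith("/"):
        raise ValueError("rejected request %r: absolute path or NUL byte" % requested)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("rejected request %r: resolves outside %s" % (requested, root))
    return candidate


def is_rejected(root: str, requested: str) -> bool:
    """Does the hardened builder refuse this request?"""
    try:
        build_path_checked(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # "case42/../case42/report.pdf" stays inside the root: a naive "contains .."
    # filter would wrongly block it, while the realpath check accepts it.
    for name in ("case42/report.pdf", "case42/../case42/report.pdf",
                 "../../other-tenant/notes.txt", "%2e%2e/%2e%2e/other-tenant/notes.txt"):
        print(f"{name!r}: concat escapes root={concat_escapes_root(EVIDENCE_ROOT, name)}, "
              f"hardened rejects={is_rejected(EVIDENCE_ROOT, name)}")
```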

Vulnerability Details

CVEID: CVE-2017-1723
DESCRIPTION: IBM QRadar could allow a remote attacker to traverse directories
on the system. An attacker could send a specially-crafted URL request
containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134812 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

QRadar / QRIF / QNI 7.3.0 to 7.3.0 Patch 7

QRadar / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Henri Salo

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components and
libraries. (CVE-2011-4314)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015821

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2011-4314
DESCRIPTION: OpenID4Java could allow a remote attacker to bypass security
restrictions, caused by the improper verification of the Attribute Exchange
(AX) signature. A remote attacker could exploit this vulnerability to
manipulate AX information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
67361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 to 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components and
libraries. (CVE-2014-0193, CVE-2016-4970)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015818

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2014-0193
DESCRIPTION: Netty is vulnerable to a denial of service, caused by an error in
the WebSocket08FrameDecoder implementation. A remote attacker could exploit
this vulnerability to exhaust all available memory resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
93006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-4970
DESCRIPTION: Netty is vulnerable to a denial of service, caused by the improper
handling of renegotiation by the OpenSslEngine. If renegotiation is enabled, a
remote attacker could exploit this vulnerability to cause the application to
enter into an infinite loop.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
122029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 to 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components and
libraries. (CVE-2011-4905, CVE-2014-3576)

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015823

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2011-4905
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by an
error in the failover mechanism when handling an openwire connection request.
By sending a specially-crafted request, a remote attacker could exploit this
vulnerability to cause the broker service to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
71620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3576
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by an
error in the processControlCommand function in broker/TransportConnection.java.
A remote attacker could use the shutdown command to shutdown the service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
107290 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 to 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components and
libraries. (CVE-2011-1498, CVE-2014-3577, CVE-2015-5262)

PSIRT

Security Bulletin

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015815

Modified date: 24 April 2018

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2011-1498
DESCRIPTION: Apache HttpComponents could allow a remote attacker to obtain
sensitive information, caused by an unspecified error in HttpClient. An
attacker could exploit this vulnerability to have the Proxy-Authorization
header sent on to the target host and disclose the user's proxy password.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
66241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3577
DESCRIPTION: Apache HttpComponents could allow a remote attacker to conduct
spoofing attacks, caused by the failure to verify that the server hostname
matches a domain name in the Subject's Common Name (CN) or SubjectAltName
field of the certificate. By persuading a victim to visit a Web site presenting
a specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
95327 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
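
The check that CVE-2014-3577 concerns, written out as an added illustration
(this is not HttpComponents code and is not part of IBM's bulletin): a hostname
verifier that takes identities from the structured certificate fields in the
form Python's ssl.SSLSocket.getpeercert() returns, prefers subjectAltName and
ignores the CN whenever a SAN is present, and honours a wildcard only as the
whole left-most label. Reading the CN out of the subject as RDN tuples rather
than by splitting the DN string is the point: a CN-looking value smuggled into
another subject attribute must not count. The certificates below are
constructed. In production leave this to the TLS library (Python's ssl module
performs it when check_hostname is True) rather than reimplementing it.

```python
import ipaddress

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname (RFC 6125 rules):
    case-insensitive, trailing dot ignored, '*' accepted only as the entire
    left-most label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False          # partial wildcards such as 'w*.example.com' are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False          # '*.com' must not match 'example.com'; no multi-label matches
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is a valid identity for `cert`.

    `cert` uses the getpeercert() layout:
      {'subject': ((('commonName', 'x'),), ...),
       'subjectAltName': (('DNS', 'x'), ('IP Address', '192.0.2.1'), ...)}
    The subject is walked as structured RDNs, never as a DN string.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    # A SAN extension is authoritative: the CN is ignored entirely.
    if dns_names or ip_names:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            return any(_dns_name_match(n, hostname) for n in dns_names)
        return any(ipaddress.ip_address(n) == ip for n in ip_names)

    # No SAN: fall back to commonName RDN values taken from the structured subject.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(cn, hostname) for cn in cns)

# Constructed certificates (not real), in getpeercert() form.
CERT_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
CERT_SAN_ONLY_OTHER = {          # SAN present, so the CN below must be ignored
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
CERT_SMUGGLED_CN = {             # CN-looking text hidden inside the O attribute
    "subject": ((("organizationName", "Evil Co, CN=www.example.com"),),
                (("commonName", "attacker.example"),)),
}
CERT_BROAD_WILDCARD = {"subject": ((("commonName", "*.com"),),)}
CERT_IP = {"subjectAltName": (("IP Address", "192.0.2.10"),)}

if __name__ == "__main__":
    print(hostname_matches(CERT_SAN, "api.example.net"))          # True
    print(hostname_matches(CERT_SMUGGLED_CN, "www.example.com"))  # False
```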

CVEID: CVE-2015-5262
DESCRIPTION: Apache Commons HttpClient is vulnerable to a denial of service,
caused by the failure to apply the configured connection timeout during the
initial handshake of an HTTPS connection. An attacker could exploit this
vulnerability to hold open multiple connections and exhaust all available
resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
106932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
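
CVE-2015-5262 is an ordering problem: the connect timeout stops applying before
the TLS handshake, so a peer that completes the TCP connection and then never
answers pins a client thread indefinitely. The Python example below is added
here for illustration and is not HttpClient's code or part of the bulletin. It
shows the faulty ordering (timeout on connect only, removed before the
handshake) beside the correct one (deadline kept on the socket through
wrap_socket, so do_handshake raises socket.timeout), against a constructed
silent peer on localhost that accepts TCP and never sends a byte. Only the
correct variant is exercised; the faulty one blocks forever against that peer.

```python
import socket
import ssl
import threading
import time

def start_silent_peer():
    """Constructed test peer, not a real server: accepts TCP connections and
    never sends a byte, so a client's TLS handshake can only end by timing out.
    Returns the bound (host, port) and an Event that stops the peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)            # lets the accept loop poll the stop flag
    stop = threading.Event()
    held = []                      # accepted sockets are kept open and never answered

    def loop():
        while not stop.is_set():
            try:
                held.append(srv.accept()[0])
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname(), stop

def _context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False     # the test peer has no certificate; irrelevant to the timeout point
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def tls_connect_bad(host, port, timeout):
    """Faulty pattern: the timeout covers the TCP connect only and is removed
    before the TLS handshake. Against a silent peer this never returns."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw.settimeout(timeout)
    raw.connect((host, port))
    raw.settimeout(None)           # "back to blocking": the handshake now has no deadline
    return _context().wrap_socket(raw, server_hostname=host)  # do_handshake() blocks forever

def tls_connect_good(host, port, timeout):
    """Correct pattern: the deadline stays on the socket through wrap_socket(),
    so do_handshake() raises socket.timeout when the peer never responds."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return _context().wrap_socket(raw, server_hostname=host)

def handshake_timeout_seconds(host, port, timeout=0.5):
    """Seconds until tls_connect_good gave up, or None if it did not time out."""
    start = time.monotonic()
    try:
        tls_connect_good(host, port, timeout).close()
    except socket.timeout:
        return time.monotonic() - start
    return None

def demo(timeout=0.5):
    (host, port), stop = start_silent_peer()
    try:
        return handshake_timeout_seconds(host, port, timeout)
    finally:
        stop.set()

if __name__ == "__main__":
    print("handshake abandoned after %.2fs" % demo())
```

The same rule applies to any client stack: set the read/handshake deadline on
the transport before the TLS layer is layered on top of it, and verify it with
a peer that stalls after the TCP accept, since a normal server never exercises
this path.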

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 to 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains vulnerable components.
(CVE-2015-0250)

PSIRT

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015810

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2015-0250
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive
information. By persuading a victim to open a specially-crafted SVG file, an
attacker could exploit this vulnerability to reveal files and obtain sensitive
information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
101614 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
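
CVE-2015-0250 belongs to the external-entity class of problem: an SVG file is
XML, and an XML parser that resolves SYSTEM entities will fetch a local file
and splice its contents into the document, where a renderer then displays it.
The Python example below is added here for illustration; it is not Batik's
code and not part of the bulletin. It parses a constructed SVG with xml.sax
twice, once with external general entities enabled (the vulnerable behaviour)
and once disabled (the fix), and returns the text each run would render. The
"secret" file is a temporary file the example creates itself; the parser
feature flag is real, the document and file are made up.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

class TextCollector(ContentHandler):
    """Collect the character data of every <text> element: the part of an SVG a
    renderer draws, and therefore the channel an external entity leaks through."""
    def __init__(self):
        super().__init__()
        self.in_text = False
        self.text = []

    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True

    def endElement(self, name):
        if name == "text":
            self.in_text = False

    def characters(self, content):
        if self.in_text:
            self.text.append(content)

def render_text(svg_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an SVG and return the text it would display.
    resolve_external_entities=True reproduces the vulnerable behaviour: SYSTEM
    entities are read from disk (or fetched by URL) and expanded in place.
    False is the hardened setting: the reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.text)

def demo():
    """Constructed scenario: a temp file standing in for a sensitive file, and an
    SVG whose internal DTD subset declares an external entity pointing at it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")
        secret_path = f.name
    svg = f'''<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">
  <text x="0" y="20">&xxe;</text>
</svg>'''.encode()
    try:
        leaked = render_text(svg, resolve_external_entities=True)
        safe = render_text(svg, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser rendered:", repr(leaked))
    print("hardened parser rendered:  ", repr(safe))
```

Disabling external general entities (and, in parsers that support it, DTD
loading altogether) is the general fix for any component that accepts XML
from untrusted sources, SVG included.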

Affected Products and Versions

IBM QRadar 7.3.0 to 7.3.1 Patch 2

IBM QRadar 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: QRadar SIEM contains vulnerable components and libraries.
(CVE-2014-0050, CVE-2016-3092)

PSIRT

Document information

More support for: IBM Security QRadar SIEM

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 2015814

Modified date: 24 April 2018

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2014-0050
DESCRIPTION: Apache Commons FileUpload, as used in Apache Tomcat, Solr, and
other products is vulnerable to a denial of service, caused by the improper
handling of Content-Type HTTP header for multipart requests by
MultipartStream.java. An attacker could exploit this vulnerability using a
specially crafted Content-Type header to cause the application to enter into an
infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
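
Both FileUpload issues above are reached through the boundary parameter of a
multipart Content-Type header. As an added hardening example serving both
CVE-2014-0050 and CVE-2016-3092 (this is not Commons FileUpload's own fix and
not part of the bulletin): a pre-check that rejects any boundary outside the
RFC 2046 grammar, that is 1 to 70 characters from a fixed alphabet and not
ending in a space, before the request body ever reaches a multipart parser.
The sample header values are constructed.

```python
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# RFC 2046 section 5.1.1: boundary := 1 to 70 bchars, and must not end with a space.
_BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")

def multipart_boundary(content_type: str) -> str:
    """Return the boundary from a multipart Content-Type value, or raise
    ValueError so an untrusted boundary never reaches the multipart parser."""
    msg = Message()
    msg["Content-Type"] = content_type        # reuse the stdlib MIME header parser
    if msg.get_content_maintype() != "multipart":
        raise ValueError("not a multipart body")
    boundary = msg.get_param("boundary")
    if boundary is None:
        raise ValueError("multipart Content-Type without a boundary parameter")
    boundary = collapse_rfc2231_value(boundary)  # RFC 2231-encoded params come back as a tuple
    if not _BCHARS.match(boundary) or boundary.endswith(" "):
        raise ValueError(
            f"boundary rejected (length {len(boundary)}; RFC 2046 allows 1-70 bchars)")
    return boundary

def looks_safe(content_type: str) -> bool:
    """True if the header would be allowed through to the multipart parser."""
    try:
        multipart_boundary(content_type)
        return True
    except ValueError:
        return False

# Constructed sample header values.
SAMPLES = {
    "browser":  "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted":   'multipart/form-data; boundary="a b"',
    "oversize": "multipart/form-data; boundary=" + "A" * 4096,   # the DoS-class input
    "missing":  "multipart/form-data",
    "notmp":    "application/json",
    "trailing": 'multipart/form-data; boundary="ends-with-space "',
}

def classify_samples() -> dict:
    return {name: looks_safe(value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:9s} {'accept' if ok else 'reject'}")
```

The check is cheap, runs before any body bytes are consumed, and also rejects
the non-attack cases (missing boundary, wrong media type) that a lenient parser
would otherwise guess its way through.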

Affected Products and Versions

QRadar / QRM / QVM / QRIF / QNI 7.3.0 to 7.3.1 Patch 2

QRadar / QRM / QVM / QRIF / QNI 7.2.0 to 7.2.8 Patch 11

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 3

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

24 April 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWuFbaIx+lLeg9Ub1AQjcDA//WPXIvnJ9c4d9Pgu4KD4l7b60WpYh9OV6
AoE8OSGRZviNcgyLtzrurPJcMx/9hhTkF5OhoFO1x4cTsY+iA89xY6aotbjEmqMq
+zdgPRtF3SfK+0O68JONRamY23vMhURNvAuDA79LVvRICWvikoVIQwILxhFeNoHJ
0KaHaLptfT7Oa2arxybD0gRO+O5bKhp/RuohWpJr/bHaz3pvERdZSxTZ0kg1JnsX
suE0MOGKXGIzqeL+eOXlYUhQFUSc/jH8Mm8Igwd8MdJOvoo12c2xzJXqY+9k6Ezy
O/KcMPTfdgjSrS0vkSWO6Oh7+5GjYJIN/52MYkTDLKWhpRyX2sI1YStqE78xScdJ
uh7yC7VQR3Hq+VdC38hKbG+/IL4tGWocGqIsx3hGEAPcxAa5hB2yeFapx1yVfEsC
yQlKlhCs3HJuMuEwp620Y7BQKqO8nPzncMixo3yPbj/eZkorGZNibYLtp8UwT4is
lIB8l4comOHBiSeiUiX0rfzsOYoNk8iJBecgHE6J9PEZcSpZ1CZCUOXLcpHzLldF
fUqZ19Qy+z/lR6x58owW1N7ZfH3PyUMaf7g9zqqG8LcZWsuWkbT4Z+qaC80AJKsS
kQVNkX5u1j3VfWwiLzZkIwFNOSvFaHFeCtSvCF1Syz9TteDtqJWEiGmEgaz3y6Zm
5u0+5n6nXlw=
=40Ze
-----END PGP SIGNATURE-----
