ESB-2018.1715 - [Linux] IBM QRadar SIEM: Multiple vulnerabilities 2018-06-08

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1715
     Security vulnerabilities have been identified in IBM QRadar SIEM
                                8 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data   -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1612 CVE-2017-5754 CVE-2017-5753
                   CVE-2017-5715  

Reference:         ASB-2018.0116
                   ASB-2018.0101
                   ASB-2018.0002.4
                   ESB-2018.0044
                   ESB-2018.0042.2

Original Bulletin: 
   https://www-01.ibm.com/support/docview.wss?uid=swg22017062
   https://www-01.ibm.com/support/docview.wss?uid=swg22016636

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM QRadar Incident Forensics is vulnerable to
authentication bypass. (CVE-2018-1612)

More support for: IBM QRadar SIEM
Software version: 7.2, 7.3
Operating system(s): Linux
Software edition: All Editions
Reference #: 2017062
Modified date: 06 June 2018

Security Bulletin

Summary

IBM QRadar Incident Forensics could allow a remote attacker to bypass
authentication.

Vulnerability Details

CVEID: CVE-2018-1612
DESCRIPTION: IBM QRadar Incident Forensics could allow a remote attacker to
bypass authentication and obtain sensitive information.
CVSS Base Score: 5.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/144164 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar SIEM 7.2.0 - 7.2.8 Patch 11

IBM QRadar SIEM 7.3.0 - 7.3.1 Patch 4

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.2.8 Patch 12
QRadar / QRM / QVM / QRIF / QNI 7.3.1 Patch 4 Interim Fix 1

Workarounds and Mitigations

The following technical note provides a mitigation for this vulnerability.
http://www-01.ibm.com/support/docview.wss?uid=swg22016816

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has
reported this vulnerability to Beyond Security SecuriTeam Secure Disclosure
program.

Change History

06 June, 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM has released 7.3.1 Patch 4, and 7.2.8 Patch
13 in response to the vulnerabilities known as Spectre and Meltdown.

More support for: IBM QRadar SIEM
                  PSIRT
Software version: 7.3
Operating system(s): Linux
Software edition: All Editions
Reference #: 2016636
Modified date: 06 June 2018

Security Bulletin

Summary

IBM has released the following 7.3.1 Patch 4, and 7.2.8 Patch 13 for IBM QRadar
SIEM in response to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754

Vulnerability Details

CVEID: CVE-2017-5753

CVEID: CVE-2017-5715

CVEID: CVE-2017-5754

Affected Products and Versions

IBM QRadar SIEM 7.3.0 - 7.3.1 Patch 3
IBM QRadar Risk Manager 7.3.0 - 7.3.1 Patch 3
IBM QRadar Vulnerability Manager 7.3.0 - 7.3.1 Patch 3
IBM QRadar Incident Forensics 7.3.0 - 7.3.1 Patch 3
IBM QRadar SIEM 7.2.0 - 7.2.8 Patch 12
IBM QRadar Risk Manager 7.2.0 - 7.2.8 Patch 12
IBM QRadar Vulnerability Manager 7.2.0 - 7.2.8 Patch 12
IBM QRadar Incident Forensics 7.2.0 - 7.2.8 Patch 12

Remediation/Fixes

QRadar/QRM/QVM/QRIF/QNI 7.3.1 Patch 4
QRadar/QRM/QVM/QRIF/QNI 7.2.8 Patch 13

For IBM QRadar SIEM 7.1 IBM recommends upgrading to a fixed, supported version/
release/platform of the product.

Workarounds and Mitigations

Please note in order to mitigate CVE-2017-5715 Spectre Variant #2, microcode
will need to be updated on all appliances along with the Kernel update that is
included in the QRadar Patch. Please see the links below for available
microcode updates.

For Lenovo Appliance M5 Firmware using ISO/IMM, see:
Lenovo x3550 M5 and Lenovo x3650 M5

For Lenovo Appliance M4 Firmware using USB Key Installs
1U USB: Qradar_1U_M4_MT7914_Qflow_15xxEC_2100_Firmware_Update_5_0_0
2U USB: Qradar_2U_M4_MT5466_xx05_xx28_QIF_PCAP_Firmware_Update_5_0_0

For Lenovo Appliance M4 Firmware using ISO/IMM Installs
1U ISO: Qradar_ISO_1U_M4_MT7914_Qflow_15xxEC_2100_Firmware_Update_5_0_0
2U ISO: Qradar_ISO_2U_M4_MT5466_xx05_xx28_QIF_PCAP_Firmware_Update_5_0_0

For Dell Appliances, see:
For Dell R630 and R730 appliances select your Operating System and Download
Version 2.7.1 BIOS

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

06 June, 2018:Bulletin Updates

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWxnd4maOgq3Tt24GAQjIig//aGwcZxzhSx8KKbmxo30PjtQd3Ie198mj
0kDhagfSJGA5ALhiDnnu9VNOMV5zMu7YeUASgZWTpGlVznbJseIlmPIO1vxwf5NK
FrYudvE44v4WPOdnkh6LktjHLTdc2hNey6YmlqCdr1XVjaEw0Pud5F/KcL7SKAIO
ikfnwWm7LxaebeTih314BsLc9PIdK8lKezslXSLRfe4TWIUVNwUM9peWiIH4ACpE
j2HTgh+F43t+Qkezv5Vjn3Aqb3MBNJA11Dc7oBPviYcjkiFcuRc+5qjg/rnhjaHQ
Y9my6tRKqtQGumIXrIsRCvalXtlzucGPGfQ2eejgq/3/Y24LTgm41BwWVeyjLdM7
Ul1yx7XHUaVVvBXuVp7hvY0pcAaVtRwxgdA/rf9T7jAWNkMNN2cs83l0wXj5qN9a
g+jehlXndGUlhX9JpHGx9HQ3Pp11ZFUZb3XzjWd5sv1SF4uPdCe5tv4ISnXNnCVZ
Gw5Yta+nz8ihAEUFZnjDbcwl7aWpCWEeeVqLQ336sW10ZGjRTI33NiQ9f7hA1KHD
sMW8EVMdMVQKPIBm8ltDKUvr42jsP0ofk+YNI5yZ93AK5CUmXn+DHbR5vi+1ltZH
nC81+6httIU9M3mmG6qQJLR1Cc0y7r/+NPRMHZI0ptHIsSSjjXYXMRrwCLL6MfMS
ugMzfKoZXUU=
=xPyp
-----END PGP SIGNATURE-----

« Back to bulletins