ESB-2018.1775 - [Win][Linux][HP-UX][Solaris][AIX] IBM InfoSphere Information Server: Multiple vulnerabilities 2018-06-15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1775
       Security Bulletin: Vulnerabilities in GSKit and GSKit-Crypto
                 affect IBM InfoSphere Information Server
                               15 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Information Server
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   HP-UX
                   Linux variants
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1447 CVE-2018-1428 CVE-2017-3736
                   CVE-2017-3732 CVE-2016-0705 

Reference:         ASB-2018.0093
                   ASB-2018.0092
                   ASB-2018.0088
                   ESB-2016.0547
                   ESB-2016.0544
                   ESB-2016.0543.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22015468

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in GSKit and GSKit-Crypto affect IBM
InfoSphere Information Server

More support for: InfoSphere Information Server

Software version: 9.1, 11.3, 11.5, 11.7

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2015468

Modified date: 14 June 2018

Security Bulletin

Summary

Vulnerabilities in GSKit and GSKit-Crypto were addressed by IBM InfoSphere
Information Server.

Vulnerability Details

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit this
vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagating bug in the x86_64 Montgomery
squaring procedure. An attacker could exploit this vulnerability to obtain
information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1428
DESCRIPTION: IBM GSKit uses weaker than expected cryptographic algorithms that
could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/139073 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting
in weaker than expected protection of passwords. A weak password may be
recovered.
Consider changing your passwords to ensure that the new passwords are stored
more securely.
CVSS Base Score: 5.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5 and 11.7

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7     |JR59097  |--New installations of IBM InfoSphere          |
|Information|         |         |Information Server version 11.7.0.1 (and later)|
|Server,    |         |         |are not vulnerable                             |
|Information|         |         |--If IBM InfoSphere Information Server version |
|Server on  |         |         |11.7.0.0 or earlier was installed, apply       |
|Cloud      |         |         |Information Server Framework Security patch    |
|           |         |         |--Consider changing your passwords to ensure   |
|           |         |         |that the new passwords are stored more         |
|           |         |         |securely.                                      |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.5     |JR59097  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |version 11.5.0.2                               |
|Server,    |         |         |--Apply Information Server Framework Security  |
|Information|         |         |patch                                          |
|Server on  |         |         |--Consider changing your passwords to ensure   |
|Cloud      |         |         |that the new passwords are stored more         |
|           |         |         |securely.                                      |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.3     |JR59097  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |version 11.3.1.2                               |
|Server     |         |         |--Apply Information Server Framework Security  |
|           |         |         |patch                                          |
|           |         |         |--Consider changing your passwords to ensure   |
|           |         |         |that the new passwords are stored more         |
|           |         |         |securely.                                      |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |9.1      |JR59097  |--Upgrade to a new release                     |
|Information|         |         |                                               |
|Server     |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+

For IBM InfoSphere Information Server version 9.1, IBM recommends upgrading to
a fixed, supported version/release/platform of the product.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical
Support.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

14 June 2018: Original Version Published

*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

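Cross reference information

+-----------+-----------+---------+------------------+----------+-------+
|Segment    |Product    |Component|Platform          |Version   |Edition|
+-----------+-----------+---------+------------------+----------+-------+
|Information|InfoSphere |         |AIX, HP-UX, Linux,|9.1, 11.5,|       |
|Management |Information|         |Solaris, Windows  |11.3, 11.7|       |
|           |Server     |         |                  |          |       |
+-----------+-----------+---------+------------------+----------+-------+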

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
