ESB-2018.2962 - [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server: Multiple vulnerabilities 2018-10-02

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2962
         Multiple security vulnerabilities have been identified in
                     IBM WebSphere Application Server
                              2 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8039 CVE-2018-1794 CVE-2018-1793
                   CVE-2018-1447 CVE-2018-1427 CVE-2018-1426
                   CVE-2017-3736 CVE-2017-3732 CVE-2016-0705
                   CVE-2016-0702  

Reference:         ASB-2018.0170
                   ASB-2018.0093
                   ASB-2018.0092
                   ASB-2018.0088
                   ESB-2016.0560
                   ESB-2016.0547
                   ESB-2016.0544
                   ESB-2016.0543.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10733243
   http://www.ibm.com/support/docview.wss?uid=ibm10729571
   http://www.ibm.com/support/docview.wss?uid=ibm10729563
   http://www.ibm.com/support/docview.wss?uid=ibm10732391

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A Security Vulnerability has been Identified in Websphere
Application Server Shipped with Predictive Customer Intelligence
(CVE-2018-8039)

Security Bulletin

Document information

More support for: Predictive Customer Intelligence

Software version: 1.1.2

Operating system(s): Linux, Windows

Reference #: 0733243

Modified date: 01 October 2018

Summary

Websphere Application Server is shipped with Predictive Customer Intelligence.
Information about a security vulnerability affecting Websphere Application
Server has been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin Security Bulletin: Potential MITM attack
in Apache CXF used by WebSphere Application Server (CVE-2018-8039) for
vulnerability details and information about fixes.

Affected Products and Versions

Predictive Customer Intelligence versions 1.1.2

Remediation/Fixes

Refer to the following security bulletin for vulnerability details and
information about fixes addressed by Websphere Application Server, which is
shipped with Predictive Customer Intelligence.

+---------------------------+---------------------------+-----------------------+
|Principal Product and      |Affected Supporting Product|Affected Supporting    |
|Version(s)                 |and Version                |Product Security       |
|                           |                           |Bulletin               |
+---------------------------+---------------------------+-----------------------+
|Predictive Customer        |Websphere Application      |Security Bulletin:     |
|Intelligence 1.1.2         |Server 9.0.0.4             |Potential MITM attack  |
|                           |                           |in Apache CXF used by  |
|                           |                           |WebSphere Application  |
|                           |                           |Server (CVE-2018-8039) |
+---------------------------+---------------------------+-----------------------+

Workarounds and Mitigations

none

Change History

27 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Cross-site scripting vulnerability in OAuth ear in WebSphere
Application Server (CVE-2018-1794)

Security Bulletin

Document information

More support for: WebSphere Application Server

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Advanced, Base, Developer, Enterprise, Express, Network
Deployment, Single Server

Reference #: 0729571

Modified date: 01 October 2018


Summary

There is a potential cross-site scripting vulnerability in the OAuth ear in
WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-1794
DESCRIPTION: IBM WebSphere Application Server using OAuth ear is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148949
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere
Application Server:

  o Version 9.0
  o Version 8.5
  o Version 8.0
  o Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing the APARs for each named product as soon as practical.

Note: After the interim fix for this APAR is installed, the fix will not be
active until the installed OAuth 2.0 client application,
WebSphereOauth20SP.ear, is updated from the (WAS_HOME)/installableApps
directory.  

WebSphereOauth20SP.ear may have initially been installed with the
installOAuth2Service.py script in the (WAS_HOME)/bin directory.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:

For V9.0.0.0 through 9.0.0.9:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01753
- --OR--
. Apply Fix Pack 9.0.0.10 or later (targeted availability 4Q 2018).

For V8.5.0.0 through 8.5.5.14:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01753
- --OR--
. Apply Fix Pack 8.5.5.15 or later (targeted availability 1Q 2019).

For V8.0.0.0 through 8.0.0.15:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01753

For V7.0.0.0 through 7.0.0.45:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01753

WebSphere Application Server V7 and V8 are no longer in full support; IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Acknowledgement

The vulnerability was reported to IBM by Benoit Côté-Jodoin

Change History

01 October 2018: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------------------------------------------------------------

Security Bulletin: Cross-site scripting vulnerability in SAML ear in WebSphere
Application Server (CVE-2018-1793)

Security Bulletin

Document information

More support for: WebSphere Application Server

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 0729563

Modified date: 01 October 2018

Summary

There is a potential cross-site scripting vulnerability in SAML ear in
WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-1793
DESCRIPTION: IBM WebSphere Application Server using SAML ear is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148948
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere
Application Server:

  o Version 9.0
  o Version 8.5
  o Version 8.0
  o Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing the APARs for each named product as soon as practical. 

NOTE: After the interim fix is installed, the interim fix will not be active
until the installed SAML ACS application, WebSphereSamlSP.ear, is updated from
the (WAS_HOME)/installableApps directory.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:

For V9.0.0.0 through 9.0.0.9:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01752
- --OR--
. Apply Fix Pack 9.0.0.10 or later (targeted availability 4Q 2018).

For V8.5.0.0 through 8.5.5.14:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01752
- --OR--
. Apply Fix Pack 8.5.5.15 or later (targeted availability 1Q 2019).

For V8.0.0.0 through 8.0.0.15:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01752

For V7.0.0.0 through 7.0.0.45:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH01752

WebSphere Application Server V7 and V8 are no longer in full support; IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.

Acknowledgement

The vulnerability was reported to IBM by Benoit Côté-Jodoin

Change History

01 October 2018: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------------------------------------------------------------

Security Bulletin: Multiple security vulnerabilities in GSKit used by Edge
Caching proxy of WebSphere Application Server

Security Bulletin

Document information

More support for: WebSphere Application Server

Software version: 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 0732391

Modified date: 01 October 2018

Summary

There are multiple security vulnerabilities in the GSKit used by Edge Caching
proxy of WebSphere Application Server.
This is a separate install from WebSphere Application Server. You only need to
apply this if you use the Edge Caching Proxy.

Vulnerability Details

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum
Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash
function resulting in weaker than expected protection of passwords. A weak
password may be recovered. Note: After update the customer should change
password to ensure the new password is stored more securely. Products should
encourage customers to take this step as a high priority action. IBM X-Force
ID: 139972.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
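
An added illustration of the CVE-2018-1447 description and its password-change
note (not IBM or GSKit code; the record layout, SHA-256 and PBKDF2 are
stand-ins, since the bulletin does not describe the CMS KDB format). Unsalted
records reveal which key databases share a password, and records written before
an update stay in the weak form until the password is changed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def protect_legacy(password):
    """Pre-fix behaviour: the same password always yields the same record."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return {"scheme": "unsalted", "hash": digest}


def protect_fixed(password, salt=None):
    """Post-fix behaviour: a random per-record salt feeds a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "salted", "salt": salt.hex(), "hash": digest.hex()}


def verify(record, password):
    """Check a password against a record of either scheme in constant time."""
    if record["scheme"] == "unsalted":
        candidate = protect_legacy(password)
    else:
        candidate = protect_fixed(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["hash"], record["hash"])


def shared_password_groups(store):
    """Key databases whose stored hashes are identical (same password)."""
    by_hash = {}
    for name, record in store.items():
        by_hash.setdefault(record["hash"], []).append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


def needs_password_change(store):
    """Records still in the old format; updating the library leaves them as is."""
    return sorted(n for n, r in store.items() if r["scheme"] == "unsalted")


def change_password(store, name, old, new):
    """Re-protect one record under the fixed scheme after checking the old one."""
    if not verify(store[name], old):
        raise ValueError("old password does not match")
    store[name] = protect_fixed(new)


def demo():
    # Constructed sample: two key databases created before the fix, same password.
    store = {"edge-a.kdb": protect_legacy("Winter2018"),
             "edge-b.kdb": protect_legacy("Winter2018")}
    before = shared_password_groups(store)
    pending = needs_password_change(store)  # unchanged by a code update alone
    for name in list(store):
        change_password(store, name, "Winter2018", "correct-horse-9f")
    return before, pending, shared_password_groups(store), needs_password_change(store)


if __name__ == "__main__":
    print(demo())
```
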

 

CVEID: CVE-2018-1427
DESCRIPTION: IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5,
and 11.1) contains several environment variables that a local attacker could
overflow and cause a denial of service. IBM X-Force ID: 139072.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139072
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

CVEID: CVE-2018-1426
DESCRIPTION: IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5,
and 11.1) duplicates the PRNG state across fork() system calls when multiple
ICC instances are loaded which could result in duplicate Session IDs and a risk
of duplicate key material. IBM X-Force ID: 139071.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
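
The failure class behind CVE-2018-1426, shown as an added example (not GSKit or
ICC code; `ToyDrbg` and its hash-chain design are constructed for
illustration). A generator whose state lives in process memory is copied by
fork(), so parent and child emit the same session ID unless the child reseeds.

```python
import hashlib
import os


class ToyDrbg:
    """Hash-chain generator held entirely in process memory (constructed)."""

    def __init__(self, seed, fork_safe):
        self._state = hashlib.sha256(seed).digest()
        self._fork_safe = fork_safe
        self._pid = os.getpid()

    def _reseed_if_forked(self):
        pid = os.getpid()
        if pid != self._pid:
            # Running in a child: fold fresh kernel entropy into the copied state.
            self._state = hashlib.sha256(self._state + os.urandom(32)).digest()
            self._pid = pid

    def session_id(self):
        if self._fork_safe:
            self._reseed_if_forked()
        out = hashlib.sha256(b"out" + self._state).hexdigest()[:32]
        self._state = hashlib.sha256(b"next" + self._state).digest()
        return out


def ids_after_fork(fork_safe):
    """Fork once and return (parent_id, child_id), both drawn after the fork."""
    drbg = ToyDrbg(os.urandom(32), fork_safe)
    drbg.session_id()  # generator is already in use before the fork
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: report its next session ID to the parent and exit immediately.
        os.close(read_fd)
        os.write(write_fd, drbg.session_id().encode())
        os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd, "rb") as reader:
        child_id = reader.read().decode()
    os.waitpid(pid, 0)
    return drbg.session_id(), child_id


if __name__ == "__main__":
    print("state copied :", ids_after_fork(fork_safe=False))
    print("reseed on pid:", ids_after_fork(fork_safe=True))
```

The PID comparison is the simplest form of the check; `os.register_at_fork(after_in_child=...)` achieves the same reseed without testing on every call.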

 

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagating bug in the x86_64 Montgomery
squaring procedure. An attacker could exploit this vulnerability to obtain
information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

 

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit this
vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

CVEID: CVE-2016-0702
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive
information, caused by a side-channel attack against a system based on the
Intel Sandy-Bridge microarchitecture. An attacker could exploit this
vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111144
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

These vulnerabilities affect the Edge Caching Proxy (separate install) shipped
with the following versions and releases of IBM WebSphere Application Server:

  o Version 9.0
  o Version 8.5
  o Version 8.0

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named product
as soon as practical.

Fix:
Apply an Interim Fix, Fix Pack or PTF containing APAR PH00635  if you use the
Edge Caching Proxy component (separate install from WebSphere Application
Server) as noted below:

For IBM WebSphere Application Server
For V9.0.0.0 through 9.0.0.8:

  o Upgrade to 9.0.0.7 or 9.0.0.8 fix pack level then apply Interim Fix
    9.0.8-WS-EDGECP-FP00000081.zip

- -- OR

  o Apply Fix Pack 9 (9.0.0.9), or later.

 
For V8.5.0.0 through 8.5.5.14:

  o Upgrade to 8.5.5.13 or 8.5.5.14 fix pack level and then apply Interim Fix
    8.5.5-WS-EDGECP-FP000000141.zip

- -- OR

  o Apply Fix Pack 15 (8.5.5.15), or later (targeted availability 1Q2019).

 
For V8.0.0.0 through 8.0.0.15:

  o Upgrade to 8.0.0.15 fix pack level and then apply Interim Fix
    8.0.0-WS-EDGECP-FP000000151.zip

WebSphere Application Server  V8 is no longer in full support; IBM recommends
upgrading to a fixed, supported version/release/platform of the product.


Change History

01 October 2018: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
