ESB-2018.3739.2 - UPDATE [Win] IBM Rational Asset Analyzer: Multiple vulnerabilities 2018-12-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3739.2
             Rational Asset Analyzer receives security update
                              5 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Asset Analyzer
Publisher:         IBM
Operating System:  Windows
                   z/OS
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated      
                   Modify Arbitrary Files -- Remote/Unauthenticated      
                   Delete Arbitrary Files -- Remote/Unauthenticated      
                   Cross-site Scripting   -- Remote with User Interaction
                   Unauthorised Access    -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3180 CVE-2018-1767 CVE-2018-1683
                   CVE-2017-3736 CVE-2017-3732 CVE-2014-7810

Reference:         ESB-2015.1827
                   ESB-2015.1822

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10743113
   https://www.ibm.com/support/docview.wss?uid=ibm10743071
   https://www.ibm.com/support/docview.wss?uid=ibm10743097
   https://www.ibm.com/support/docview.wss?uid=ibm10743133
   https://www.ibm.com/support/docview.wss?uid=ibm10743105

Comment: This bulletin contains five (5) IBM security advisories.

Revision History:  December 5 2018: Added four new advisories
                   December 3 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Rational Asset Analyzer

Document information
Software version: All Versions
Operating system(s): Windows, z/OS
Reference #: 0743113
Modified date: 30 November 2018

Summary

Rational Asset Analyzer (RAA) has addressed the following vulnerability: Apache
Tomcat (used by WAS Liberty) could allow a remote attacker to bypass security
restrictions, caused by the use of expression language. An attacker could
exploit this vulnerability to bypass the protections of a Security Manager.

Vulnerability Details

CVEID: CVE-2014-7810
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security
restrictions, caused by the use of expression language. An attacker could
exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
103155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

                        Product                           Affected Versions

Rational Asset Analyzer                                   6.1.0.0 - 6.1.0.18


Remediation/Fixes

Product                  VRMF       APAR    Remediation / First Fix

Rational Asset Analyzer  6.1.0.19      -     RAA 6.1 Fix Pack 19


Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in IBM Java Runtime affects Rational Asset
Analyzer (RAA).

Document information
Software version:    All Versions
Operating system(s): Windows, z/OS
Reference #:         0743071
Modified date:       04 December 2018

Summary

There is a vulnerability in IBM Runtime Environment Java Version 8.5.15 used by
Rational Asset Analyzer. Rational Asset Analyzer has addressed the applicable
CVE.

Vulnerability Details

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JSSE component could allow an unauthenticated
attacker to cause low confidentiality impact, low integrity impact, and low
availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151497 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

                        Product                         Affected Versions

Rational Asset Analyzer                                 6.1.0.0 - 6.1.0.18

Remediation/Fixes

Product                 VRMF     APAR Remediation / First Fix

Rational Asset Analyzer 6.1.0.19 -    RAA 6.1 Fix Pack 19

Workarounds and Mitigations

None

- -------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational
Asset Analyzer (RAA).

Document information
Software version:    All Versions
Operating system(s): Windows, z/OS
Reference #:         0743097
Modified date:       04 December 2018

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Version
8.5.15 used by Rational Asset Analyzer. Rational Asset Analyzer has addressed
the applicable CVEs.

Vulnerability Details

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagating bug in the x86_64 Montgomery
squaring procedure. An attacker could exploit this vulnerability to obtain
information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

                        Product                         Affected Versions

Rational Asset Analyzer                                 6.1.0.0 - 6.1.0.18

Remediation/Fixes

Product                 VRMF         APAR     Remediation / First Fix

Rational Asset Analyzer 6.1.0.19         -    RAA 6.1 Fix Pack 19

Workarounds and Mitigations

None

- -------------------------------------------------------------------------------

Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS Liberty
vulnerability.

Document information
Software version: All Versions
Operating system(s): Windows, z/OS
Reference #: 0743133
Modified date: 04 December 2018

Summary

Rational Asset Analyzer has addressed the following vulnerability. IBM
WebSphere Application Server Liberty could allow a remote attacker to obtain
sensitive information, caused by the failure to encrypt ORB communication.

Vulnerability Details

CVEID: CVE-2018-1683
DESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote
attacker to obtain sensitive information, caused by the failure to encrypt ORB
communication.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
145455 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

                        Product                             Affected Versions

Rational Asset Analyzer                                     6.1.0.0 - 6.1.0.18

Remediation/Fixes

Product                  VRMF       APAR    Remediation / First Fix

Rational Asset Analyzer  6.1.0.19      -     RAA 6.1 Fix Pack 19

Workarounds and Mitigations

None

- -------------------------------------------------------------------------------

Security Bulletin: Rational Asset Analyzer (RAA) is affected by an XSS
vulnerability.

Document information
Software version: All Versions
Operating system(s): Windows, z/OS
Reference #: 0743105
Modified date: 04 December 2018

Summary

Rational Asset Analyzer (RAA) has addressed the following vulnerability. IBM
WebSphere Application Server Cachemonitor is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.

Vulnerability Details

CVEID: CVE-2018-1767
DESCRIPTION: IBM WebSphere Application Server Cachemonitor is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148621 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

                        Product                         Affected Versions

Rational Asset Analyzer                                 6.1.0.0 - 6.1.0.18

Remediation/Fixes

Product                 VRMF         APAR     Remediation / First Fix

Rational Asset Analyzer 6.1.0.19         -    RAA 6.1 Fix Pack 19

Workarounds and Mitigations

None.

Acknowledgement

The vulnerability was reported to IBM by vah13.

- --------------------------END INCLUDED TEXT--------------------
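Two checks a reader of the five advisories above will want to run before filing the upgrade: whether an installed RAA build actually falls inside the affected range 6.1.0.0 - 6.1.0.18 (VRMFs must be compared field by field as integers, because as strings "6.1.0.9" sorts after "6.1.0.18"), and whether the CVSS v3.0 vectors printed in each advisory reproduce the published base scores, which catches transcription errors and gives a starting point for re-rating with local environmental metrics. The script below is an added example written for this page; it is not IBM or AusCERT code. It assumes the CVSS v3.0 base-score formula and metric weights from the public specification, and the vectors, scores and version range are copied from the advisories above; the sample builds fed to it in the usage block are constructed.

```python
"""Added triage helper for the RAA bulletin above (not IBM or AusCERT code).

  1. needs_fix(): is an installed RAA VRMF inside 6.1.0.0 - 6.1.0.18?
  2. cvss3_base_score(): recompute each advisory's CVSS v3.0 base score
     from its vector and compare with the published value.
"""
import math
import re
from typing import Tuple

# --- 1. VRMF range check -----------------------------------------------

def parse_vrmf(vrmf: str) -> Tuple[int, ...]:
    """'6.1.0.18' -> (6, 1, 0, 18); missing trailing fields are padded with 0."""
    parts = vrmf.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF: {vrmf!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def needs_fix(installed: str, first_affected: str = "6.1.0.0",
              last_affected: str = "6.1.0.18") -> bool:
    """True when the installed build is inside the bulletin's affected range.
    Defaults are the range stated in all five advisories above."""
    return parse_vrmf(first_affected) <= parse_vrmf(installed) <= parse_vrmf(last_affected)

# --- 2. CVSS v3.0 base score --------------------------------------------
# Metric weights as defined in the CVSS v3.0 specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # scope unchanged
_PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def parse_vector(vector: str) -> dict:
    """Accepts 'CVSS:3.0/AV:N/...' with or without the parentheses IBM prints."""
    m = re.search(r"CVSS:3\.[01]/(.+)", vector.strip("() "))
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(item.split(":", 1) for item in m.group(1).split("/"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - set(metrics)
    if missing:
        raise ValueError(f"vector missing {sorted(missing)}")
    return metrics

def _roundup(x: float) -> float:
    """CVSS v3.0 Roundup: smallest value with one decimal that is >= x."""
    return math.ceil(x * 10) / 10

def cvss3_base_score(vector: str) -> float:
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_C if changed else _PR_U)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))

# Vectors and published scores copied from the five advisories above.
BULLETIN_VECTORS = {
    "CVE-2018-3180": ("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", 5.6),
    "CVE-2017-3736": ("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 5.9),
    "CVE-2017-3732": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 5.3),
    "CVE-2018-1683": ("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 5.9),
    "CVE-2018-1767": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1),
}

def verify_bulletin() -> dict:
    """Map each CVE to (computed score, published score, scores agree)."""
    out = {}
    for cve, (vector, published) in BULLETIN_VECTORS.items():
        computed = cvss3_base_score(vector)
        out[cve] = (computed, published, computed == published)
    return out

if __name__ == "__main__":
    # Constructed sample builds; only the last one is already at Fix Pack 19.
    for build in ("6.1.0.9", "6.1.0.18", "6.1.0.19"):
        print(build, "needs RAA 6.1 Fix Pack 19" if needs_fix(build) else "not affected")
    for cve, (computed, published, ok) in verify_bulletin().items():
        print(f"{cve}: computed {computed} published {published} {'OK' if ok else 'MISMATCH'}")
```

CVE-2014-7810 is scored with a CVSS v2 vector and is deliberately left out of the v3 table; all five advisories share the same remediation, so a single range check is enough to decide whether RAA 6.1 Fix Pack 19 applies.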

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
