ESB-2019.0433 - [Linux][RedHat] IBM Application Integration and Connectivity: Multiple vulnerabilities 2019-02-12



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0433
       IBM MQ Advanced Cloud Paks are vulnerable to multiple issues
                         within the systemd package
                             12 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Application Integration and Connectivity
Publisher:         IBM
Operating System:  Linux variants
                   Red Hat
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16866 CVE-2018-16865 CVE-2018-16864

Reference:         ESB-2019.0125
                   ESB-2019.0126.2
                   ESB-2018.3569.3

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10870480

--------------------------BEGIN INCLUDED TEXT--------------------

IBM MQ Advanced Cloud Paks are vulnerable to multiple issues within the
systemd package (CVE-2018-16866 CVE-2018-16864 CVE-2018-16865)

Product:             Application Integration and Connectivity

Component:           all

Software version:    1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 2.0.0,
                     2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1

Operating system(s): Linux, RedHat OpenShift

Reference #:         0870480

Security Bulletin

Summary

Multiple vulnerabilities were identified in the systemd package that is
included in all versions of the IBM MQ CloudPak.

Vulnerability Details

CVEID: CVE-2018-16866
DESCRIPTION: systemd could allow a local attacker to obtain sensitive
information, caused by an out-of-bounds read in journald. By sending
specially-crafted command arguments, an attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
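Where an out-of-bounds read of this kind comes from, as an added illustration that is not code from systemd, from IBM or from this bulletin: a log receiver that parses the syslog identifier prefix ("ident[pid]: message") out of a length-delimited datagram must compare every index against the buffer length before reading the byte at it, including the byte after ']'. The parser, the struct name and the sample lines below are all constructed for this example and do not reproduce journald's code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of splitting a syslog-style prefix "ident[pid]: message".
 * Lengths are explicit because a received datagram is a byte buffer with
 * a length, not a NUL-terminated string; every read is checked against
 * that length. (Constructed type for this example.) */
struct syslog_id {
    const char *ident; size_t ident_len;
    const char *pid;   size_t pid_len;
    const char *msg;   size_t msg_len;
};

/* Bounds-checked parser. On malformed or truncated input the whole buffer
 * is reported as the message and no identifier is set. Returns 1 when an
 * identifier was found, 0 otherwise. Illustrative code, not journald's. */
static int parse_syslog_identifier(const char *buf, size_t len, struct syslog_id *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    out->msg = buf; out->msg_len = len;

    /* identifier: run of bytes up to '[', ':' or space */
    while (i < len && buf[i] != '[' && buf[i] != ':' && buf[i] != ' ')
        i++;
    if (i == 0 || i >= len) return 0;          /* no ident, or ident runs to end */
    size_t ident_end = i;

    size_t pid_start = 0, pid_end = 0;
    if (buf[i] == '[') {
        pid_start = ++i;
        while (i < len && buf[i] != ']')
            i++;
        if (i >= len) return 0;                /* ']' missing: truncated input */
        pid_end = i;
        i++;                                   /* step past ']' ... */
        /* ... and only read the byte after it if it exists. Omitting this
         * check is exactly how a buffer that ends on ']' yields an
         * out-of-bounds read. */
        if (i >= len) return 0;
    }
    if (buf[i] != ':') return 0;
    i++;
    if (i < len && buf[i] == ' ') i++;

    out->ident = buf; out->ident_len = ident_end;
    out->pid = pid_start ? buf + pid_start : NULL;
    out->pid_len = pid_end - pid_start;
    out->msg = buf + i; out->msg_len = len - i;
    return 1;
}

/* Convenience wrapper for callers holding a NUL-terminated string. */
static int parse_syslog_identifier_str(const char *s, struct syslog_id *out)
{
    return parse_syslog_identifier(s, strlen(s), out);
}

int main(void)
{
    /* Constructed sample datagrams, including one that ends exactly on ']'. */
    const char *samples[] = { "sshd[1234]: Accepted publickey", "kernel: oops", "cron[77]" };
    for (size_t n = 0; n < 3; n++) {
        struct syslog_id id;
        int ok = parse_syslog_identifier_str(samples[n], &id);
        printf("%-32s -> ok=%d ident=%.*s pid=%.*s msg=%.*s\n", samples[n], ok,
               (int)id.ident_len, id.ident ? id.ident : "",
               (int)id.pid_len, id.pid ? id.pid : "",
               (int)id.msg_len, id.msg);
    }
    return 0;
}
```

The third sample ("cron[77]") is the boundary case: the closing bracket is the last byte, so the parser refuses to look for the ':' that would follow it and hands the whole buffer back as the message instead of reading one byte past the end.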

CVEID: CVE-2018-16865
DESCRIPTION: systemd is vulnerable to a denial of service, caused by a memory
corruption flaw in journald when calling the alloca function with an
attacker-controlled size. By sending specially-crafted command arguments, a
local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-16864
DESCRIPTION: systemd is vulnerable to a denial of service, caused by a memory
corruption flaw in journald when a process calls the syslog function with
specially-crafted command arguments. A local attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
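CVE-2018-16865 and CVE-2018-16864 are both described above as memory corruption that arises when alloca() is given a size derived from input the logging process controls (a field value, or its own command line). As an added example that is not code from systemd, from IBM or from this bulletin, the following shows that pattern beside a hardened form. The cap MAX_FIELD_LEN, the function names and the constructed "CMDLINE" values are assumptions made for the illustration; the unsafe function is deliberately never called with an oversized value.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a single log-field value, chosen for this example;
 * it is not a limit taken from systemd or from the IBM bulletin. */
#define MAX_FIELD_LEN 4096

/* Vulnerable pattern: the buffer size comes from caller-controlled input
 * and is placed on the stack with alloca(). alloca() cannot fail or report
 * an error: a length larger than the remaining stack simply moves the
 * stack pointer past the guard page, and the first write then corrupts
 * memory or crashes the process. Returns the length of the formatted
 * field (stand-in for "emit the record"). */
static size_t format_field_unsafe(const char *key, const char *value)
{
    size_t klen = strlen(key), vlen = strlen(value);
    char *buf = alloca(klen + 1 + vlen + 1);   /* attacker controls vlen */
    memcpy(buf, key, klen);
    buf[klen] = '=';
    memcpy(buf + klen + 1, value, vlen + 1);
    return strlen(buf);
}

/* Hardened pattern: reject oversized input up front and take the buffer
 * from the heap, where allocation failure is reported instead of silently
 * corrupting the stack. Returns the malloc'd "key=value" string, or NULL
 * with *err set (1: value too long, 2: allocation failed). */
static char *format_field_safe(const char *key, const char *value, int *err)
{
    size_t klen = strlen(key), vlen = strlen(value);
    *err = 0;
    if (vlen > MAX_FIELD_LEN) {
        *err = 1;          /* caller drops or truncates; it never alloca()s */
        return NULL;
    }
    char *buf = malloc(klen + 1 + vlen + 1);
    if (!buf) { *err = 2; return NULL; }
    memcpy(buf, key, klen);
    buf[klen] = '=';
    memcpy(buf + klen + 1, value, vlen + 1);
    return buf;
}

/* Builds a constructed value of n bytes ('A' repeated) for the demo. */
static char *make_value(size_t n)
{
    char *v = malloc(n + 1);
    if (!v) return NULL;
    memset(v, 'A', n);
    v[n] = '\0';
    return v;
}

int main(void)
{
    int err;
    char *small = make_value(16);
    char *huge  = make_value(MAX_FIELD_LEN + 1);

    printf("unsafe, small value: %zu bytes\n", format_field_unsafe("CMDLINE", small));
    /* format_field_unsafe("CMDLINE", <multi-megabyte value>) would move the
     * stack pointer over the guard page; it is deliberately not called. */

    char *ok = format_field_safe("CMDLINE", small, &err);
    printf("safe, small value: %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = format_field_safe("CMDLINE", huge, &err);
    printf("safe, oversized value: %s (err=%d)\n", bad ? bad : "rejected", err);
    free(bad);

    free(small);
    free(huge);
    return 0;
}
```

The point of the hardened form is not the heap by itself but the explicit ceiling: a fixed upper bound on attacker-influenced sizes, enforced before any allocation, turns a stack clash into an ordinary rejected record.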


Affected Products and Versions

IBM MQ Advanced Cloud Pak (IBM Cloud Private, all platforms) Continuous
Delivery

v2.0.0 - v2.2.1

IBM MQ Advanced Cloud Pak (IBM Cloud Private on RedHat OpenShift) Continuous
Delivery

v2.1.0 - v2.2.0


Remediation/Fixes

IBM MQ Advanced Cloud Pak (IBM Cloud Private, all platforms) Continuous
Delivery

Apply Fix IBM-MQ-Adv-Cloud-Pak-2.2.2 to upgrade to version v2.2.2

IBM MQ Advanced Cloud Pak (IBM Cloud Private on RedHat OpenShift) Continuous
Delivery

Apply Fix IBM-MQ-Adv-Cloud-Pak-2.2.1-RHOS to upgrade to version v2.2.1


Workarounds and Mitigations

None


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Support for IBM MQ CloudPak versions
The support lifecycle for IBM MQ CloudPaks is tied directly to the support
lifecycle of the IBM MQ version that runs within the CloudPak. When the
underlying MQ version goes out of support, the CloudPak automatically goes
out of support. IBM MQ CloudPaks are only available with Continuous Delivery
versions of IBM MQ and so follow the IBM MQ Continuous Delivery support
lifecycle.
The version number of a CloudPak indicates what kind of change has been made
between different versions. CloudPaks use semantic versioning (semver), which
does not correlate directly to the V.R.M.F version used by IBM MQ.
For reference, the table below shows which versions of IBM MQ are available
with which version of CloudPak; this can be used to determine whether the
version of CloudPak you are using is still in support:
                      IBM MQ CloudPak and IBM MQ versions
+---------+---------------------------+---------------------------------------+
| IBM MQ  |  IBM MQ CloudPak for IBM  | IBM MQ CloudPak for IBM Cloud Private |
| Version |   Cloud Private Version   |      on RedHat OpenShift Version      |
+---------+---------------------------+---------------------------------------+
|9.1.1    |2.2.0 and later            |2.2.0 and later                        |
+---------+---------------------------+---------------------------------------+
|9.1.0    |2.0.0 - 2.1.0              |2.1.0                                  |
+---------+---------------------------+---------------------------------------+
|9.0.5    |1.3.0                      |N/A                                    |
+---------+---------------------------+---------------------------------------+
|9.0.4    |1.2.0 - 1.2.2              |N/A                                    |
+---------+---------------------------+---------------------------------------+
|9.0.3    |1.0.0 - 1.1.0              |N/A                                    |
+---------+---------------------------+---------------------------------------+

Change History

8 February 2019: Original Version published


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
