ESB-2019.0573 - [Linux] IBM Guardium Sniffer: Denial of service - Existing account 2019-02-26

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0573
       i-series IBM iSTAP can cause the Guardium Sniffer v10.0p4042
                           to frequently restart
                             26 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Guardium Sniffer
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872672

--------------------------BEGIN INCLUDED TEXT--------------------

i-series IBM iSTAP can cause the Guardium Sniffer v10.0p4042 to frequently 
restart

Document information

More support for: IBM Security Guardium

Software version: All Versions

Operating system(s): IBM i

Reference #: 0872672

Modified date: 25 February 2019

Flashes (Alerts)

Content

The problem was noted on a v10.6 Collector with Sniffer patch p4042 
installed. The STAP noted was iSTAP (TAP_VERSION=Guardium_DB2 for i 
S-TAP_2_10.0.0_r79963_trunk_1).

For example, the following can be seen in the syslog (messages) file:

<datetime> <hostname> GuardiumSniffer[4217]: Guardium Sniffer license verified.

<datetime> <hostname> GuardiumSniffer[4217]: Starting UTAP_SERVER

<datetime> <hostname> GuardiumSniffer[4217]: Starting WTAP_SERVER

<datetime> <hostname> kernel: TapServerThread[4325]: segfault at 38 ip 000000000059df87 sp 00007f6e89a192a0 error 6 in snif[400000+51eb000]

<datetime> <hostname> init: guard-snif main process (4217) killed by SEGV signal

<datetime> <hostname> init: guard-snif main process ended, respawning

<datetime> <hostname> snif: Guardium Sniffer Started

<datetime> <hostname> GuardiumSniffer[4472]: Guardium Sniffer license verified.

<datetime> <hostname> GuardiumSniffer[4472]: Starting WTAP_SERVER

<datetime> <hostname> GuardiumSniffer[4472]: Starting UTAP_SERVER

<datetime> <hostname> kernel: TapServerThread[4545]: segfault at 38 ip 000000000059df87 sp 00007f407250a2a0 error 6 in snif[400000+51eb000]

<datetime> <hostname> init: guard-snif main process (4472) killed by SEGV signal

<datetime> <hostname> init: guard-snif main process ended, respawning

<datetime> <hostname> snif: Guardium Sniffer Started

<datetime> <hostname> GuardiumSniffer[4694]: Guardium Sniffer license verified.

<datetime> <hostname> GuardiumSniffer[4694]: Starting WTAP_SERVER

<datetime> <hostname> GuardiumSniffer[4694]: Starting UTAP_SERVER

<datetime> <hostname> kernel: TapServerThread[4766]: segfault at 38 ip 000000000059df87 sp 00007fe5b8afc2a0 error 6 in snif[400000+51eb000]

<datetime> <hostname> init: guard-snif main process (4694) killed by SEGV signal

<datetime> <hostname> init: guard-snif main process ended, respawning

<datetime> <hostname> snif: Guardium Sniffer Started
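
Added triage example (not part of the IBM or AusCERT text): a Python script that groups kernel segfault lines by crash site and flags a respawn loop like the one in the excerpt above. The function names, the threshold, the timestamps and the host name are assumptions, and the error-code decoding assumes an x86 collector.

```python
import re
from collections import Counter

SEGFAULT = re.compile(
    r"kernel: (?P<thread>[^\[\s]+)\[\d+\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+) "
    r"in (?P<image>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]")
RESPAWN = re.compile(r"init: guard-snif main process ended, respawning")

def decode_error(code):
    """Decode the x86 page-fault error code bits (assumes an x86 collector)."""
    return ("user" if code & 4 else "kernel",
            "write" if code & 2 else "read",
            "protection violation" if code & 1 else "page not present")

def analyse(log_text):
    """Group segfaults by (thread, image, offset into image); count respawns."""
    sites, info, respawns = Counter(), {}, 0
    for line in log_text.splitlines():
        m = SEGFAULT.search(line)
        if m:
            # ip minus the image base gives an offset comparable across restarts
            offset = int(m["ip"], 16) - int(m["base"], 16)
            key = (m["thread"], m["image"], offset)
            sites[key] += 1
            info[key] = (int(m["addr"], 16), decode_error(int(m["err"])))
        elif RESPAWN.search(line):
            respawns += 1
    return sites, info, respawns

def crash_loops(log_text, threshold=3):
    """Crash sites hit at least `threshold` times while init kept respawning."""
    sites, info, respawns = analyse(log_text)
    if respawns < threshold:
        return []
    return [(key, n, info[key]) for key, n in sites.items() if n >= threshold]

# Constructed sample: PIDs, TIDs and stack pointers are from the excerpt above;
# the timestamps and the host name "coll01" are made up.
CYCLES = [(4217, 4325, "00007f6e89a192a0"), (4472, 4545, "00007f407250a2a0"),
          (4694, 4766, "00007fe5b8afc2a0")]
SAMPLE = "".join(
    f"Feb 20 10:0{i}:01 coll01 GuardiumSniffer[{pid}]: Starting UTAP_SERVER\n"
    f"Feb 20 10:0{i}:02 coll01 kernel: TapServerThread[{tid}]: segfault at 38 ip "
    f"000000000059df87 sp {sp} error 6 in snif[400000+51eb000]\n"
    f"Feb 20 10:0{i}:02 coll01 init: guard-snif main process ({pid}) killed by SEGV signal\n"
    f"Feb 20 10:0{i}:02 coll01 init: guard-snif main process ended, respawning\n"
    for i, (pid, tid, sp) in enumerate(CYCLES))

if __name__ == "__main__":
    for (thread, image, off), n, (addr, err) in crash_loops(SAMPLE):
        print(f"{thread} in {image}+{off:#x}: {n} crashes, fault at {addr:#x}, {err}")
```

The identical instruction pointer and fault address across restarts indicate that every respawn hits the same crash site, so the restarts will not clear on their own.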

Remediation

A coded fix has been identified which will be included in an ad-hoc patch 
later than Sniffer version v10.0p4042.

Customers planning to upgrade to Sniffer patch p4042 should contact IBM for an
ad-hoc patch which will contain the p4042 fixes plus the fix for this i-series
problem.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================