ESB-2019.0595 - [Linux][RedHat] IBM MQ Advanced CloudPaks: Denial of service - Existing account 2019-02-27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0595
IBM Security Bulletin: IBM MQ Advanced CloudPaks are vulnerable to a denial
       of service attack within the Systemd package (CVE-2019-6454)
                             27 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MQ Advanced CloudPaks
Publisher:         IBM
Operating System:  Red Hat
                   Linux variants
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6454  

Reference:         ESB-2019.0554
                   ESB-2019.0510.2
                   ESB-2019.0503.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872870

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM MQ Advanced CloudPaks are vulnerable to a denial of service attack within
the Systemd package (CVE-2019-6454)

Product:             Application Integration and Connectivity

Component:           all

Software version:    1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 2.0.0,
                     2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2

Operating system(s): Linux, RedHat OpenShift

Software edition:    all

Reference #:         0872870

Security Bulletin

Summary

A denial of service attack was discovered in Systemd which is included with IBM
MQ CloudPaks.

Vulnerability Details

CVEID: CVE-2019-6454
DESCRIPTION: systemd is vulnerable to a denial of service, caused by a flaw in
the bus_process_object function in bus-objects.c. By sending a
specially-crafted DBUS message, a local authenticated attacker could exploit
this vulnerability to crash PID 1 and result in a subsequent kernel panic.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157193 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ Advanced CloudPak (IBM Cloud Private, all platforms) Continuous Delivery

v2.0.0 - v2.2.2

IBM MQ Advanced CloudPak (IBM Cloud Private on RedHat OpenShift) Continuous
Delivery

v2.1.0 - v2.2.1

Remediation/Fixes

IBM MQ Advanced CloudPak (IBM Cloud Private, all platforms) Continuous Delivery

Apply Fix IBM-MQ-Adv-Cloud-Pak-2.2.3 to upgrade to version v2.2.3

IBM MQ Advanced CloudPak (IBM Cloud Private on RedHat OpenShift) Continuous
Delivery

Apply Fix IBM-MQ-Adv-Cloud-Pak-2.2.2-RHOS to upgrade to version v2.2.2

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Support for IBM MQ CloudPak versions
The support lifecycle for IBM MQ CloudPaks is tied directly to the support
lifecycle of the IBM MQ version that runs within the CloudPak. When the
underlying MQ version goes out of support then the CloudPak will automatically
go out of support. IBM MQ CloudPaks are only available with Continuous Delivery
versions of IBM MQ and so follow the IBM MQ Continuous Delivery support
lifecycle.
The version number for the CloudPak provides an indication to customers on what
kind of change has been made between different versions. The versioning system
used in CloudPaks is the semver versioning system and does not correlate
directly to the V.R.M.F version used by IBM MQ.
For reference, the table below shows which versions of IBM MQ are available with
which version of CloudPak; this can be used to determine whether the version of
CloudPak you are using is still in support:
                      IBM MQ CloudPak and IBM MQ versions
+---------+---------------------------+---------------------------------------+
| IBM MQ  |  IBM MQ CloudPak for IBM  | IBM MQ CloudPak for IBM Cloud Private |
| Version |   Cloud Private Version   |      on RedHat OpenShift Version      |
+---------+---------------------------+---------------------------------------+
|9.1.1    |2.2.0 and later            |2.2.0 and later                        |
+---------+---------------------------+---------------------------------------+
|9.1.0    |2.0.0 - 2.1.0              |2.1.0                                  |
+---------+---------------------------+---------------------------------------+
|9.0.5    |1.3.0                      |N/A                                    |
+---------+---------------------------+---------------------------------------+
|9.0.4    |1.2.0 - 1.2.2              |N/A                                    |
+---------+---------------------------+---------------------------------------+
|9.0.3    |1.0.0 - 1.1.0              |N/A                                    |
+---------+---------------------------+---------------------------------------+
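
Because the CloudPak uses semver ranges while the fix names carry platform suffixes, checking a fleet of deployments by hand is error-prone. The script below is an added example, not IBM's or AusCERT's code: it encodes the ranges from the "Affected Products and Versions" and "Remediation/Fixes" sections and the CloudPak-to-MQ columns of the table above, and classifies each deployed version. The platform keys (`icp`, `icp-openshift`), the function names and the sample inventory are constructed for illustration.

```python
"""Triage deployed IBM MQ Advanced CloudPak versions against this bulletin (added example)."""
import re

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_semver(text):
    """Return (major, minor, patch) for a string such as 'v2.2.1' or '2.2.2-RHOS'.

    A suffix after '-' is accepted but ignored for ordering; the bulletin uses
    one only in the OpenShift fix name, not as a distinct version.
    """
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def in_range(version, low, high):
    """Inclusive range test; high=None means 'and later'."""
    v = parse_semver(version)
    if v < parse_semver(low):
        return False
    return high is None or v <= parse_semver(high)


# Per platform (keys are constructed): affected range and fix from the bulletin,
# plus the CloudPak -> IBM MQ column of the support table for that platform.
PLATFORMS = {
    "icp": {  # IBM Cloud Private, all platforms
        "affected": ("2.0.0", "2.2.2"),
        "fix": ("IBM-MQ-Adv-Cloud-Pak-2.2.3", "2.2.3"),
        "mq": [("2.2.0", None, "9.1.1"), ("2.0.0", "2.1.0", "9.1.0"),
               ("1.3.0", "1.3.0", "9.0.5"), ("1.2.0", "1.2.2", "9.0.4"),
               ("1.0.0", "1.1.0", "9.0.3")],
    },
    "icp-openshift": {  # IBM Cloud Private on RedHat OpenShift
        "affected": ("2.1.0", "2.2.1"),
        "fix": ("IBM-MQ-Adv-Cloud-Pak-2.2.2-RHOS", "2.2.2"),
        "mq": [("2.2.0", None, "9.1.1"), ("2.1.0", "2.1.0", "9.1.0")],
    },
}


def mq_version_for(platform, version):
    """IBM MQ release shipped in this CloudPak version, or None for 'N/A' cells."""
    for low, high, mq in PLATFORMS[platform]["mq"]:
        if in_range(version, low, high):
            return mq
    return None


def triage(platform, version):
    """Classify one deployment as affected, fixed, or outside the bulletin's ranges."""
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    p = PLATFORMS[platform]
    low, high = p["affected"]
    fix_name, fixed_version = p["fix"]
    if in_range(version, low, high):
        status, action = "affected", f"apply {fix_name} (upgrade to v{fixed_version})"
    elif parse_semver(version) >= parse_semver(fixed_version):
        status, action = "fixed", "none"
    else:
        status, action = "not listed", "outside the bulletin's affected ranges; confirm with the vendor"
    return {"platform": platform, "version": version, "status": status,
            "action": action, "mq_version": mq_version_for(platform, version)}


def triage_inventory(inventory):
    """Run triage over (platform, version) pairs; bad entries are reported, not dropped."""
    results = []
    for platform, version in inventory:
        try:
            results.append(triage(platform, version))
        except ValueError as exc:
            results.append({"platform": platform, "version": version, "status": "error",
                            "action": str(exc), "mq_version": None})
    return results


if __name__ == "__main__":
    # Constructed inventory for demonstration; not from the bulletin.
    sample = [("icp", "v2.2.1"), ("icp", "2.2.3"), ("icp-openshift", "2.1.0"),
              ("icp", "1.2.2"), ("icp-openshift", "latest")]
    for r in triage_inventory(sample):
        print(f"{r['platform']:14} {r['version']:8} {r['status']:11} "
              f"mq={r['mq_version']}  {r['action']}")
```

Note that the bulletin's "Software version" header lists 1.x releases while the "Affected Products and Versions" section names only 2.x ranges; the script follows the latter and reports 1.x deployments as "not listed" rather than silently treating them as safe.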

Change History

25 February 2019: Original Version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
