ESB-2019.0662 - [Linux] IBM Cloud Private: Multiple vulnerabilities 2019-03-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0662
 IBM Security Bulletin: Security vulnerabilities affect IBM Cloud Private
                               4 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
                   Access Privileged Data         -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1939 CVE-2018-1938 CVE-2018-1937

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10871652
   http://www.ibm.com/support/docview.wss?uid=ibm10871770
   http://www.ibm.com/support/docview.wss?uid=ibm10871766

---------------------------BEGIN INCLUDED TEXT--------------------

IBM Cloud Private middleware is vulnerable to attack from redirect calls

Product:             IBM Cloud Private

Software version:    All Versions

Operating system(s): Linux

Software edition:    3.1.1

Reference #:         0871652

Security Bulletin

Summary

IBM Cloud Private middleware is vulnerable to attack from redirect calls

Vulnerability Details

CVEID: CVE-2018-1939
DESCRIPTION: IBM Cloud Private could allow a remote attacker to conduct
phishing attacks, using an open redirect attack. By persuading a victim to
visit a specially-crafted Web site, a remote attacker could exploit this
vulnerability to spoof the URL displayed to redirect a user to a malicious Web
site that would appear to be trusted. This could allow the attacker to obtain
highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
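As an added illustration of the defect class described above (example code written for this bulletin, not IBM's code and not the patched Platform-ui component), the validator below constrains a user-supplied redirect target to the application's own host and rejects the usual bypasses; ALLOWED_HOSTS, the base URL and the function names are assumed values.

```python
from urllib.parse import urlsplit, urljoin

# Hosts the application may redirect to (constructed example value).
ALLOWED_HOSTS = {"console.example.internal"}


def is_safe_redirect(target: str, base_url: str = "https://console.example.internal/") -> bool:
    """Return True only if `target` resolves to an allowed host over HTTPS.

    Rejects absolute URLs to foreign hosts, protocol-relative '//host' targets,
    backslash variants that browsers normalise to '/', userinfo tricks such as
    'https://allowed@evil/', and non-http(s) schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers treat '\' like '/' when parsing the authority, so normalise it
    # first; otherwise '/\evil.example' would look like a relative path.
    normalised = target.strip().replace("\\", "/")
    if normalised.startswith("//"):
        return False  # protocol-relative URL: scheme-less jump to another host
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # Resolve relative targets against the application's own base URL, then
    # check the *effective* host and scheme rather than the raw string.
    resolved = urlsplit(urljoin(base_url, normalised))
    # .hostname takes the part after any '@', so userinfo cannot spoof the host.
    return resolved.scheme == "https" and resolved.hostname in ALLOWED_HOSTS


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a local fallback path."""
    return target if is_safe_redirect(target) else fallback
```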

Affected Products and Versions

IBM Cloud Private 3.1.1

Remediation/Fixes

For IBM Cloud Private 3.1.1, apply this patch

  o IBM Cloud Private 3.1.1 Patch - Platform-ui

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

02 March 2019 - original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

===============================================================================

A Security Vulnerability affects IBM Cloud Private - CVE-2018-1938

Product:             IBM Cloud Private

Software version:    3.1.1

Operating system(s): Linux

Reference #:         0871770

Security Bulletin

Summary

Intra-service communications to the IBM Cloud Private Identity and Access
Management (IAM) pdp service use HTTP

Vulnerability Details

CVEID: CVE-2018-1938
DESCRIPTION: IBM Cloud Private could allow a local user with administrator
privileges to intercept highly sensitive unencrypted data.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Cloud Private 3.1.1

Remediation/Fixes

For IBM Cloud Private 3.1.1:
- Encrypt cluster data network traffic with IPsec as described in the IBM Cloud
  Private Knowledge Center. This will create encrypted channels between all nodes
  and the services running on those nodes.
or
- Upgrade to version 3.1.2, which can be obtained from IBM Passport Advantage.

Workarounds and Mitigations

See Remediation/Fixes

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

02 March 2019 - original document published

===============================================================================

A Security Vulnerability affects IBM Cloud Private - CVE-2018-1937

Product:             IBM Cloud Private

Software version:    3.1.1

Operating system(s): Linux

Reference #:         0871766

Security Bulletin

Summary

Intra-service communications between the IBM Cloud Private Identity and Access
Management (IAM) service and OpenShift use HTTP

Vulnerability Details

CVEID: CVE-2018-1937
DESCRIPTION: IBM Cloud Private could allow a local user with administrator
privileges to intercept highly sensitive unencrypted data.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Cloud Private 3.1.1

Remediation/Fixes

For IBM Cloud Private 3.1.1:
- Encrypt cluster data network traffic with IPsec as described in the IBM Cloud
  Private Knowledge Center. This will create encrypted channels between all nodes
  and the services running on those nodes.
or
- Upgrade to version 3.1.2, which can be obtained from IBM Passport Advantage.

Workarounds and Mitigations

See Remediation/Fixes

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

02 March 2019 - original document published

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================