ESB-2019.0725 - [Win][Linux][AIX] IBM InfoSphere Optim Performance Manager: Multiple vulnerabilities 2019-03-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0725
           Security Bulletin: Eclipse OpenJ9 jio_snprintf() and
                    jio_vsnprintf() buffer overflow and
                               7 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Optim Performance Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12547 CVE-2018-1890 

Reference:         ESB-2019.0698
                   ESB-2019.0665

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10874706

Comment: At the time of the advisory the title from the original bulletin 
         was truncated at 'and'

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Eclipse OpenJ9 jio_snprintf() and jio_vsnprintf() buffer
overflow and

Document information

More support for: InfoSphere Optim Performance Manager

Software version: 4.1, 4.1.0.1, 4.1.1, 5.1, 5.1.1, 5.1.1.1, 5.2, 5.3, 5.3.1

Operating system(s): AIX, Linux, Windows

Reference #: 0874706

Modified date: 06 March 2019

Summary

In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and
jio_vsnprintf() native methods ignored the length parameter, so existing APIs
that called these functions could write beyond the allocated buffer. These
functions were not directly callable by non-native user code. The second CVE,
CVE-2018-1890, has been reserved by an organization or individual that will use
it when announcing a new security problem; when the candidate has been
publicized, the details for this candidate will be provided.

Vulnerability Details

CVEID: CVE-2018-12547
DESCRIPTION: In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf()
and jio_vsnprintf() native methods ignored the length parameter, so existing
APIs that called these functions could write beyond the allocated buffer. These
functions were not directly callable by non-native user code.
CVSS Base Score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for the current
score
CVSS Environmental Score*: Undefined
CVSS Attack Vector: Network
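
The defect class above is a formatting wrapper that discards its `count`
argument. The following is an added illustration, not OpenJ9 or IBM code: a
hypothetical `safe_jio_vsnprintf()` that honours the length parameter, and a
guard-byte check showing that an over-long input is truncated rather than
written past the buffer. Treating truncation as a -1 return is an assumption
chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a bounded vsnprintf-style wrapper that honours its
 * length parameter, unlike the pre-0.12.0 behaviour the advisory describes.
 * The names are hypothetical; this is not OpenJ9 source. */
int safe_jio_vsnprintf(char *buf, size_t count, const char *fmt, va_list ap)
{
    if (buf == NULL || count == 0)
        return -1;                         /* no room to write even a NUL */
    int needed = vsnprintf(buf, count, fmt, ap);   /* at most count-1 chars + NUL */
    if (needed < 0) {
        buf[0] = '\0';                     /* encoding error: leave a valid string */
        return -1;
    }
    /* Assumption for this example: signal truncation with -1 so callers
     * cannot mistake the would-be length for bytes actually written. */
    return (size_t)needed < count ? needed : -1;
}

int safe_jio_snprintf(char *buf, size_t count, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = safe_jio_vsnprintf(buf, count, fmt, ap);
    va_end(ap);
    return r;
}

/* Places a guard byte directly after a 16-byte buffer and formats a much
 * longer constructed string into it. Returns 1 when the guard is intact,
 * the result is NUL-terminated and truncation was reported. */
int demo_overlong_write(void)
{
    struct { char buf[16]; char guard; } s;
    s.guard = 0x5A;
    const char *long_input = "this constructed string is far longer than 16 bytes";
    int r = safe_jio_snprintf(s.buf, sizeof s.buf, "%s", long_input);
    return r == -1 && s.guard == 0x5A && strlen(s.buf) == sizeof s.buf - 1;
}
```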

CVEID: CVE-2018-1890
DESCRIPTION: This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVSS Base Score: 5.6
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2018-1890 for the
current score
CVSS Environmental Score*: Undefined
CVSS Attack Vector: Undefined

Affected Products and Versions

IBM and Eclipse Foundation OpenJ9 0.8

IBM SDK, Java Technology Edition 6.0,7.0,8.0

Remediation/Fixes

You must replace the IBM(R) Runtime Environment, Java(TM) Technology Edition that
is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux,
UNIX, and Windows with the latest IBM(R) Runtime Environment, Java(TM) Technology
Edition. Detailed instructions are provided in the tech-note: "Updating the
IBM Runtime Environment, Java(TM) Technology Edition for InfoSphere Optim
Performance Manager".

Workarounds and Mitigations

N/A


Change History

None

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
