ESB-2019.1121 - [Linux][Appliance] IBM API Connect: Multiple vulnerabilities 2019-04-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1121
           IBM Security Bulletin: IBM API Connect is impacted by
              multiple open source software vulnerabilities.
                               3 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM API Connect
Publisher:         IBM
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11698 CVE-2018-11697 CVE-2018-11696
                   CVE-2018-11695 CVE-2018-11694 CVE-2018-11693
                   CVE-2018-11499 CVE-2018-0210 CVE-2018-0021
                   CVE-2017-0268 CVE-2016-10531 

Reference:         ASB-2017.0073
                   ESB-2018.1183
                   ESB-2018.0581

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10794165
   http://www.ibm.com/support/docview.wss?uid=ibm10878136

Comment: This bulletin contains two (2) advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM API Connect is impacted by multiple open source software vulnerabilities.

Product:             IBM API Connect

Software version:    5.0.8.0 - 5.0.8.4, 2018.1-2018.4.1.2

Operating system(s): Appliance, Linux

Reference #:         0794165

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-0268
DESCRIPTION: Microsoft Server Message Block 1.0 (SMBv1) could allow a remote
attacker to obtain sensitive information, caused by improper handling of
incoming requests. By sending specially-crafted packet data to the server, a
remote attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125554
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-0210
DESCRIPTION: Cisco Data Center Network Manager is vulnerable to cross-site
request forgery, caused by improper validation of user-supplied input by the
web-based management interface. By persuading a user to visit a malicious Web
site, a remote attacker could send a malformed HTTP request to perform
unauthorized actions. An attacker could exploit this vulnerability to perform
cross-site scripting attacks, Web cache poisoning, and other malicious
activities.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139992
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-0021
DESCRIPTION: Juniper Networks Junos OS is vulnerable to a man-in-the-middle
attack, caused by an error when configured with short MacSec keys. By using
brute-force techniques, a remote attacker from within the local network could
exploit this vulnerability to obtain the secret passphrases configured for
these keys.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141516
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-10531
DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting,
caused by improper validation of user-supplied input by the link components. A
remote attacker could exploit this vulnerability to inject malicious script
into a Web page which would be executed in a victim's Web browser within the
security context of the hosting Web site, once the page is viewed. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149101
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
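
The link-target check below is an added illustration of the defect class described for
CVE-2016-10531 and is not code from IBM, AusCERT or the marked project. It shows the
validation a Markdown renderer has to apply to a user-supplied link target before
emitting it as an href: resolve numeric character references, drop the control
characters and whitespace that browsers ignore when parsing a scheme, and then allow
only an explicit list of schemes. The function names, the scheme list and the sample
inputs are this example's own and are not taken from the bulletin.

```javascript
// Added example: validating a user-supplied Markdown link target before it
// becomes an href attribute. Not the marked project's code; the names, the
// allowed-scheme list and the normalisation rules are this example's own.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Resolve &#NNN; and &#xHH; references so an encoded "j" cannot hide a
// javascript: scheme from a naive prefix comparison.
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const codePoint = /^x/i.test(code)
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : '';
  });
}

// Browsers strip ASCII control characters and whitespace while parsing a URL
// scheme, so "java\tscript:" reaches the parser as "javascript:". Normalise
// the same way before deciding, then lower-case for the comparison.
function normaliseHref(href) {
  return decodeNumericEntities(href)
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
}

// True when the target is relative (no scheme) or uses an allowed scheme;
// false for javascript:, data:, vbscript: and anything else not listed.
function isSafeLinkHref(href) {
  if (typeof href !== 'string') return false;
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(normaliseHref(href));
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme[1]);
}

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Renderer hook: emit an anchor only when the target passes the check;
// otherwise keep the link text as plain text so the content survives but
// the href does not.
function renderLink(href, text) {
  if (!isSafeLinkHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}
```

The check is applied to the normalised form but the original href is what gets
escaped and emitted, so a target that only passes because of normalisation still
reaches the browser in the same shape the browser would have parsed it.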

CVEID: CVE-2018-11698
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive
information, caused by an out-of-bounds read of a memory region in the function
Sass::handle_error. By using a specially-crafted file, a remote attacker could
exploit this vulnerability to obtain sensitive information or cause a denial of
service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144297
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11499
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a
use-after-free in handle_error() in sass_context.cpp. A remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143880
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11693
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive
information, caused by an out-of-bounds read of a memory region in the function
Sass::Prelexer::skip_over_scopes. By using a specially-crafted file, a remote
attacker could exploit this vulnerability to obtain sensitive information or
cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144323
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11697
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive
information, caused by an out-of-bounds read of a memory region in the function
Sass::Prelexer::exactly(). By using a specially-crafted file, a remote attacker
could exploit this vulnerability to obtain sensitive information or cause a
denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144302
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11696
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL
pointer dereference in the function Sass::Inspect::operator. By using a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144308
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11694
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL
pointer dereference in the function Sass::Functions::selector_append. By using
a specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144317
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11695
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL
pointer dereference in the function Sass::Expand::operator. By using a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144311
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM API Connect version 5.0.8.0-5.0.8.4; 2018.1-2018.4.1.2

Remediation/Fixes

+------------------------+------------+-------+----------------------------------------------------------------------------------------------+
|Affected Product        |Addressed in|APAR   |Remediation/First Fix                                                                         |
|                        |VRMF        |       |                                                                                              |
+------------------------+------------+-------+----------------------------------------------------------------------------------------------+
|                        |            |       |Addressed in IBM API Connect V5.0.8.5 fix pack.                                               |
|                        |            |       |                                                                                              |
|IBM API Connect         |            |       |Follow this link and find the APIConnect-Portal package.                                      |
|5.0.8.0-5.0.8.4         |5.0.8.5     |LI80724|                                                                                              |
|                        |            |       |http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&                   |
|                        |            |       |product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all               |
|                        |            |       |&source=fc                                                                                    |
+------------------------+------------+-------+----------------------------------------------------------------------------------------------+
|                        |            |       |+-----------------------------------------------------------------------------+               |
|                        |            |       ||Addressed in IBM API Connect v2018.4.1.3 fix pack.                           |               |
|                        |            |       ||                                                                             |               |
|                        |            |       ||Management server and Analytics components are impacted.                     |               |
|                        |            |       ||                                                                             |               |
|IBM API Connect V2018.1 |2018.4.1.3  |LI80724||Follow this link and find the appropriate form factor for your installation: |               |
|- 2018.4.1.2            |fixpack     |       ||"management" , "analytics" or apicup* or *ICP* for 2018.4.1.3.               |               |
|                        |            |       ||                                                                             |               |
|                        |            |       ||http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&  |               |
|                        |            |       ||product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.2&platform=All&       |               |
|                        |            |       ||function=all&source=fc                                                       |               |
|                        |            |       |+-----------------------------------------------------------------------------+               |
+------------------------+------------+-------+----------------------------------------------------------------------------------------------+

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

April 1, 2018: Bulletin updated

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ------------------------------------------------------------------------------

API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122
CVE-2018-12121 CVE-2018-12123 CVE-2018-12116)

Product:             IBM API Connect

Software version:    5.0.8.0-5.0.8.5, 2018.1-2018.4.1.1

Operating system(s): Platform Independent

Reference #:         0878136

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-12122
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper
validation of HTTP headers. By sending headers very slowly keeping HTTP or
HTTPS connections and associated resources alive for a long period of time, a
remote attacker could exploit this vulnerability to cause a denial of service
condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153456
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-12121
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper
validation of HTTP headers. By sending specially-crafted HTTP requests with
maximum sized headers, a remote attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153455
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12123
DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by
improper input validation by the path option of an HTTP request. A remote
attacker could exploit this vulnerability to inject arbitrary HTTP requests and
cause the browser to send 2 HTTP requests, once the URL is clicked. This would
allow the attacker to perform further attacks, such as Web cache poisoning or
cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153457
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-12116
DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by
improper input validation by the path option of an HTTP request. A remote
attacker could exploit this vulnerability to inject arbitrary HTTP requests and
cause the browser to send 2 HTTP requests, once the URL is clicked. This would
allow the attacker to perform further attacks, such as Web cache poisoning or
cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153452
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.1|
+---------------------------+-----------------+
|IBM API Connect            |5.0.8.0-5.0.8.5  |
+---------------------------+-----------------+

Remediation/Fixes

+----------------+----------+-------+-----------------------------------------+
|    Affected    | Fixed in | APAR  |         Remediation / First Fix         |
|    releases    |   VRMF   |       |                                         |
+----------------+----------+-------+-----------------------------------------+
|                |          |       |Addressed in IBM API Connect             |
|                |          |       |v2018.4.1.2 fix pack.                    |
|                |          |       |                                         |
|                |          |       |Developer Portal is impacted.            |
|                |          |       |                                         |
|IBM API Connect |2018.4.1.2|       |Follow this link and find the appropriate|
|V2018.1-2018.4.1|fixpack   |LI80736|form factor for your installation:       |
|                |          |       |                                         |
|                |          |       |http://www.ibm.com/support/fixcentral/swg|
|                |          |       |/quickorderparent=ibm%7EWebSphere&       |
|                |          |       |product=ibm/WebSphere/IBM+API+Connect&   |
|                |          |       |release=2018.4.1&platform=All&function=  |
|                |          |       |all&source=fc                            |
+----------------+----------+-------+-----------------------------------------+
|                |          |       |Addressed in 5.0.8.6 fixpack.            |
|                |          |       |                                         |
|                |          |       |Management server and Developer Portal   |
|                |          |       |are impacted.                            |
|                |          |       |                                         |
|                |          |       |Follow this link and find the            |
|IBM API Connect |5.0.8.6   |       |APIConnect_Management and                |
|V5.0.8.0-5.0.8.5|fixpack   |LI80736|APIConnect-Portal package.               |
|                |          |       |                                         |
|                |          |       |                                         |
|                |          |       |http://www.ibm.com/support/fixcentral/swg|
|                |          |       |/quickorderparent=ibm%7EWebSphere&       |
|                |          |       |product=ibm/WebSphere/IBM+API+Connect&   |
|                |          |       |release=5.0.8.5&platform=All&function=all|
|                |          |       |&source=fc                               |
+----------------+----------+-------+-----------------------------------------+

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

IBM API Connect Support Lifecycle Policy (v2018)

Change History

March 27, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKQJ8maOgq3Tt24GAQixQg/9F/4KPR70oYz6Va61tdJAbniH8CXKObAT
OZqLkcuF8ZwDeP9DpUm+nwygV2K+FEePYU8B5bCcsjVn8b+Ng9i1wK2DGljTvwnu
NMpgTEMHi4xv0scuiULYJS6Z6v6kk4M80A844FPQRJUdMaobmppta+tM9oeZFKNL
8yZFTZwwn2idx8Cx7JIC/MmjJE0kpzh8UwgBHQG2YgHldJhakdPHLHJST7Fxb32n
Dv+HJn5qPZ7R+8pDNZp+nsJg2H4BRm2GGq2GbW7HQ5l/GuSCkYpjmIlYUwSmYUqa
3i96igkRckvgI5Ik2c6rGwU4h+8tptFlOjC5BdYuha0uNWoOHuhD0TKw0cQ6pFXi
gREMA2GxK0GbQzWGyCpyr3/Vu2ik2G+ztw5VIFk2zey8oQnhncWGBIfpleHMZmvK
TbL78LhE5UEU7L4hIbc0ynggTm8T3NPTyVIopAmXqo4Bg8SDz2m1WF1kDMPNcRbc
sYUTZITVo52Dk/T3u8Bd/uMfjTL1lqRRpZevp1A1Jky8mMoqtHT33eFLc/bVXxkp
AQ3r4JTdwv16clIJCokMDS+0f6MQd0yTKn7A5RzyHVb0M60pIyg4aRSLS/OfKldY
40O3Q2pcxqtfgKR9UWOUxRB+7xV0ppPIIkNuHlFbbznNPYGrW5i+CNkVgFiU+xS6
JNt7DRIs6+4=
=3QA7
-----END PGP SIGNATURE-----
