===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2230
   Multiple vulnerabilities have been identified in IBM QRadar SIEM, IBM
         QRadar Vulnerability Manager and IBM QRadar Risk Manager
                             27 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
                   IBM QRadar Vulnerability Manager
                   IBM QRadar Risk Manager
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Root Compromise                -- Existing Account            
                   Modify Arbitrary Files         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6075 CVE-2014-5119 CVE-2014-4832
                   CVE-2014-4831 CVE-2014-4829 CVE-2014-4263
                   CVE-2014-4244 CVE-2014-3568 CVE-2014-3567
                   CVE-2014-3511 CVE-2014-3508 CVE-2014-0453

Reference:         ASB-2014.0077
                   ASB-2014.0053
                   ESB-2014.2182
                   ESB-2014.2162
                   ESB-2014.2017
                   ESB-2014.1867
                   ESB-2014.1777
                   ESB-2014.1306
                   ESB-2014.1145

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21691210
   http://www-01.ibm.com/support/docview.wss?uid=swg21691211
   http://www-01.ibm.com/support/docview.wss?uid=swg21691212
   http://www-01.ibm.com/support/docview.wss?uid=swg21691213

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in OpenSSL affect IBM QRadar SIEM 
(CVE-2014-3567, CVE-2014-3568, CVE-2014-3508, CVE-2014-3511)

Security Bulletin

Document information

More support for:
IBM Security QRadar SIEM

Software version:
7.1, 7.2

Operating system(s):
Linux

Reference #:
1691210

Modified date:
2014-11-25

Summary

OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL 
Project. OpenSSL is used by IBM QRadar SIEM. IBM QRadar SIEM has addressed 
the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2014-3567

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory 
leak when handling failed session ticket integrity checks. By sending an 
overly large number of invalid session tickets, an attacker could exploit 
this vulnerability to exhaust all available memory of an SSL/TLS or DTLS 
server.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97036 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3568

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security 
restrictions. When configured with "no-ssl3" as a build option, servers could 
still accept and complete an SSL 3.0 handshake. An attacker could exploit this 
vulnerability to perform unauthorized actions.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97037 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3511

DESCRIPTION: OpenSSL could allow a remote attacker to bypass security 
restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol 
versions by the OpenSSL SSL/TLS server code when handling a badly fragmented 
ClientHello message. An attacker could exploit this vulnerability using 
man-in-the-middle techniques to force a downgrade to TLS 1.0.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95162 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3508

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive 
information, caused by an error in OBJ_obj2txt. If applications echo pretty 
printing output, an attacker could exploit this vulnerability to read 
information from the stack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95165 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

   IBM QRadar SIEM 7.2.3 Patch 4 and below.
   IBM QRadar SIEM 7.1 MR2 Patch 8 and below.
   IBM QRadar Vulnerability Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.1 MR2 Patch 8 and below.

Remediation/Fixes

Product                                    Remediation/First Fix

IBM QRadar SIEM 7.2.3                      IBM QRadar SIEM 7.2.4 Patch 1
IBM QRadar Vulnerability Manager 7.2.3
IBM QRadar Risk Manager 7.2.3

IBM QRadar SIEM 7.1 MR2                    IBM QRadar SIEM 7.1 MR2 Patch 9
IBM QRadar Risk Manager 7.1 MR2

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information 

Segment    Product                                   Component   Platform   Version   
Security   IBM Security QRadar Risk Manager                      Linux      7.1, 7.2 
Security   IBM Security QRadar Vulnerability Manager             Linux      7.2 

- ----------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities found in IBM QRadar SIEM and 
QRadar Risk Manager (CVE-2014-4832, CVE-2014-4831, CVE-2014-4829, 
CVE-2014-6075)

Security Bulletin

Document information

More support for:
IBM Security QRadar SIEM

Software version:
7.1, 7.2

Operating system(s):
Linux

Reference #:
1691211

Modified date:
2014-11-25

Summary

There are multiple security vulnerabilities in various components used by IBM 
QRadar in versions 7.1 MR2 and 7.2.3.

Vulnerability Details

CVEID: CVE-2014-4832

Description: A vulnerability in the IBM QRadar Risk Manager application could 
allow a remote attacker to obtain sensitive information. If the application 
is accessed via a network with HTTP, an attacker using man-in-the-middle 
techniques could recover packets for non-encrypted cookies that could 
potentially contain sensitive session information or credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95582 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-4831

Description: IBM QRadar Risk Manager could allow a remote attacker to hijack 
a valid user's session, caused by improper validation. A remote attacker 
could exploit this vulnerability to hijack another user's account and gain 
the victim's privileges.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95581 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4829

Description: IBM QRadar is vulnerable to cross-site request forgery, caused 
by improper validation of user-supplied input. By persuading an authenticated 
user to visit a malicious Web site, a remote attacker could send a malformed 
HTTP request. An attacker could exploit this vulnerability to perform 
cross-site scripting attacks, Web cache poisoning, and other malicious 
activities.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95579 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6075

Description: IBM QRadar Risk Manager generates URLs with exposed user 
credentials in cleartext. A malicious user could obtain the exposed 
credentials from browser history and log files.

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95727 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

   IBM QRadar SIEM 7.2.3 Patch 4 and below.
   IBM QRadar SIEM 7.1 MR2 Patch 8 and below.
   IBM QRadar Vulnerability Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.1 MR2 Patch 8 and below.

Remediation/Fixes

Product                                   Remediation/First Fix

IBM QRadar SIEM 7.2.3                     IBM QRadar SIEM 7.2.4 Patch 1
IBM QRadar Vulnerability Manager 7.2.3
IBM QRadar Risk Manager 7.2.3

IBM QRadar SIEM 7.1 MR2                   IBM QRadar SIEM 7.1 MR2 Patch 9
IBM QRadar Risk Manager 7.1 MR2

Workarounds and Mitigations

None

Acknowledgement

IBM Security Systems Ethical Hacking Team: Paul Ionescu, Brennan Brazeau, 
John Zuccato, Jonathan Fitz-Gerald, Warren Moynihan


- ----------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is affected by a GNU C Library (glibc) 
vulnerability (CVE-2014-5119)

Security Bulletin

Document information

More support for:
IBM Security QRadar SIEM

Software version:
7.1, 7.2

Operating system(s):
Linux

Reference #:
1691212

Modified date:
2014-11-25


Summary

A security vulnerability has been discovered in the GNU C Library (glibc) 
component bundled with IBM QRadar SIEM.

Vulnerability Details

CVE-ID: CVE-2014-5119

DESCRIPTION: The GNU C Library (glibc) is vulnerable to a heap-based buffer 
overflow, caused by an off-by-one error in the __gconv_translit_find() 
function. By setting the CHARSET environment variable to a malicious value, a 
local attacker could exploit this vulnerability to overflow a buffer and 
execute arbitrary code on the system with root privileges.

CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95044 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

   IBM QRadar SIEM 7.2.3 Patch 4 and below.
   IBM QRadar SIEM 7.1 MR2 Patch 8 and below.
   IBM QRadar Vulnerability Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.1 MR2 Patch 8 and below.

Remediation/Fixes

The recommended solution is to apply the fix for each named product as soon 
as practical. Please see below for information about the fixes available.

Product                                   Remediation/First Fix

IBM QRadar SIEM 7.2.3                     IBM QRadar SIEM 7.2.4 Patch 1
IBM QRadar Vulnerability Manager 7.2.3
IBM QRadar Risk Manager 7.2.3

IBM QRadar SIEM 7.1 MR2                   IBM QRadar SIEM 7.1 MR2 Patch 9
IBM QRadar Risk Manager 7.1 MR2

Workarounds and Mitigations

None


- ----------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM can be affected by several vulnerabilities 
in the IBM Java Runtime Environment (CVE-2014-0453, CVE-2014-4263, 
CVE-2014-4244)

Security Bulletin

Document information

More support for:
IBM Security QRadar SIEM

Software version:
7.1, 7.2

Operating system(s):
Linux

Reference #:
1691213

Modified date:
2014-11-25

Summary

Previous releases of IBM QRadar Security Information and Event Manager, IBM 
QRadar Vulnerability Manager and IBM QRadar Risk Manager are affected by 
multiple vulnerabilities reported in the IBM SDK Java Technology Edition 
Version 6 and 7.

Vulnerability Details

CVEID: CVE-2014-0453

DESCRIPTION: An unspecified vulnerability related to the Security component 
has partial confidentiality impact, partial integrity impact, and no 
availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4263

DESCRIPTION: An unspecified vulnerability related to the Security component 
has partial confidentiality impact, partial integrity impact, and no 
availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-4244

DESCRIPTION: An unspecified vulnerability related to the Security component 
has partial confidentiality impact, partial integrity impact, and no 
availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

   IBM QRadar SIEM 7.2.3 Patch 4 and below.
   IBM QRadar SIEM 7.1 MR2 Patch 8 and below.
   IBM QRadar Vulnerability Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.2.3 Patch 4 and below.
   IBM QRadar Risk Manager 7.1 MR2 Patch 8 and below.

Remediation/Fixes

The recommended solution is to apply the fix for each named product as soon 
as practical. Please see below for information about the fixes available.

Product                                   Remediation/First Fix

IBM QRadar SIEM 7.2.3                     IBM QRadar SIEM 7.2.4 Patch 1
IBM QRadar Vulnerability Manager 7.2.3  
IBM QRadar Risk Manager 7.2.3

IBM QRadar SIEM 7.1 MR2                   IBM QRadar SIEM 7.1 MR2 Patch 9
IBM QRadar Risk Manager 7.1 MR2

Workarounds and Mitigations

None


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================