-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0322
IBM Security Access Manager for Web is affected by multiple vulnerabilities
                              9 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager for Web
Publisher:         IBM
Operating System:  Network Appliance
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8531 CVE-2015-7421 CVE-2015-7420
                   CVE-2015-7183 CVE-2015-7182 CVE-2015-7181
                   CVE-2015-5621 CVE-2015-3405 CVE-2015-3238
                   CVE-2015-2730 CVE-2015-1819 CVE-2015-1799
                   CVE-2015-1798 CVE-2014-9298 CVE-2014-9297
                   CVE-2014-8121 CVE-2014-3565 

Reference:         ASB-2016.0004
                   ASB-2015.0105
                   ASB-2015.0066
                   ESB-2015.0288.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21974648
   http://www.ibm.com/support/docview.wss?uid=swg21974737
   http://www.ibm.com/support/docview.wss?uid=swg21974644
   http://www.ibm.com/support/docview.wss?uid=swg21974657
   http://www.ibm.com/support/docview.wss?uid=swg21974750
   http://www.ibm.com/support/docview.wss?uid=swg21974652
   http://www.ibm.com/support/docview.wss?uid=swg21974651
   http://www.ibm.com/support/docview.wss?uid=swg21974653
   http://www.ibm.com/support/docview.wss?uid=swg21974738

Comment: This bulletin contains nine (9) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Security Access Manager for Web is affected by Network
Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182,
CVE-2015-7183)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Appliance
  Reference #:          1974648
  Modified date:        2016-02-07

Summary

Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform independence
for non-GUI operating system facilities.

IBM Security Access Manager for Web bundles the nss, nss-util and nspr
packages and is affected by the vulnerabilities below. The X-Force
descriptions are written in terms of Mozilla Firefox, but the flaws are in the
shared NSS ASN.1 decoder and the NSPR arena allocator, not in the browser, so
any consumer of these libraries, the appliance included, is exposed.

Vulnerability Details

CVEID: CVE-2015-7181
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary
code on the system, caused by a use-after-poison in the sec_asn1d_parse_leaf()
function. By persuading a victim to visit a specially-crafted Web site, a
remote attacker could exploit this vulnerability using unknown attack vectors
to execute arbitrary code on the vulnerable system or cause a denial of
service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107814
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-7182
DESCRIPTION: Mozilla Firefox is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking when decoding a constructed OCTET STRING.
By persuading a victim to visit a specially-crafted Web site, a remote
attacker could overflow a buffer and execute arbitrary code on the system or
cause the application to crash.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107815
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-7183
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by
an integer overflow in the Netscape Portable Runtime (NSPR) in
PL_ARENA_ALLOCATE. By persuading a victim to visit a specially-crafted Web
site, a remote attacker could exploit this vulnerability using unknown attack
vectors to cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107816
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80753  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80752  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0                          IV80752  1. Upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

February 1, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A libxml vulnerability affects IBM Security Access Manager
for Web (CVE-2015-1819)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Appliance
  Reference #:          1974737
  Modified date:        2016-02-07

Summary

IBM Security Access Manager for Web is affected by a denial of service
vulnerability in libxml2.

Vulnerability Details

CVEID: CVE-2015-1819
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an XML
External Entity Injection (XXE) error in the xmlreader interface when
processing XML data. A remote attacker could exploit this vulnerability to
consume all available memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107272
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80986  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80971  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80971  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Change History

February 1, 2016: Original version published.

- ---

Security Bulletin: Vulnerabilities in Net-SNMP affect IBM Security Access
Manager for Web (CVE-2014-3565, CVE-2015-5621)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        9.0
  Operating system(s):  Appliance
  Reference #:          1974644
  Modified date:        2016-02-07

Summary

IBM Security Access Manager for Web is affected by denial of service
vulnerabilities in Net-SNMP.

Vulnerability Details

CVEID: CVE-2014-3565
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by the
improper handling of SNMP traps when snmptrapd is started with the "-OQ"
option. By sending an SNMP trap message containing a variable with a NULL
type, a remote attacker could exploit this vulnerability to cause snmptrapd
to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95638
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-5621
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by
incompletely parsed varBind variables being left in the list of variables by
the snmp_pdu_parse() function. A remote attacker could exploit this
vulnerability to cause the application to crash or possibly execute arbitrary
code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105232
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80685  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
                                                                  IV80984
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80684  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                  IV80945  2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80684  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                  IV80945  2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Change History

February 1, 2016: Original version published

- ---

Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access
Manager for Web (CVE-2015-2730)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Appliance
  Reference #:          1974657
  Modified date:        2016-02-07

Summary

Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications.

IBM Security Access Manager for Web is affected by a vulnerability in the
nss-softokn package.

Vulnerability Details

CVEID: CVE-2015-2730
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security
restrictions, caused by the failure to properly handle certain exceptional
cases in the Elliptic Curve Cryptography (ECC) point multiplication used for
Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in
Network Security Services (NSS). By persuading a victim to visit a
specially-crafted Web site, a remote attacker could exploit this vulnerability
to forge signatures.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/104386
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80985  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80965  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80965  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Change History

February 1, 2016: Original version published.

- ---

Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access
Manager for Web (CVE-2015-7421, CVE-2015-7420)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Platform Independent
  Reference #:          1974750
  Modified date:        2016-02-07

Summary

Vulnerabilities were discovered in GSKit. IBM Security Access Manager for Web
uses GSKit and has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-7421
DESCRIPTION: A vulnerability in GSKit could allow a remote attacker to obtain
sensitive information. The internal ICC PRNG pool state is duplicated during a
fork() system call, which results in a period of time where child processes
may generate identical PRNG output to the parent. This may allow attacks
related to predictable state which an attacker could exploit.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107695
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-7420
DESCRIPTION: A vulnerability in GSKit could allow a remote attacker to obtain
sensitive information. The GSKit PRNG state is duplicated during a fork()
system call, which results in a period of time where child processes may
generate identical PRNG output to the parent.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107694
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
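Both GSKit CVEs above are the same failure mode: a PRNG whose pool state is
copied by fork() and then consumed independently by parent and child, so for a
while both sides emit the same "random" bytes. The Python below is an
illustration added to this bulletin, not GSKit or ICC code. It uses a private
random.Random instance as a stand-in for the library's pool and shows that the
child reproduces the parent's output stream until it reseeds; the fix is
modelled as mixing fresh bytes from os.urandom into the child's state, which
is what a library must do in a fork handler. Python's own global random
instance has done exactly that after fork since 3.7; private instances, like
the one used here, do not, which is why it demonstrates the bug.

```python
"""PRNG state duplication across fork(), and the reseed that fixes it.
Illustrative code added to this bulletin; not GSKit/ICC code. Unix only."""
import os
import random


def _draw(rng, nbytes=8):
    """Pull nbytes of output from a PRNG instance."""
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def fork_and_compare(reseed_child, draws=4):
    """Fork a process that inherits a private PRNG from its parent.

    Returns True when the child's next `draws` outputs are byte-identical to
    the parent's, i.e. the duplicated pool state is being consumed on both
    sides. With reseed_child=True the child mixes fresh entropy first and the
    streams diverge.
    """
    rng = random.Random(os.urandom(16))   # private pool, seeded once, in the parent
    _draw(rng)                            # advance the state so both sides start mid-stream
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                          # child: report its output over the pipe, then exit
        os.close(r)
        if reseed_child:
            rng.seed(os.urandom(16))      # the fix: fresh entropy after fork
        os.write(w, b"".join(_draw(rng) for _ in range(draws)))
        os.close(w)
        os._exit(0)
    os.close(w)                           # parent: read until the child closes its end
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    child_out = b"".join(chunks)
    parent_out = b"".join(_draw(rng) for _ in range(draws))
    return child_out == parent_out


def install_fork_guard(rng):
    """Reseed `rng` automatically in every child this process forks (Python 3.7+).

    This is the library-side fix in the form a maintainer would ship it: a
    fork handler rather than a reseed call the application has to remember.
    """
    os.register_at_fork(after_in_child=lambda: rng.seed(os.urandom(16)))


if __name__ == "__main__":
    print("identical output without reseed:", fork_and_compare(False))
    print("identical output with reseed:   ", fork_and_compare(True))
```

The Mersenne Twister behind random.Random is not a cryptographic generator in
any case; the example uses it only because state duplication is easy to see
there. The same property holds for a CSPRNG pool that is not fork-aware, and
that is what makes it security-relevant: a child that generates a session key
or nonce from the duplicated pool produces a value the parent, or another
child, may produce too.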

Affected Products and Versions

IBM Security Access Manager for Web 7.0 (software)

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                                     APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (software installations)  IV80988  1. Apply Interim Fix 21: 7.0.0-ISS-SAM-IF0021
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)              IV80988  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                            IV80979  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                                       2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                            IV80979  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                                       2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Acknowledgement

None

Change History

February 1, 2016: Original version published.

- ---

Security Bulletin: IBM Security Access Manager for Web is affected by
multiple NTP vulnerabilities

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Appliance
  Reference #:          1974652
  Modified date:        2016-02-07

Summary

The Network Time Protocol (NTP) is used to synchronize a computer's time with
another referenced time source.

IBM Security Access Manager for Web uses NTP and is affected by multiple NTP
vulnerabilities.

Vulnerability Details

CVEID: CVE-2014-9297
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow
a remote attacker to conduct spoofing attacks, caused by insufficient entropy
in the PRNG. An attacker could exploit this vulnerability to spoof the IPv6
address ::1 to bypass ACLs and launch further attacks on the system.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100004
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-9298
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow
a remote attacker to obtain sensitive information, caused by the improper
validation of the length value in extension field pointers. An attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100005
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Note: the NTP project's own security notice assigns the extension field
length validation flaw to CVE-2014-9297 and the ::1 spoofing / ACL bypass to
CVE-2014-9298, the reverse of the two X-Force descriptions above. When
cross-referencing other vendors' advisories, match on the flaw described
rather than on the identifier; the fix level required is the same either way.

CVEID: CVE-2015-1798
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow
a remote attacker to bypass security restrictions, caused by the acceptance of
packets that do not contain a message authentication code (MAC) as valid
packets when configured for symmetric key authentication. An attacker could
exploit this vulnerability using man-in-the-middle techniques to bypass the
authentication process.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102051
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)
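CVE-2015-1798 is a flaw in the authentication decision, not in the digest:
when an association was configured for symmetric-key authentication, a packet
that carried no MAC at all was still accepted, so an on-path attacker did not
need the key, only the ability to strip the MAC. The Python below is an
illustration added to this bulletin, not ntpd code. It models the NTPv4
symmetric-key MAC (a 4-byte key identifier followed by MD5 over the shared
key and the 48-byte header, the scheme in RFC 5905 Appendix A) with the flawed
acceptance logic next to the corrected one. The key table, key value and
packet are constructed for the example; SHA-1 keys, which carry a 20-byte
digest, are not modelled.

```python
"""Symmetric-key authentication check for NTP packets, modelling the
CVE-2015-1798 acceptance flaw and the corrected check. Illustrative code added
to this bulletin, not ntpd source. MD5 keys only."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # LI/VN/Mode through Transmit Timestamp
MD5_MAC_LEN = 4 + 16         # key id + MD5 digest

# Constructed key table; in ntpd this comes from the ntp.keys file.
KEYS = {1: b"constructed-shared-secret"}


def make_header(mode=3, stratum=2):
    """Build a minimal 48-byte NTPv4 header (constructed sample, zeroed timestamps)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4, mode=3 (client)
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + bytes(44)


def append_mac(header, key_id, key):
    """MAC = key id || MD5(key || header), appended to the header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def accept_packet(pkt, keys, vulnerable=False):
    """Decide whether `pkt` is acceptable on an association configured with `keys`.

    Returns (accepted, reason). vulnerable=True reproduces the flawed logic, in
    which a bare header with no MAC is treated as valid; the default is the
    corrected behaviour, where a missing MAC is a hard reject.
    """
    if len(pkt) < NTP_HEADER_LEN:
        return False, "short packet"
    header, mac = pkt[:NTP_HEADER_LEN], pkt[NTP_HEADER_LEN:]
    if not mac:
        if vulnerable:
            return True, "no MAC present, accepted anyway"
        return False, "no MAC present on authenticated association"
    if len(mac) != MD5_MAC_LEN:
        return False, "unexpected MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id


if __name__ == "__main__":
    hdr = make_header()
    print("bare header, fixed:     ", accept_packet(hdr, KEYS))
    print("bare header, vulnerable:", accept_packet(hdr, KEYS, vulnerable=True))
    print("signed header, fixed:   ", accept_packet(append_mac(hdr, 1, KEYS[1]), KEYS))
```

The corrected branch is the whole fix: once an association requires a key, the
absence of a MAC is itself an authentication failure, and only a present MAC
with a known key identifier and a matching digest is accepted. The digest
comparison uses hmac.compare_digest so that a verifier does not leak how many
bytes matched.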

CVEID: CVE-2015-1799
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is
vulnerable to a denial of service, caused by an error when using symmetric key
authentication. By sending specially-crafted packets to both peering hosts, an
attacker could exploit this vulnerability to prevent synchronization.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102052
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-3405
DESCRIPTION: Network Time Protocol (NTP) could allow a remote attacker to
conduct spoofing attacks, caused by the generation of weak MD5 symmetric keys
on big-endian systems by the ntp-keygen utility. An attacker could exploit
this vulnerability using the generated MD5 keys to spoof an NTP client or
server.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/104387
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80982  1. Apply Interim Fix 21: 7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80905  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80905  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Workarounds and Mitigations

None.

Change History

February 1, 2016: Original version published.

- ---

Security Bulletin: A cross-site scripting vulnerability has been identified
in IBM Security Access Manager for Web (CVE-2015-8531)

Document information

  Product:              IBM Security Access Manager for Web
  Software version:     8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
                        8.0.1.3, 9.0
  Operating system(s):  Appliance
  Reference #:          1974651
  Modified date:        2016-02-07

Summary

IBM Security Access Manager for Web is vulnerable to cross-site scripting
attacks that could be used to steal the victim's authentication credentials.

Vulnerability Details

CVEID: CVE-2015-8531
DESCRIPTION: IBM Security Access Manager for Web is vulnerable to cross-site
scripting, caused by improper validation of user-supplied input. A remote
attacker could exploit this vulnerability using a specially-crafted URL to
execute script in a victim's Web browser within the security context of the
hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109673
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF           APAR     Remediation
IBM Security Access Manager for Web  8.0 - 8.0.1.3  IV80692  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3: 8.0.1-ISS-WGA-FP0003
                                                             2. Apply 8.0.1.3 Interim Fix 4: 8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1  IV80692  1. For 9.0 environments, upgrade to 9.0.0.1: 9.0.0-ISS-ISAM-FP0001
                                                             2. Apply 9.0.0.1 Interim Fix 1: 9.0.0.1-ISS-ISAM-IF0001

Acknowledgement

None.

Change History

February 1, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security
Access Manager for Web (CVE-2014-8121)

Security Bulletin

Document information

More support for:

IBM Security Access Manager for Web

Software version:

7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2, 8.0.1.3, 9.0

Operating system(s):

Appliance

Reference #:

1974653

Modified date:

2016-02-07

Summary

A GNU C library (glibc) vulnerability affects IBM Security Access Manager for
Web.

Vulnerability Details

CVEID:

CVE-2014-8121

DESCRIPTION:

GNU C Library (glibc) is vulnerable to a denial of service, caused by
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) failing
to check whether the database file is already open. By performing a look-up
on a database while iterating over it, an attacker could exploit this
vulnerability to cause the application to enter an infinite loop.

CVSS Base Score: 5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102652
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80983  1. Apply Interim Fix 21:
                                                                              7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80933  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3:
                                                                              8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4:
                                                                              8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80933  1. For 9.0 environments, upgrade to 9.0.0.1:
                                                                              9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1:
                                                                              9.0.0.1-ISS-ISAM-IF0001

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

February 1, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access
Manager for Web (CVE-2015-3238)

Security Bulletin

Document information

More support for:

IBM Security Access Manager for Web

Software version:

7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2, 8.0.1.3, 9.0

Operating system(s):

Appliance

Reference #:

1974738

Modified date:

2016-02-07

Summary

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to recompile
programs to handle authentication.

IBM Security Access Manager for Web is affected by a Linux-PAM vulnerability.

Vulnerability Details

CVEID:

CVE-2015-3238

DESCRIPTION:

Linux-PAM could allow a local attacker to obtain sensitive information,
caused by an error in the _unix_run_helper_binary function in the pam_unix
module. An attacker could exploit this vulnerability using an overly large
password to enumerate usernames and cause the system to hang.

CVSS Base Score: 5.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106368
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances, all firmware versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions

IBM Security Access Manager 9.0 appliances, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product                              VRMF                         APAR     Remediation
IBM Security Access Manager for Web  7.0 - 7.0.0.20 (appliances)  IV80987  1. Apply Interim Fix 21:
                                                                              7.0.0-ISS-WGA-IF0021
IBM Security Access Manager for Web  8.0 - 8.0.1.3                IV80975  1. For 8.0-8.0.1.2 environments, upgrade to 8.0.1.3:
                                                                              8.0.1-ISS-WGA-FP0003
                                                                           2. Apply 8.0.1.3 Interim Fix 4:
                                                                              8.0.1.3-ISS-WGA-IF0004
IBM Security Access Manager          9.0 - 9.0.0.1                IV80975  1. For 9.0 environments, upgrade to 9.0.0.1:
                                                                              9.0.0-ISS-ISAM-FP0001
                                                                           2. Apply 9.0.0.1 Interim Fix 1:
                                                                              9.0.0.1-ISS-ISAM-IF0001

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

February 1, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----