-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2415
           Vulnerabilities in IBM Cúram Social Program Management
                             22 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cúram Social Program Management
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Solaris
                   Windows
                   Linux variants
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5661 CVE-2016-3092 CVE-2016-1182
                   CVE-2016-1181 CVE-2015-1832 CVE-2015-0899
                   CVE-2014-3596

Reference:         ESB-2017.1643
                   ESB-2016.2223
                   ESB-2016.1709

Original Bulletin:
   https://www-01.ibm.com/support/docview.wss?uid=swg22008736
   https://www-01.ibm.com/support/docview.wss?uid=swg22008689
   https://www-01.ibm.com/support/docview.wss?uid=swg22008731
   https://www-01.ibm.com/support/docview.wss?uid=swg22008734
   https://www-01.ibm.com/support/docview.wss?uid=swg22008692

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Apache Derby affects IBM Cúram Social
Program Management (CVE-2015-1832)

Document information

More support for:

Cúram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008736

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cúram Social Program Management uses the Apache Derby Library. Apache
Derby could allow a remote attacker to obtain sensitive information, caused
by an XML external entity (XXE) error when processing XML data by the XML
datatype and XmlVTI. An attacker could exploit this vulnerability to read
arbitrary files on the system or cause a denial of service.

Vulnerability Details

CVEID:

CVE-2015-1832

DESCRIPTION:

Apache Derby could allow a remote attacker to obtain sensitive information,
caused by an XML external entity (XXE) error when processing XML data by the
XML datatype and XmlVTI. An attacker could exploit this vulnerability to read
arbitrary files on the system or cause a denial of service.

CVSS Base Score: 6.4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115625 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes


+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Struts affects IBM Cúram Social
Program Management (CVE-2016-1182, CVE-2016-1181, CVE-2015-0899)

Document information

More support for:

Cúram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008689

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cúram Social Program Management uses the Apache Struts Library. Apache
Struts could allow a remote attacker to bypass security restrictions, caused
by the improper validation of input by the Validator; or Apache Struts could
allow a remote attacker to execute arbitrary code on the system, caused by
the failure to protect against unintended remote operations against
components on server memory by the ActionForm instance; or Apache Struts
could allow a remote attacker to bypass security restrictions, caused by an
error in the MultiPageValidator implementation.

Vulnerability Details

CVEID:

CVE-2016-1182

DESCRIPTION:

Apache Struts could allow a remote attacker to bypass security restrictions,
caused by the improper validation of input by the Validator. An attacker
could exploit this vulnerability to modify validation rules and error
messages.

CVSS Base Score: 4.8

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113853 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:

CVE-2016-1181

DESCRIPTION:

Apache Struts could allow a remote attacker to execute arbitrary code on the
system, caused by the failure to protect against unintended remote operations
against components on server memory by the ActionForm instance. An attacker
could exploit this vulnerability to execute arbitrary code on the system.

CVSS Base Score: 8.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113852 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:

CVE-2015-0899

DESCRIPTION:

Apache Struts could allow a remote attacker to bypass security restrictions,
caused by an error in the MultiPageValidator implementation. An attacker
could exploit this vulnerability using a modified page parameter to bypass
restrictions and launch further attacks on the system. This vulnerability
also affects other products.

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+


Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Axis affects IBM Cúram Social
Program Management (CVE-2014-3596)

Document information

More support for:

Cúram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008731

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cúram Social Program Management uses the Apache Axis Library. Apache Axis
and Axis2 could allow a remote attacker to conduct spoofing attacks, caused
by an incomplete fix related to the failure to verify that the server
hostname matches a domain name in the subject's Common Name (CN) field of the
X.509 certificate.

Vulnerability Details

CVEID:

CVE-2014-3596

DESCRIPTION:

Apache Axis and Axis2 could allow a remote attacker to conduct spoofing
attacks, caused by an incomplete fix related to the failure to verify that
the server hostname matches a domain name in the subject's Common Name (CN)
field of the X.509 certificate. By persuading a victim to visit a Web site
containing a specially-crafted certificate, an attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof an SSL server.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95377 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache FOP affects IBM Cúram Social
Program Management (CVE-2017-5661)

Document information

More support for:

Cúram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008734

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cúram Social Program Management uses the Apache FOP Library. Apache FOP
could allow a remote authenticated attacker to obtain sensitive information,
caused by an XML external entity (XXE) error when processing XML data. By
using a specially-crafted SVG file, a remote attacker could exploit this
vulnerability to obtain sensitive information or possibly cause a denial of
service.

Vulnerability Details

CVEID:

CVE-2017-5661

DESCRIPTION:

Apache FOP could allow a remote authenticated attacker to obtain sensitive
information, caused by an XML external entity (XXE) error when processing XML
data. By using a specially-crafted SVG file, a remote attacker could exploit
this vulnerability to obtain sensitive information or possibly cause a denial
of service.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124797 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM
Cúram Social Program Management (CVE-2016-3092)

Document information

More support for:

Cúram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008692

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cúram Social Program Management uses the Apache Commons FileUpload
Library. Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.

Vulnerability Details

CVEID:

CVE-2016-3092

DESCRIPTION:

Apache Tomcat is vulnerable to a denial of service, caused by an error in the
Apache Commons FileUpload component. By sending file upload requests, an
attacker could exploit this vulnerability to cause the server to become
unresponsive.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes



+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+
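As an added example (not IBM's or AusCERT's code), the following Python checker encodes the affected-version ranges and the first-fix table that all five advisories in this bulletin repeat, and reports whether an installed VRMF still needs one of the listed upgrades. It assumes VRMF strings of the form "7.0.1.0", optionally followed by " iFixN", and counts an iFix as fixed only when it sits on the same base release as the listed fix (so 6.0.5.10 iFix2 is fixed, but 7.0.1.0 iFix1 is still reported as affected because the listed fix is 7.0.1.1).

```python
"""Added example, not IBM's or AusCERT's code: check an installed IBM Cúram
Social Program Management VRMF against the affected ranges and first fixes
listed in ESB-2017.2415 (same table in all five IBM advisories).

Assumptions (not stated by the bulletin): a VRMF looks like "6.0.5.10",
optionally followed by " iFixN"; an iFix on an affected base release only
counts as fixed when the listed first fix is an iFix on that same base.
"""
import re
from typing import Optional, Tuple

# (lowest affected, highest affected, first fix) exactly as the bulletin lists them.
AFFECTED = [
    ("7.0.0.0", "7.0.1.0", "7.0.1.1"),
    ("6.2.0.0", "6.2.0.5", "6.2.0.6"),
    ("6.1.0.0", "6.1.1.5", "6.1.1.6"),
    ("6.0.5.0", "6.0.5.10", "6.0.5.10 iFix2"),
]

# Up to four dotted numeric components, then an optional " iFixN" suffix.
_VRMF_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:\s*iFix\s*(\d+))?$", re.IGNORECASE)


def parse_vrmf(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.0.5.10 iFix2' into ((6, 0, 5, 10), 2).

    Short forms are padded ('7.0' -> (7, 0, 0, 0)); a missing iFix is level 0.
    Raises ValueError for anything that is not a VRMF string.
    """
    m = _VRMF_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a VRMF string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), int(m.group(2) or 0)


def assess(installed: str) -> Optional[str]:
    """Return the first fix to upgrade to if `installed` is in an affected
    range, or None if it is not inside any range the bulletin lists.

    None only means "not in a listed range": the bulletin says to contact
    Cúram Customer Support for all other versions.
    """
    base, ifix = parse_vrmf(installed)
    for low, high, fix in AFFECTED:
        if not (parse_vrmf(low)[0] <= base <= parse_vrmf(high)[0]):
            continue
        fix_base, fix_ifix = parse_vrmf(fix)
        # Only an iFix on the very base release the fix names can clear it
        # (6.0.5.10 iFix2 or later); an iFix on 7.0.1.0 does not reach 7.0.1.1.
        if base == fix_base and ifix >= fix_ifix:
            return None
        return fix
    return None


def affected_by_bulletin(installed: str) -> bool:
    """True when the installed build still needs one of the listed upgrades."""
    return assess(installed) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not data from the bulletin.
    for build in ["7.0.1.0", "7.0.1.0 iFix1", "7.0.1.1",
                  "6.0.5.10", "6.0.5.10 iFix2", "6.2.0.3", "5.2.0.0"]:
        fix = assess(build)
        verdict = f"upgrade to {fix}" if fix else "not in a listed affected range"
        print(f"{build:16} -> {verdict}")
```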



Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.


Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================