Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.2704 Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM Rational License Key Server and IBM Administration and Reporting Tool 26 October 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Rational License Key Server IBM RLKS Administration and Reporting Tool Publisher: IBM Operating System: AIX Linux variants Solaris Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2017-12617 CVE-2017-12615 CVE-2017-5651 CVE-2017-5648 CVE-2017-5647 Reference: ASB-2017.0109 ESB-2017.2510 ESB-2017.2091 ESB-2017.1186 ESB-2017.1102 ESB-2017.1101 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22008294 http://www.ibm.com/support/docview.wss?uid=swg22009870 Comment: This bulletin contains two (2) IBM security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM Rational License Key Server Administration and Reporting Tool IBM Rational License Key Server & Administration Tool Document information More support for: Rational License Key Server RLKS Administration and Reporting Tool Software version: 8.1.4, 8.1.4.1, 8.1.4.2, 8.1.4.3, 8.1.4.4, 8.1.4.5, 8.1.4.6, 8.1.4.7, 8.1.4.8, 8.1.4.9 Operating system(s): AIX, Linux, Solaris, Windows Reference #: 2008294 Modified date: 24 October 2017 Security Bulletin Summary Apache Tomcat is shipped as a component of RLKS Administration and Reporting Tool (RLKS ART) which contains multiple security vulnerabilities that could potentially impact ART. Vulnerability Details CVEID: CVE-2017-5647 DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the processing of pipelined requests in send file. An attacker could exploit this vulnerability to obtain sensitive information from the wrong response. CVSS Base Score: 5.3 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 124400 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2017-5648 DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to use the appropriate facade object by certain application listener calls. An attacker could exploit this vulnerability to access and modify data on the system. CVSS Base Score: 5.3 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 124399 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2017-5651 DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the send file processing that adds the invoked Processor to the cache twice. An attacker could exploit this vulnerability to obtain sensitive information from the wrong response. CVSS Base Score: 5.3 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 124397 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2017-12615 DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error when running on Windows with HTTP PUTs enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to upload a JSP file and execute arbitrary code on the system. CVSS Base Score: 8.1 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 132277 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2017-12617 DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to an error when running on Windows with HTTP PUTs enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to upload a JSP file and execute arbitrary code on the system. CVSS Base Score: 8.1 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 132484 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Affected Products and Versions These vulnerabilities affect the following versions of the IBM RLKS Administration and Reporting Tool. o RLKS Administration and Reporting Tool version 8.1.4 o RLKS Administration and Reporting Tool version 8.1.4.1 o RLKS Administration and Reporting Tool version 8.1.4.2 o RLKS Administration and Reporting Tool version 8.1.4.3 o RLKS Administration and Reporting Tool version 8.1.4.4 o RLKS Administration and Reporting Tool version 8.1.4.5 o RLKS Administration and Reporting Tool version 8.1.4.6 o RLKS Administration and Reporting Tool version 8.1.4.7 o RLKS Administration and Reporting Tool version 8.1.4.8 o RLKS Administration and Reporting Tool version 8.1.4.9 Remediation/Fixes Follow the instructions in How to manually update Apache Tomcat? to upgrade to Apache Tomcat, version 7.0.82 or later, where these vulnerabilities have been fixed. References Complete CVSS v3 Guide On-line Calculator v3 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 24 October 2017 : Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Product Alias/Synonym IBM Rational License Key Server & Administration Tool - ------------------------------------------------------------------------------- Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin Document information More support for: Rational License Key Server RLKS Administration and Reporting Tool Software version: 8.1.4.9, 8.1.5, 8.1.5.1, 8.1.5.2 Operating system(s): AIX, Linux, Solaris, Windows Reference #: 2009870 Modified date: 25 October 2017 IBM RLKS Administration and Reporting Tool Security Bulletin Summary There are multiple vulnerabilities related to IBM(R) Runtime Environment Java(TM) Technology Edition which is used and shipped by different versions of IBM Rational License Key Server Administration and Reporting Tool Admin (ART). Vulnerability Details CVEID: CVE-2017-10115 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base Score: 7.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 128876 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2017-10116 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Security component could allow an unauthenticated attacker to take control of the system. CVSS Base Score: 8.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 128877 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) Affected Products and Versions These vulnerabilities impact the following components and their releases: o RLKS Administration and Reporting Tool version 8.1.4.9 o RLKS Administration and Reporting Tool version 8.1.5 o RLKS Administration and Reporting Tool version 8.1.5.1 o RLKS Administration and Reporting Tool version 8.1.5.2 Remediation/Fixes For IBM RLKS Administration and Reporting Tool v. 8.1.5.x Replace the JRE used in IBM RLKS Administration and Reporting Tool. Steps to replace the JRE 1. Go to Fix Central. 2. Download the Java 8 runtime package that is applicable for your target platform. 3. Additionally, download the files US_export_policy.jar and local_policy.jar. 4. Shutdown RLKS Administration and Reporting Tool. 5. Go to the installation location of RLKS Administration and Reporting Tool. 6. Rename <install location>/jre folder to <install location>/jre_back. This step backs up the existing JRE. 7. Extract the downloaded JRE into <install location> folder. 8. Copy the downloaded US_export_policy.jar and local_policy.jar files to <install location>/jre/lib/security. 9. Startup RLKS Administration and Reporting Tool. 10. Login to the tool using rcladmin user and verify that you see the configured license servers under 'Server' tab. For IBM RLKS Administration and Reporting Tool v. 8.1.4.9 or earlier Upgrade to the latest version of 8.1.5.x. Then, update the JRE using the instructions mentioned above. Workarounds and Mitigations None References Complete CVSS v3 Guide On-line Calculator v3 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 25 October 2017 : Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Product Alias/Synonym IBM RLKS Administration and Reporting Tool - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWfFpAIx+lLeg9Ub1AQj0/A//QFmWEHtTCL5o+37QIOSWZA4EtBFlU7Nw RqE9B8DVOBIvixIZeE6KgBYIraCqMecFwX3KVXvGYTuevz/ZPFTdbwHP7AJ3zhGM zsFWRz0sPw2HXnuEp4OUp46DiHK6zsYuCglOLh9G7i2b8K3I5U4TVJXfAaQLD7/3 CFLGfojVvVLxw43r7BYEfZro4pyX4u1nophwu+r98tAQYTMml02lqWuYWvWZhrIF vIUMmpLCcA5dcCp9u5cj+gH2JRlohn6DW3tSx9Ih8LeZr6eo5GPNbfWB+UT3nzBL CA2qWCfFA+AhLEOaGO40hm6v2mzGTMCPtR0uIG+ehxd6ZurQxNljK5nvv1XXkVDr e3BxknIV8FVphSNCe4BxlWbhjn6HiJqU6jQ3r7zDOH2tA5tf0ODi0Rh+Zt13LpCt rwU8sRPBGdrHGUaJnfTi3P8qQ5U7nWDHoWkCnyolnZXnjkE+ZKAoYhNy2XYxnP2V JRlbzFGS6ACUZJU62siy1nSjG6Z/P0xycj26FszmX9RvCIPgu1xRbL8gC30mMZay xrR7v8NP+VaXlsVrTeyUWNc5hCHORY4eMDddZzgjARfbeOJ6jJhG1x7TA5j8QEXV iN841p//05iA9XnWYUtdzPDt+tdnxES4kTavnvd9qi8+ATl6ARJtmJG81K+QDiKh dfNmJ+5Lv/k= =LcUI -----END PGP SIGNATURE-----