-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2734
      Security Bulletin: IBM OpenPages GRC Platform security updates
                              30 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM OpenPages GRC Platform
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1333 CVE-2017-1300 CVE-2017-1290 CVE-2017-1148
                   CVE-2017-1147 CVE-2016-3048

Reference:         ESB-2017.2729
                   ESB-2017.2379
                   ESB-2017.2331
                   ESB-2017.2278

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22009684
   http://www.ibm.com/support/docview.wss?uid=swg22009717
   http://www.ibm.com/support/docview.wss?uid=swg22009770
   http://www.ibm.com/support/docview.wss?uid=swg21997796
   http://www.ibm.com/support/docview.wss?uid=swg21997685

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM OpenPages GRC Platform has addressed Cross-site
Request Forgery (CVE-2017-1300)

Security Bulletin

Document information

More support for: OpenPages GRC Platform

Software version: 7.1, 7.2, 7.3

Operating system(s): AIX, Linux, Windows

Reference #: 2009684

Modified date: 27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
Cross-site request forgery.

Vulnerability Details

CVEID: CVE-2017-1300
DESCRIPTION: IBM OpenPages GRC Platform is vulnerable to cross-site request
forgery which could allow an attacker to execute malicious and unauthorized
actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125162
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM OpenPages GRC Platform versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1.0 through 7.1.0.3  http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

16 Oct 2017: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

===========================================================================

Security Bulletin: IBM OpenPages GRC Platform has addressed insecure object
reference (CVE-2017-1148)

Security Bulletin

Document information

More support for: OpenPages GRC Platform

Software version: 7.2, 7.3

Operating system(s): AIX, Linux, Windows

Reference #: 2009717

Modified date: 27 October 2017

Summary

IBM OpenPages GRC Platform with OpenPages Loss Event Entry (LEE) application
addressed potential security exposure due to insecure object reference.

Vulnerability Details

CVEID: CVE-2017-1148
DESCRIPTION: IBM OpenPages GRC Platform with OpenPages Loss Event Entry (LEE)
application could allow a user to obtain sensitive information including
private APIs that could be used in further attacks against the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122201
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM OpenPages GRC Platform versions 7.2 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later

Workarounds and Mitigations

None known, apply fixes.
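The fix tables in this redistribution give one fixed level per stream (7.1.0.4, 7.2.0.5, 7.3.0.1) but not every CVE affects every stream: CVE-2017-1148 lists only 7.2 and 7.3, and CVE-2017-1333 has no fix pack at all because it is an IIS configuration issue. The following check turns those tables into an inventory query that tells you which of the six CVEs are still outstanding for a given installed level. It is an added example, not IBM or AusCERT code; the affected streams and fix levels are copied from the bulletins in this redistribution, and the host inventory at the bottom is constructed for illustration.

```python
"""Fix-level check for the OpenPages GRC Platform bulletins in this
redistribution.

Added example, not IBM or AusCERT code. Affected streams and fix-pack
levels come from the Remediation/Fixes tables of the bulletins; the host
inventory under __main__ is constructed, not real.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Streams the bulletins cover. Anything else is outside their scope, which
# is not the same as being unaffected, so it is reported as an error.
COVERED_STREAMS = ("7.1", "7.2", "7.3")

# Per CVE: affected stream -> first fix level on that stream.
# CVE-2017-1148 lists only 7.2 and 7.3 as affected.
FIX_LEVELS: Dict[str, Dict[str, str]] = {
    "CVE-2017-1300": {"7.1": "7.1.0.4", "7.2": "7.2.0.5", "7.3": "7.3.0.1"},
    "CVE-2017-1148": {"7.2": "7.2.0.5", "7.3": "7.3.0.1"},
    "CVE-2017-1290": {"7.1": "7.1.0.4", "7.2": "7.2.0.5", "7.3": "7.3.0.1"},
    "CVE-2017-1147": {"7.1": "7.1.0.4", "7.2": "7.2.0.5", "7.3": "7.3.0.1"},
    "CVE-2016-3048": {"7.1": "7.1.0.4", "7.2": "7.2.0.5", "7.3": "7.3.0.1"},
}

# CVE-2017-1333 has no fix pack: it is an IIS configuration issue for every
# 7.1.0.x through 7.3.0.x install that uses IIS as the Cognos web server.
IIS_CONFIG_CVE = "CVE-2017-1333"


def parse_version(s: str) -> Version:
    """'7.2.0.4' -> (7, 2, 0, 4). Shorter strings such as '7.3' are padded
    with zeros so that '7.3' < '7.3.0.1', i.e. an unpatched 7.3 GA install."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {s!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def unfixed_cves(installed: str, uses_iis: bool = False) -> List[str]:
    """CVEs from this redistribution that the installed level does not
    address, sorted. Raises for streams the bulletins do not cover."""
    v = parse_version(installed)
    stream = f"{v[0]}.{v[1]}"
    if stream not in COVERED_STREAMS:
        raise ValueError(f"{installed}: not covered by these bulletins")
    out = [cve for cve, levels in FIX_LEVELS.items()
           if stream in levels and v < parse_version(levels[stream])]
    if uses_iis:
        out.append(IIS_CONFIG_CVE)
    return sorted(out)


def report(hosts: Dict[str, Tuple[str, bool]]) -> Dict[str, List[str]]:
    """host -> (version, uses_iis)  =>  host -> outstanding CVEs."""
    return {h: unfixed_cves(ver, iis) for h, (ver, iis) in hosts.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {
        "grc-prod-01": ("7.2.0.4", False),
        "grc-prod-02": ("7.2.0.5", True),
        "grc-dev-01": ("7.1.0.3", False),
        "grc-uat-01": ("7.3", False),
    }
    for host, cves in report(inventory).items():
        print(f"{host}: {', '.join(cves) or 'nothing outstanding'}")
```

Two edge cases matter in practice: a bare "7.3" from an inventory tool is a GA install and still needs 7.3.0.1, and a stream outside 7.1 through 7.3 is deliberately an error rather than an empty list, because the bulletins say nothing about it.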
References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

16 Oct 2017: Original version published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

===========================================================================

Security Bulletin: IBM OpenPages GRC Platform has addressed secure HTTP header
improvements (CVE-2017-1290)

Security Bulletin

Document information

More support for: OpenPages GRC Platform

Software version: 7.1, 7.2, 7.3

Operating system(s): AIX, Linux, Windows

Reference #: 2009770

Modified date: 27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
some missing secure HTTP headers.

Vulnerability Details

CVEID: CVE-2017-1290
DESCRIPTION: IBM OpenPages GRC Platform is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125151
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3.0                  http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2.0 through 7.2.0.4  http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1.0 through 7.1.0.3  http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Akik Rahman

Change History

16 October 2017: Original version published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

===========================================================================

Security Bulletin: IBM OpenPages GRC Platform is affected by an information
disclosure issue (CVE-2017-1333)

Security Bulletin

Document information

More support for: OpenPages GRC Platform

Software version: 7.1, 7.2, 7.3

Operating system(s): Windows

Reference #: 1997796

Modified date: 27 October 2017

Summary

IBM OpenPages GRC Platform has a potential information disclosure issue, due
to Windows Internet Information Server (IIS) default configuration.

Vulnerability Details

CVEID: CVE-2017-1333
DESCRIPTION: IBM OpenPages GRC Platform could allow an unauthenticated user to
obtain sensitive information about the server that could be used in future
attacks against the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126241
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

For OpenPages GRC Platform version 7.1.0.x through 7.3.0.x customers using
Windows Internet Information Server (IIS) as the IBM Cognos web server,
remediation instructions are provided at the URL listed below:

http://www.ibm.com/support/docview.wss?uid=swg22006922

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Akik Rahman

Change History

30 June 2017: Original version published
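Two of the bulletins above are about the HTTP response itself rather than application code: CVE-2017-1290 is described as missing secure HTTP headers, and CVE-2017-1333 as server details exposed by a default IIS configuration. Neither bulletin names the headers involved, so the offline audit below is an added example, not IBM or AusCERT code: the disclosure and required-header lists are assumptions taken from common web-hardening baselines, and both sample responses are constructed here rather than captured from an OpenPages server. Point it at a real response head after applying the fix packs and the IIS remediation to confirm the banners are gone and the defensive headers are present.

```python
"""Response-header audit for the header-related bulletins above
(CVE-2017-1290, missing secure HTTP headers; CVE-2017-1333, server
details disclosed by a default IIS configuration).

Added example, not IBM or AusCERT code. The bulletins do not name the
headers involved; the two lists below are assumptions from common
hardening baselines, and both sample responses are constructed.
"""
from typing import Dict, List

# Assumed: headers that typically reveal product or version details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")

# Assumed baseline of defensive headers expected on an authenticated web UI.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options")


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response into {lower-cased name: [values]}.
    The status line is skipped, parsing stops at the blank line that ends
    the head, and repeated headers keep every value."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing HTTP status line")
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")  # first colon only
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> Dict[str, List[str]]:
    """Return three finding lists: product/version disclosure, missing
    defensive headers, and defensive headers present with a weak value."""
    h = parse_head(raw)
    findings: Dict[str, List[str]] = {"disclosure": [], "missing": [], "weak": []}
    for name in DISCLOSURE_HEADERS:
        for value in h.get(name, []):
            findings["disclosure"].append(f"{name}: {value}")
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings["missing"].append(name)
    for value in h.get("x-frame-options", []):
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            findings["weak"].append(f"x-frame-options: {value}")
    for value in h.get("x-content-type-options", []):
        if value.lower() != "nosniff":
            findings["weak"].append(f"x-content-type-options: {value}")
    return findings


def is_clean(raw: str) -> bool:
    """True when the audit produces no finding of any kind."""
    return not any(audit(raw).values())


# Constructed sample: the kind of head a default IIS front end sends.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: banners removed, defensive headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
```

The audit reports a header that is present but weak separately from one that is absent, because a fix pack that adds X-Frame-Options with an unexpected value is a different follow-up from one that adds nothing. Feed it the raw head from a real response (for example the output of an HTTP client with header capture enabled) rather than a pre-parsed dictionary, so duplicate headers are not silently collapsed.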
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

===========================================================================

Security Bulletin: IBM OpenPages GRC Platform is affected by multiple XSS
reflection vulnerabilities (CVE-2017-1147, CVE-2016-3048)

Security Bulletin

Document information

More support for: OpenPages GRC Platform

Software version: 7.1, 7.2, 7.3

Operating system(s): AIX, Linux, Windows

Reference #: 1997685

Modified date: 27 October 2017

Summary

IBM OpenPages GRC Platform has addressed potential security exposure due to
multiple XSS reflection vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-1147
DESCRIPTION: IBM OpenPages GRC Platform is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122200
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-3048
DESCRIPTION: IBM OpenPages GRC Platform is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114711
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM OpenPages versions 7.1 through 7.3

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the fix as soon as possible. Fixes and installation
instructions are provided at the URLs listed below:

Fix                                               Download URL
For OpenPages GRC Platform 7.3                    http://www.ibm.com/support/docview.wss?uid=swg24043595
- - Apply 7.3 Fix Pack 1 (7.3.0.1) or later
For OpenPages GRC Platform 7.2                    http://www.ibm.com/support/docview.wss?uid=swg24043802
- - Apply 7.2 Fix Pack 5 (7.2.0.5) or later
For OpenPages GRC Platform 7.1                    http://www.ibm.com/support/docview.wss?uid=swg24043897
- - Apply 7.1 Fix Pack 4 (7.1.0.4) or later

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by InteliSecure

Change History

3 October 2017: Original version published

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWfagrYx+lLeg9Ub1AQgyKw//YO1f7t+3+dEoTcMtk1xb4sX9VaZB9We+
xVsJLRfChfNpaw3yf7NFQAaB2ywNGDQO59WlLIsrcVnloGtdOE+xbscdRZf+6G9y
d2WxEB5OCt+YhB+8BT+0KPv7fsPA7cDXDuW5gyDBUry5kvS++ZPUg6FRIaYuyY/K
LsiQDHmo5Rs3c6mA0Y4F2Bf+m/JyMUu/7QdkWlticKxcILdkVGz/RHIX6dSq6qFB
jBHPl8eJRdPN09Pk1twDpFr6XJm2zkgbEktQZE9y8S1irFjrUJMrXMS7ALqEfe9Q
dyBEwCUZ0r9aYh0/NITnF8O3ANHmN2mXsuiceQe1Uv5hrMAONJiX0dWSewmqbbFU
dRhOm6ZeZUD1x+nUXurB3M9r4ohemet3z685mQGOXIeEoQXEmqURFr+CEYoYc1uf
YU0I5jtGg+nP0KiqvHcTFHHJFj191fgKedxQG/8LX+5a5/Q2tCWoCZTQV9DLquM0
mZM60+PpDvsx3YeWcoj96WVM0Q2S9/7anrA7IrjBe7NrspFJuPcc7SfYqSs0bb4d
JJ5/O9S5NSLNs+B1MqZ+PaQsn224ClZGGFVmiGED/VxXtsh0iLMNdeQ2mWStOkrf
XOGVNJBjYHjzYbHsXx0f9i1UOEPTTLqvt6gF3o2T5y0TsvWZpmM8jgyChEU8lQ08
7HOe2aYwn/M=
=nlkn
-----END PGP SIGNATURE-----