-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2892
   Multiple vulnerabilities have been identified in IBM WebSphere Portal
                             26 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges           -- Existing Account            
                   Modify Permissions             -- Existing Account            
                   Cross-site Scripting           -- Existing Account            
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8013 CVE-2018-1820 CVE-2018-1736
                   CVE-2018-1716 CVE-2018-1673 CVE-2018-1672
                   CVE-2018-1660 CVE-2018-1420 CVE-2017-1423

Reference:         ASB-2018.0164
                   ASB-2018.0163
                   ESB-2018.1666
                   ESB-2018.1616
                   ESB-2018.1601
                   ESB-2017.2289

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10732287
   http://www.ibm.com/support/docview.wss?uid=ibm10715923
   http://www.ibm.com/support/docview.wss?uid=ibm10731155
   http://www.ibm.com/support/docview.wss?uid=ibm10729323
   http://www.ibm.com/support/docview.wss?uid=ibm10716981
   http://www.ibm.com/support/docview.wss?uid=swg22011400
   http://www.ibm.com/support/docview.wss?uid=ibm10729683
   http://www.ibm.com/support/docview.wss?uid=swg22014276
   http://www.ibm.com/support/docview.wss?uid=ibm10731435
   http://www.ibm.com/support/docview.wss?uid=swg22015586

Comment: This bulletin contains ten (10) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM WebSphere
Portal (CVE-2018-1820)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0732287

Modified date: 25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1820).

Vulnerability Details

CVEID: CVE-2018-1820
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
150096 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF16|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF16|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |Upgrade to Cumulative Fix 16 (CF16) and then  |
|WebSphere |9.0        |PH02925|apply the Interim Fix PH02925.                |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |Upgrade to Cumulative Fix 16 (CF16) and then  |
|WebSphere |8.5        |PH02925|apply the Interim Fix PH02925.                |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PH02925|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH02925.                                      |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1660)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0715923

Modified date: 25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1660).

Vulnerability Details

CVEID: CVE-2018-1660
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |9.0        |PI98353|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |8.5        |PI98353|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PI98353|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PI98353.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |PI98353|Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PI98353.                                      |
+----------+-----------+-------+----------------------------------------------+

 

Workarounds and Mitigations

None

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Change History

25 September 2018: Original version published


- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1673)

Security Bulletin


Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1673).

Vulnerability Details

CVEID: CVE-2018-1673
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
145108 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+---------+-----------+-------+-----------------------------------------------+
| Product |   VRMF    | APARs |                      Fix                      |
+---------+-----------+-------+-----------------------------------------------+
|         |           |PH00469|                                               |
|IBM      |           |PH00542|                                               |
|WebSphere|9.0        |PH02132|Upgrade to Cumulative Fix 16 (CF16).           |
|Portal   |           |PH02133|                                               |
|         |           |PH02134|                                               |
|         |           |PH02136|                                               |
+---------+-----------+-------+-----------------------------------------------+
|         |           |PH00469|                                               |
|IBM      |           |PH00542|                                               |
|WebSphere|8.5        |PH02132|Upgrade to Cumulative Fix 16 (CF16).           |
|Portal   |           |PH02133|                                               |
|         |           |PH02134|                                               |
|         |           |PH02136|                                               |
+---------+-----------+-------+-----------------------------------------------+
|IBM      |8.0.0.0    |PH00469|Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix|
|WebSphere|through    |PH00542|23 (CF23) and then apply the Interim Fixes     |
|Portal   |8.0.0.1    |       |PH00469, PH00542.                              |
+---------+-----------+-------+-----------------------------------------------+
|IBM      |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix|
|WebSphere|through    |PH00469|30 (CF30) and then apply the Interim Fix       |
|Portal   |7.0.0.2    |       |PH00469.                                       |
+---------+-----------+-------+-----------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Giulio Comi

Change History

25 September 2018: Original version published

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0731155

Modified date: 25 September 2018

- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1716)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0729323

Modified date: 25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1716).

Vulnerability Details

CVEID: CVE-2018-1716
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147164 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |9.0        |PH00535|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |8.5        |PH00535|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PH00535|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH00535.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |PH00535|Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PH00535.                                      |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations

None

Change History

25 September 2018: Original version published

- --------------------------------------------------------------------------------

Security Bulletin: Impersonation Issue Affects IBM WebSphere Portal
(CVE-2018-1672)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0716981

Modified date: 25 September 2018

Summary

Impersonation may lead to incorrect user context in IBM WebSphere Portal
(CVE-2018-1672)

Vulnerability Details

CVEID: CVE-2018-1672
DESCRIPTION: IBM WebSphere Portal may fail to set the correct user context in
certain impersonation scenarios, which can allow a user to act with the
identity of a different user.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144958 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+-----------------------------+-------------------------+
|      Affected Product       |    Affected Versions    |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |9.0.0.0 - 9.0.0.0 CF15   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |8.5.0.0 - 8.5.0.0 CF15   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |8.0.0.0 - 8.0.0.1 CF23   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |7.0.0.0 - 7.0.0.2 CF30   |
+-----------------------------+-------------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |9.0        |PH00088|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |8.5        |PH00088|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PH00088|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH00088.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |PH00088|Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PH00088.                                      |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations

Disable impersonation feature. See https://www.ibm.com/support/knowledgecenter/
SSHRKX_8.5.0/mp/admin-system/impers_enable_disable.html for details.

Change History

25 September 2018: Original version published


- --------------------------------------------------------------------------------

Security Bulletin: Information Disclosure Vulnerability in IBM WebSphere Portal
(CVE-2017-1423)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Reference #: 2011400

Modified date: 25 September 2018

Summary

IBM WebSphere Portal has addressed an information disclosure vulnerability
related to the Web Application Bridge component (CVE-2017-1423).

Vulnerability Details


CVEID: CVE-2017-1423
DESCRIPTION: IBM WebSphere Portal exposes backend server URLs that are
configured for usage by the Web Application Bridge component.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
127476 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+------------------------+-------------------------------+
|    Affected Product    |       Affected Versions       |
+------------------------+-------------------------------+
|IBM WebSphere Portal    |9.0.0.0 - 9.0.0.0 CF15         |
+------------------------+-------------------------------+
|IBM WebSphere Portal    |8.5.0.0 - 8.5.0.0 CF15         |
+------------------------+-------------------------------+

Remediation/Fixes

+-------------+-----------+-------+-------------------------------------------+
|Product      |VRMF       |APARs  |Fix                                        |
+-------------+-----------+-------+-------------------------------------------+
|IBM WebSphere|9.0        |PI83352|Upgrade to Cumulative Fix 15 (CF15) or     |
|Portal       |           |       |higher and apply the listed additional     |
|             |           |       |manual steps *).                           |
+-------------+-----------+-------+-------------------------------------------+
|IBM WebSphere|8.5        |PI83352|Upgrade to Cumulative Fix 15 (CF15) or     |
|Portal       |           |       |higher and apply the listed additional     |
|             |           |       |manual steps *).                           |
+-------------+-----------+-------+-------------------------------------------+

*) Additional manual steps:

 1. Log into the WebSphere Integrated Solutions Console as an admin user.
 2. In the menu on the left, select Resources -> Resource Environment ->
    Resource Environment Providers
 3. In the list of Resource Environment Providers, click on the "WP
    ConfigService" one.
 4. Click on "Custom properties" under the "Additional Properties" heading.
 5. Click on the "New..." button.
 6. In the "Name" field, enter "wab.url.mapping.enabled" (without the quotes).
 7. In the "Value" field, enter "true" (without the quotes).
 8. Click the "OK" button.
 9. Click the "Save directly to the master configuration" link.
10. Restart WebSphere Portal.

 

Workarounds and Mitigations

None

Reference

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Change History

15 December 2017: Original Version Published
25 September 2018: Clarified that manual steps are required in CF15 and higher


- --------------------------------------------------------------------------------

Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal
(CVE-2018-1736)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0729683

Modified date: 25 September 2018

Summary

A fix is available for an Open Redirect Vulnerability in IBM WebSphere Portal
(CVE-2018-1736).

Vulnerability Details

CVEID: CVE-2018-1736
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to conduct
phishing attacks, using an open redirect attack. By persuading a victim to
visit a specially-crafted Web site, a remote attacker could exploit this
vulnerability to spoof the URL displayed to redirect a user to a malicious Web
site that would appear to be trusted. This could allow the attacker to obtain
highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147906 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |9.0        |PH01459|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |8.5        |PH01459|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PH01459|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH01459.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |PH01459|Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PH01459.                                      |
+----------+-----------+-------+----------------------------------------------+

Note: PH01459 introduces a configurable white list of external hosts that are
allowed as redirect targets via the CategoryProfileUpdater Module. Server-relative
redirects continue to work. Redirects to external hosts not listed in the white
list are blocked. You can configure this white list via the WCMConfigService:

+------------------------------------------------------+----------------------+
|                       Property                       |     Description      |
+------------------------------------------------------+----------------------+
|                                                      |The value is a        |
|                                                      |boolean. It is used to|
|                                                      |enable/disable the    |
|                                                      |white list. Possible  |
|                                                      |values are "true" and |
|categoryProfileUpdaterModule.redirectURL.restrictHosts|"false". If set to    |
|                                                      |"false", the behavior |
|                                                      |prior to the fix is   |
|                                                      |restored (not         |
|                                                      |recommended). Default |
|                                                      |is "true" (white list |
|                                                      |enabled).             |
+------------------------------------------------------+----------------------+
|                                                      |White list to allow   |
|                                                      |only certain hosts.   |
|                                                      |The list is a         |
|categoryProfileUpdaterModule.redirectURL.allowedHosts |comma-delimited       |
|                                                      |string. Default is    |
|                                                      |empty (no hosts are   |
|                                                      |allowed).             |
+------------------------------------------------------+----------------------+

Example:
categoryProfileUpdaterModule.redirectURL.restrictHosts=true
categoryProfileUpdaterModule.redirectURL.allowedHosts=www.ibm.com

With these two properties set, the redirect URL may point only to URLs on the
www.ibm.com host (e.g. http://www.ibm.com/ or https://www.ibm.com/us-en/).

If redirects are blocked, a message containing the URL can be found in the log:

"The redirect URL '<REDIRECT_URL>' for the CategoryProfileUpdater Module is
unauthorized and has been blocked. To configure a whitelist of permitted hosts
for the redirect URL use WCMConfigService property
categoryProfileUpdaterModule.redirectURL.allowedHosts, or temporarily disable
(not recommended) using categoryProfileUpdaterModule.redirectURL.restrictHosts=
false. See PH01459 / CVE-2018-1736."

Based on this message you need to decide whether to extend the white list for a
valid scenario or leave the redirect blocked.
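To make the semantics of the two properties concrete, the following is an added
illustration in Python; it is not IBM's code and not how WebSphere Portal
implements PH01459. It reads the two WCMConfigService properties from a
constructed key=value snippet in the format of the example above, accepts
server-relative targets, allows absolute URLs only when their host is exactly
listed in the allow list, restores the permissive pre-fix behaviour when
restrictHosts is "false", and returns the log message quoted above when a
redirect is blocked. The property names and the log text come from the
bulletin; the function names, the parser and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# WCMConfigService property names as given in the bulletin (PH01459).
RESTRICT_KEY = "categoryProfileUpdaterModule.redirectURL.restrictHosts"
ALLOWED_KEY = "categoryProfileUpdaterModule.redirectURL.allowedHosts"

# Constructed sample of the two properties, mirroring the bulletin's example.
SAMPLE_PROPERTIES = """
# constructed sample, not a real WCMConfigService file
categoryProfileUpdaterModule.redirectURL.restrictHosts=true
categoryProfileUpdaterModule.redirectURL.allowedHosts=www.ibm.com
"""

# Log text quoted in the bulletin; <REDIRECT_URL> is filled in per decision.
BLOCKED_MESSAGE = (
    "The redirect URL '{url}' for the CategoryProfileUpdater Module is "
    "unauthorized and has been blocked. To configure a whitelist of permitted "
    "hosts for the redirect URL use WCMConfigService property "
    "categoryProfileUpdaterModule.redirectURL.allowedHosts, or temporarily "
    "disable (not recommended) using "
    "categoryProfileUpdaterModule.redirectURL.restrictHosts=false. "
    "See PH01459 / CVE-2018-1736."
)


def parse_properties(text):
    """Minimal key=value parser (hypothetical helper); blanks and # lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_allowed_hosts(value):
    """Comma-delimited host list -> set of lower-cased names; empty = no external host."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def is_redirect_allowed(redirect_url, restrict_hosts=True, allowed_hosts=frozenset()):
    """Allow-list decision with the semantics the bulletin describes.

    - restrict_hosts False: pre-fix behaviour, every target accepted.
    - server-relative target (absolute path on this host): accepted.
    - absolute URL: accepted only if its host is exactly in allowed_hosts.
    """
    if not restrict_hosts:
        return True
    parts = urlsplit(redirect_url)
    if not parts.scheme and not parts.netloc:
        # Path-only target. "//host" is protocol-relative (has a netloc) and never
        # reaches this branch; "///host" and backslash forms are rejected because
        # browsers may reinterpret them as a host. Bare "foo/bar" is not
        # server-relative and is rejected by the leading-slash check.
        return (redirect_url.startswith("/")
                and not redirect_url.startswith("//")
                and "\\" not in redirect_url)
    host = parts.hostname  # None for e.g. "javascript:..." or malformed input
    return host is not None and host.lower() in allowed_hosts


def check_redirect(redirect_url, props):
    """Apply the configured policy; return (allowed, log_message_or_None)."""
    restrict = props.get(RESTRICT_KEY, "true").strip().lower() == "true"
    allowed = parse_allowed_hosts(props.get(ALLOWED_KEY, ""))
    if is_redirect_allowed(redirect_url, restrict, allowed):
        return True, None
    return False, BLOCKED_MESSAGE.format(url=redirect_url)


if __name__ == "__main__":
    policy = parse_properties(SAMPLE_PROPERTIES)
    for url in ("https://www.ibm.com/us-en/", "/wps/portal",
                "https://www.ibm.com.example.test/", "//example.test/x"):
        ok, msg = check_redirect(url, policy)
        print("ALLOW" if ok else "BLOCK", url, "" if ok else msg)
```

Host matching is exact, so look-alike hosts such as www.ibm.com.example.test or
a userinfo trick like https://www.ibm.com@example.test/ resolve to a different
host name and are blocked; with the default empty allowedHosts every external
host is blocked, which is the safe default the bulletin describes.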

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- --------------------------------------------------------------------------------

Security Bulletin: Security Misconfiguration during Combined Cumulative Fix
Installation Affects IBM WebSphere Portal (CVE-2018-1420)

Security Bulletin

Document information

More support for: WebSphere Portal

Component: --

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 2014276

Modified date: 25 September 2018

Summary

IBM WebSphere Portal resets access control settings to the out of the box
configuration during Combined Cumulative Fix (CF) installation. This can lead
to security misconfiguration of the installation (CVE-2018-1420).

Vulnerability Details

CVEID: CVE-2018-1420
DESCRIPTION: IBM WebSphere Portal resets access control settings to the out of
the box configuration during Combined Cumulative Fix (CF) installation. This
can lead to security misconfiguration of the installation.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/138950 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+-----------------------------+-------------------------+
|      Affected Product       |    Affected Versions    |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |9.0.0.0 - 9.0.0.0 CF15   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |8.5.0.0 - 8.5.0.0 CF15   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |8.0.0.0 - 8.0.0.1 CF22   |
+-----------------------------+-------------------------+
|IBM WebSphere Portal         |7.0.0.0 - 7.0.0.2 CF30   |
+-----------------------------+-------------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+---------+-------+----------------+------------------------------------------+
| Product | VRMF  |     APARs      |                   Fix                    |
+---------+-------+----------------+------------------------------------------+
|         |       |PI91232,        |Upgrade only to Cumulative Fix 16 (CF16)  |
|         |       |PI94709,        |or newer Cumulative Fixes. If Cumulative  |
|IBM      |       |PI94883,        |Fix 15 (CF15) or any older Cumulative Fix |
|WebSphere|9.0    |PI95100,        |has been applied, you might need to       |
|Portal   |       |PI95153,        |correct access control settings of out of |
|         |       |PI95154,        |the box resources manually. See           |
|         |       |PI95155, PI95156|"Workarounds and Mitigations" section for |
|         |       |                |details.                                  |
+---------+-------+----------------+------------------------------------------+
|         |       |                |Upgrade only to Cumulative Fix 16 (CF16)  |
|         |       |PI91232,        |or newer Cumulative Fixes. If Cumulative  |
|         |       |PI94709,        |Fix 15 (CF15) or any older Cumulative Fix |
|IBM      |       |PI94883,        |has been applied, you might need to       |
|WebSphere|8.5    |PI95100,        |correct access control settings of out of |
|Portal   |       |PI95153,        |the box resources manually. See           |
|         |       |PI95154,        |"Workarounds and Mitigations" section for |
|         |       |PI95155, PI95156|details.                                  |
|         |       |                |                                          |
+---------+-------+----------------+------------------------------------------+
|         |       |PI91232,        |Upgrade to Fix Pack 8.0.0.1 and apply only|
|         |       |PI94709,        |Cumulative Fix 23 (CF23) or newer. If     |
|IBM      |8.0.0.0|PI94883,        |Cumulative Fix 22 (CF22) or any older     |
|WebSphere|through|PI95100,        |Cumulative Fix has been applied, you might|
|Portal   |8.0.0.1|PI95153,        |need to correct access control settings of|
|         |       |PI95154,        |out of the box resources manually. See    |
|         |       |PI95155, PI95156|"Workarounds and Mitigations" section for |
|         |       |                |details.                                  |
+---------+-------+----------------+------------------------------------------+
|         |       |                |No further Cumulative Fixes will be       |
|         |       |                |issued. If Cumulative Fix 30 (CF30) or    |
|IBM      |7.0.0.0|                |any older Cumulative Fix has been applied,|
|WebSphere|through|                |you might need to correct access control  |
|Portal   |7.0.0.2|                |settings of out of the box resources      |
|         |       |                |manually. See "Workarounds and            |
|         |       |                |Mitigations" section for details.         |
+---------+-------+----------------+------------------------------------------+

Workarounds and Mitigations

Prior to the fixed Cumulative Fix versions listed under "Remediation/Fixes", the
installation of a Combined Cumulative Fix (CF) resets the access control
settings of the IBM WebSphere Portal out of the box resources to their out of
the box values. If the access control settings of these resources had been
customized before, you need to set them again to their customized values after
the Cumulative Fix installation.

See the IBM Knowledge Center for how to manage access control and for an
overview of the initial access control settings.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Security Vulnerability in Apache Batik Affects IBM WebSphere
Portal (CVE-2018-8013)

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): Platform Independent

Reference #: 0731435

Modified date: 25 September 2018

Summary

A fix is available for a vulnerability in Apache Batik that affects IBM
WebSphere Portal (CVE-2018-8013).

Vulnerability Details

CVEID: CVE-2018-8013
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive
information, caused by an error when deserializing subclass of
`AbstractDocument`. An attacker could exploit this vulnerability to reveal
files and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------------------+
|  Affected Product  |  Affected Versions   |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported version
of the product.

Remediation/Fixes

+----------+-----------+-------+----------------------------------------------+
| Product  |   VRMF    | APARs |                     Fix                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |9.0        |PH02735|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |           |       |                                              |
|WebSphere |8.5        |PH02735|Upgrade to Cumulative Fix 16 (CF16).          |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |       |Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |PH02735|Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH02735.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |       |Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |PH02735|Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PH02735.                                      |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- --------------------------------------------------------------------------------

Security Bulletin: Vulnerability in CKEditor Might Affect IBM WebSphere Portal

Security Bulletin

Document information

More support for: WebSphere Portal

Software version: 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 2015586

Modified date: 25 September 2018

Summary

A vulnerability in CKEditor might affect IBM WebSphere Portal.

Vulnerability Details

CVEID: Not available
DESCRIPTION: CKEditor could allow a remote attacker with access to a spoofed
version of ckeditor.com to gain unauthorized access to a victim's system. An
attacker could exploit this vulnerability using a DNS spoofing attack to modify
the current URL of an SSL protected opening page.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/141623 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------------------------+--------------------------------+
|           Affected Product           |       Affected Versions        |
+--------------------------------------+--------------------------------+
|IBM WebSphere Portal                  |9.0.0.0 - 9.0.0.0 CF15          |
+--------------------------------------+--------------------------------+
|IBM WebSphere Portal                  |8.5.0.0 - 8.5.0.0 CF15          |
+--------------------------------------+--------------------------------+
|IBM WebSphere Portal                  |8.0.0.0 - 8.0.0.1 CF22          |
+--------------------------------------+--------------------------------+

Remediation/Fixes

+------------+---------+-------+----------------------------------------------+
|Product     |VRMF     |APARs  |Fix                                           |
+------------+---------+-------+----------------------------------------------+
|IBM         |9.0      |PI95413|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere   |         |       |(Combined Cumulative Fixes for WebSphere      |
|Portal      |         |       |Portal 9.0)                                   |
+------------+---------+-------+----------------------------------------------+
|IBM         |8.5      |PI95413|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere   |         |       |(Combined Cumulative Fixes for WebSphere      |
|Portal      |         |       |Portal 8.5.0.0)                               |
+------------+---------+-------+----------------------------------------------+
|IBM         |8.0.0    |PI95413|Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere   |through  |       |Fix 23 (CF23).                                |
|Portal      |8.0.0.1  |       |(Combined Cumulative Fixes for WebSphere      |
|            |         |       |Portal 8.0.0.1)                               |
+------------+---------+-------+----------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----