-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2931
     Multiple vulnerabilities have been identified in IBM Security Guardium
                             28 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Guardium
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12539 CVE-2018-11776 CVE-2018-2973 CVE-2018-2964
                   CVE-2018-2952 CVE-2018-2940 CVE-2018-1656 CVE-2018-1517
                   CVE-2018-1501 CVE-2018-1498 CVE-2017-8039 CVE-2017-4971
                   CVE-2017-3736 CVE-2017-3732 CVE-2017-1272 CVE-2016-9878
                   CVE-2016-0705 CVE-2015-8100 CVE-2015-5621 CVE-2014-3565
Reference:         ASB-2018.0201 ASB-2018.0197 ASB-2018.0174 ASB-2018.0170
                   ESB-2015.2559 ESB-2015.2517 ESB-2015.2141 ESB-2015.1930

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10732785
   http://www.ibm.com/support/docview.wss?uid=ibm10730323
   http://www.ibm.com/support/docview.wss?uid=ibm10730317
   http://www.ibm.com/support/docview.wss?uid=ibm10732783
   http://www.ibm.com/support/docview.wss?uid=ibm10731655
   http://www.ibm.com/support/docview.wss?uid=ibm10730329
   http://www.ibm.com/support/docview.wss?uid=ibm10730313

Comment: This bulletin contains seven (7) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
Security Guardium

Document information
More support for: IBM Security Guardium
Software version: 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, 10.5
Operating system(s): Linux
Reference #: 0732785
Modified date: 27 September 2018

Summary

There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Version 6 used by IBM Security Guardium. These issues were disclosed as part
of the IBM Java SDK updates in July 2018.

Vulnerability Details

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagating bug in the x86_64 Montgomery
squaring procedure. An attacker could exploit this vulnerability to obtain
information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit
this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1517
DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology
Edition may allow an attacker to inflict a denial-of-service attack with
specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment's Diagnostic Tooling Framework
for Java (DTFJ) does not protect against path traversal attacks when
extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2964
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Java SE Deployment component could allow an unauthenticated attacker to take
control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146827 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2973
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Java SE, Java SE Embedded JSSE component could allow an unauthenticated
attacker to cause no confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2952
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Java SE, Java SE Embedded, JRockit Concurrency component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146815 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2940
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Java SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to obtain sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by the failure to restrict the use of Java
Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and
use Attach API operations to only the process owner. An attacker could exploit
this vulnerability to execute untrusted native code and gain elevated
privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Security Guardium V10.0 - 10.5

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
|Product              |VRMF           |Remediation/First Fix                             |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.0 - 10.5    |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Change History

Sep 26, 2018: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
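Added here as an editor's example, not part of the IBM or AusCERT bulletin: a CVSS v3.0 calculator that recomputes the base scores quoted in this bulletin from their vectors, audits a constructed excerpt of the bulletin text for score/vector mismatches, and applies the CR/IR/AR security requirements that the footnote above says customers should evaluate for their own environment. Weights and formulas follow the CVSS v3.0 specification; the X-Force links in the sample text are replaced by placeholder wording.

```python
"""CVSS v3.0 scoring check for the vectors quoted in the bulletin above.

Editor's example, not IBM or AusCERT code. Weights and formulas are taken
from the CVSS v3.0 specification; the bulletin text used as input below is a
constructed excerpt of entries listed on this page.
"""
import math
import re

# Metric weights, CVSS v3.0 specification (section 8.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Security requirements (CR/IR/AR) used by the environmental score.
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}

VECTOR = re.compile(
    r"CVSS:3\.0/AV:([NALP])/AC:([LH])/PR:([NLH])/UI:([NR])/S:([UC])"
    r"/C:([HLN])/I:([HLN])/A:([HLN])")
ENTRY = re.compile(
    r"CVEID:\s*(CVE-\d{4}-\d+).*?CVSS Base Score:\s*([\d.]+)(.*?)(?=CVEID:|$)",
    re.S)


def roundup(x):
    """CVSS 'round up to one decimal place'. Done on integers so that a float
    artefact such as 4.000000001 is not rounded up to 4.1 (the method the
    v3.1 specification later made normative)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Return the eight base metrics of a v3.0 vector string as a dict."""
    m = VECTOR.search(vector)
    if m is None:
        raise ValueError("not a CVSS:3.0 base vector: %r" % vector)
    return dict(zip(("AV", "AC", "PR", "UI", "S", "C", "I", "A"), m.groups()))


def score(vector, cr="X", ir="X", ar="X"):
    """Base score of a v3.0 vector. Pass cr/ir/ar (H, M or L) to obtain the
    environmental score with only the security requirements set; temporal
    metrics and modified base metrics stay Not Defined (weight 1.0)."""
    v = parse_vector(vector)
    s = v["S"]
    # Impact sub-score; the 0.915 cap from the environmental formula never
    # triggers for plain base metrics (max 1 - 0.44**3), so it is applied
    # uniformly.
    iss = min(1 - (1 - REQ[cr] * CIA[v["C"]])
                * (1 - REQ[ir] * CIA[v["I"]])
                * (1 - REQ[ar] * CIA[v["A"]]), 0.915)
    if s == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * AV[v["AV"]] * AC[v["AC"]]
                      * PR[s][v["PR"]] * UI[v["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if s == "C" else total, 10.0))


def audit_bulletin(text):
    """Recompute every base score in IBM-style bulletin text. Returns
    (cve, stated, computed) triples; computed is None when the entry carries
    no v3.0 vector, as with CVE-2014-3565 on this page."""
    results = []
    for cve, stated, rest in ENTRY.findall(text):
        m = VECTOR.search(rest)
        computed = score(m.group(0)) if m else None
        results.append((cve, float(stated), computed))
    return results


# Constructed excerpt of three entries from the bulletins on this page.
SAMPLE = """CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java Runtime Environment's
Diagnostic Tooling Framework for Java (DTFJ) does not protect against path
traversal attacks when extracting compressed dump files. CVSS Base Score: 7.4
CVSS Temporal Score: See X-Force for the current score CVSS Environmental
Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2018-12539 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker
to gain elevated privileges on the system. CVSS Base Score: 8.4 CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2014-3565 DESCRIPTION: Net-SNMP is vulnerable to a denial of
service. CVSS Base Score: 5 CVSS Temporal Score: See X-Force for the current
score"""

if __name__ == "__main__":
    for cve, stated, computed in audit_bulletin(SAMPLE):
        if computed is None:
            flag = "no v3.0 vector"
        else:
            flag = "ok" if computed == stated else "MISMATCH"
        print("%-15s stated %.1f computed %s  %s" % (cve, stated, computed, flag))
    # The footnote's environmental adjustment in practice: the clear-text
    # credential flaw (CVE-2018-1498, base 6.2) scored with a High
    # confidentiality requirement.
    print("CVE-2018-1498 with CR:H ->",
          score("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cr="H"))
```

Running the audit over the full bulletin text is a quick way to catch a vector that was pasted with the wrong score before it is copied into a ticketing or risk system.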
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Missing Security
Control vulnerability

Document information
More support for: IBM Security Guardium
Software version: 10.5
Operating system(s): Linux
Reference #: 0730323
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-1501
DESCRIPTION: IBM Security Guardium EcoSystem could allow an unauthorized user
to obtain sensitive information due to missing security controls.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141226 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.5             |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.5           |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

Sep 27, 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Password in Clear
Text vulnerability

Document information
More support for: IBM Security Guardium
Software version: 10.5
Operating system(s): Linux
Reference #: 0730317
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-1498
DESCRIPTION: IBM Security Guardium EcoSystem stores user credentials in clear
text which can be read by a local user.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141223 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.5             |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.5           |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

Sep 27, 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed
Apache Struts vulnerability

Document information
More support for: IBM Security Guardium
Software version: 10.1.4, 10.5
Operating system(s): Linux
Reference #: 0732783
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-11776
DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary
code on the system, caused by an error when using results with no namespace
and its upper action configurations have no wildcard namespace. An attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148694 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.1.4-10.5      |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.1.4         |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=                                          |
|                     |               |SqlGuard_10.0p413_Apache-Struts-Vulnerability-Fix&|
|                     |               |source=SAR&function=fixId&parent=IBM%20Security   |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.5           |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Change History

Sep 26, 2018: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Query Parameter in
SSL Request vulnerability

Document information
More support for: IBM Security Guardium
Software version: 10.0 - 10.5
Operating system(s): Linux
Reference #: 0731655
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2017-1272
DESCRIPTION: IBM Security Guardium stores sensitive information in URL
parameters. This may lead to information disclosure if unauthorized parties
have access to the URLs via server logs, referrer header or browser history.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124747 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.0 - 10.5      |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.0 - 10.5    |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

Sept 27, 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Using Components
with Known Vulnerabilities vulnerabilities

Document information
More support for: IBM Security Guardium
Software version: 10.5
Operating system(s): Linux
Reference #: 0730329
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-8100
DESCRIPTION: OpenBSD could allow a local attacker to obtain sensitive
information, caused by the use of 0644 permissions for snmpd.conf by the
net-snmp package. By reading the file, an attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107941 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-5621
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by
incompletely parsed varBind variables being left in the list of variables by
the snmp_pdu_parse() function. A remote attacker could exploit this
vulnerability to cause the application to crash or possibly execute arbitrary
code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2014-3565
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by the
improper handling of SNMP traps when started with the "-OQ" option. By sending
an SNMP trap message containing a variable with a NULL type, a remote attacker
could exploit this vulnerability to cause snmptrapd to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95638 for the current score

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.5             |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.5           |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

Sept 27, 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Using Components
with Known Vulnerabilities vulnerability

Document information
More support for: IBM Security Guardium
Software version: 10.5
Operating system(s): Linux
Reference #: 0730313
Modified date: 27 September 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-8039
DESCRIPTION: Pivotal Spring Web Flow could provide weaker than expected
security, caused by an error related to applications that do not change the
value of the MvcViewFactoryCreator useSpringBinding property. An attacker
could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135398 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-4971
DESCRIPTION: Pivotal Spring Web Flow could provide weaker than expected
security, caused by an error related to applications that do not change the
value of the MvcViewFactoryCreator useSpringBinding property. An attacker
could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127748 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-9878
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to
traverse directories on the system, caused by the failure to sanitize paths
provided to ResourceServlet. An attacker could send a specially-crafted URL
request containing directory traversal sequences to view arbitrary files on
the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------+-----------------+
| Affected IBM Security Guardium             |Affected Versions|
+--------------------------------------------+-----------------+
|IBM Security Guardium                       |10.5             |
+--------------------------------------------+-----------------+

Remediation/Fixes

+---------------------+---------------+--------------------------------------------------+
| Product             | VRMF          | Remediation / First Fix                          |
+---------------------+---------------+--------------------------------------------------+
|                     |               |https://www-945.ibm.com/support/fixcentral/swg/   |
|                     |               |selectFixes?product=                              |
|IBM Security Guardium|10.5           |ibm%2FInformation+Management%2FInfoSphere+Guardium|
|                     |               |&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR& |
|                     |               |function=fixId&parent=IBM%20Security              |
+---------------------+---------------+--------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

Sep 27, 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================