===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3872
              IBM Business Monitor receives security updates
                             14 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Monitor
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Mac OS
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1926 CVE-2018-1904 CVE-2018-1901
                   CVE-2018-1840

Reference:         ESB-2018.3853
                   ESB-2018.3851
                   ESB-2018.3835
                   ESB-2018.3723

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10787987
   http://www.ibm.com/support/docview.wss?uid=ibm10787979
   http://www.ibm.com/support/docview.wss?uid=ibm10787991
   http://www.ibm.com/support/docview.wss?uid=ibm10787997

Comment: This bulletin contains four (4) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Monitor
(CVE-2018-1840)

Product Alias/Synonym

Monitor, WAS

Document information

Software version: IBM Business Monitor V8.5.5, V8.5.6, V8.5.7
Operating system(s): AIX, Linux, Mac OS, Solaris, Windows
Reference #: 0787987
Modified date: 13 December 2018

Summary

IBM WebSphere Application Server is shipped as a component of Business
Monitor. Information about a security vulnerability affecting WebSphere
Application Server has been published in a security bulletin.

Vulnerability Details

For vulnerability details and information about fixes, see the Potential
Privilege escalation vulnerability in WebSphere Application Server
(CVE-2018-1840) Security Bulletin.

Affected Products and Versions

+-----------------------------------------------------------------+
|Principal product and version|   Affected product and version    |
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.7      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.6      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.5      |WebSphere Application Server V8.5.5|
+-----------------------------------------------------------------+

Change History

12 December 2018: original document published

--------------------------------------------------------------------------------

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Monitor
(CVE-2018-1901)

Product Alias/Synonym

Monitor, WAS

Document information

More support for: IBM Business Monitor
Software version: V8.5.5, V8.5.6, V8.5.7
Operating system(s): AIX, Linux, Mac OS, Solaris, Windows
Reference #: 0787979
Modified date: 13 December 2018

Summary

IBM WebSphere Application Server is shipped as a component of Business
Monitor. Information about a security vulnerability affecting WebSphere
Application Server has been published in a security bulletin.

Vulnerability Details

For vulnerability details and information about fixes, see Potential
Privilege Escalation Vulnerability in WebSphere Application Server
(CVE-2018-1901) Security Bulletin.

Affected Products and Versions

+-----------------------------------------------------------------+
|Principal product and version|   Affected product and version    |
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.7      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.6      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.5      |WebSphere Application Server V8.5.5|
+-----------------------------------------------------------------+

Change History

12 December 2018: original document published

--------------------------------------------------------------------------------

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Monitor
(CVE-2018-1904)

Document information

Component: --
Software version: 8.5.5, 8.5.6, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Software edition: Not Applicable
Reference #: 0787991
Modified date: 13 December 2018

Summary

IBM WebSphere Application Server is shipped as a component of Business
Monitor. Information about a security vulnerability affecting WebSphere
Application Server has been published in a security bulletin.

Vulnerability Details

For vulnerability details and information about fixes, please consult
Potential Remote code execution vulnerability in WebSphere Application
Server (CVE-2018-1904).

Affected Products and Versions

+-----------------------------------------------------------------------------+
|Principal Product and Versions    |Affected Supporting Product and Versions  |
|----------------------------------+------------------------------------------|
|IBM Business Monitor V8.5.7       |WebSphere Application Server V8.5.5       |
|----------------------------------+------------------------------------------|
|IBM Business Monitor V8.5.6       |WebSphere Application Server V8.5.5       |
|----------------------------------+------------------------------------------|
|IBM Business Monitor V8.5.5       |WebSphere Application Server V8.5.5       |
+-----------------------------------------------------------------------------+

Change History

12 December 2018: original document published

--------------------------------------------------------------------------------

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Monitor
(CVE-2018-1926)

Product Alias/Synonym

Monitor, WAS

Security Bulletin

Document information

Software version: IBM Business Monitor V8.5.5, V8.5.6, V8.5.7
Operating system(s): AIX, Linux, Mac OS, Solaris, Windows
Reference #: 0787997
Modified date: 13 December 2018

Summary

IBM WebSphere Application Server is shipped as a component of Business
Monitor. Information about a security vulnerability affecting WebSphere
Application Server has been published in a security bulletin.

Vulnerability Details

For vulnerability details and information about fixes, see the Potential
cross-site request forgery in WebSphere Application Server Admin Console
(CVE-2018-1926) Security Bulletin.

Affected Products and Versions

+-----------------------------------------------------------------+
|Principal product and version|   Affected product and version    |
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.7      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.6      |WebSphere Application Server V8.5.5|
|-----------------------------+-----------------------------------|
|Business Monitor V8.5.5      |WebSphere Application Server V8.5.5|
+-----------------------------------------------------------------+

Change History

12 December 2018: original document published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================