===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3876
         IBM Security Guardium addresses security vulnerabilities
                              14 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Guardium products
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Modify Permissions              -- Remote/Unauthenticated
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Read-only Data Access           -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8012 CVE-2018-3646 CVE-2018-3620 CVE-2018-1891
                   CVE-2018-1889 CVE-2018-1509 CVE-2017-15804 CVE-2017-15713
                   CVE-2017-15671 CVE-2017-15670 CVE-2017-3162 CVE-2017-3161
                   CVE-2017-1597 CVE-2017-1272 CVE-2017-1265 CVE-2016-6811
                   CVE-2016-5001 CVE-2016-1182 CVE-2016-1181 CVE-2015-5237
                   CVE-2015-0899 CVE-2014-3627 CVE-2014-0229 CVE-2011-5320

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10787857
   http://www.ibm.com/support/docview.wss?uid=swg22014231
   http://www.ibm.com/support/docview.wss?uid=ibm10788333
   http://www.ibm.com/support/docview.wss?uid=ibm10742865
   http://www.ibm.com/support/docview.wss?uid=ibm10743371
   http://www.ibm.com/support/docview.wss?uid=ibm10744513
   http://www.ibm.com/support/docview.wss?uid=swg22014229
   http://www.ibm.com/support/docview.wss?uid=ibm10731655
   http://www.ibm.com/support/docview.wss?uid=ibm10742863
   http://www.ibm.com/support/docview.wss?uid=ibm10731647
   http://www.ibm.com/support/docview.wss?uid=ibm10730319
   http://www.ibm.com/support/docview.wss?uid=ibm10741659

Comment: This bulletin contains twelve (12) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Security Guardium is affected by an Open Source Apache
Struts vulnerability

Document information
Component:           --
Software version:    10.5
Operating system(s): Linux
Reference #:         0787857
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2015-0899
DESCRIPTION: Apache Struts could allow a remote attacker to bypass security
restrictions, caused by an error in the MultiPageValidator implementation. An
attacker could exploit this vulnerability using a modified page parameter to
bypass restrictions and launch further attacks on the system. This
vulnerability also affects other products.
CVSS Base Score: 4.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 11, 2018: Original version published

-------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium Database Activity Monitor is affected
by a Weak Password Policy vulnerability

Document information
Component:           --
Software version:    10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, 10.5
Operating system(s): Linux
Reference #:         2014231
Modified date:       13 December 2018

Summary

IBM Security Guardium Database Activity Monitor has addressed the following
vulnerability.

Vulnerability Details

CVEID: CVE-2017-1597
DESCRIPTION: IBM Security Guardium Database Activity Monitor does not require
that users should have strong passwords by default, which makes it easier for
attackers to compromise user accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132610 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions
IBM Security Guardium Database Activity Monitor V10.0 - 10.5

Remediation/Fixes
Product:                 IBM Security Guardium Database Activity Monitor
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Change History
Dec 13, 2018: Original Version Published

--------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by Open Source GNU glibc
vulnerabilities

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0788333
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-15804
DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer
overflow, caused by improper bounds checking by the glob function in glob.c.
By using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15671
DESCRIPTION: GNU C Library is vulnerable to a denial of service, caused by a
memory leak in the glob function in glob.c. A remote attacker could exploit
this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133909 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15670
DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the glob function in glob.c. By sending
a specially-crafted string, a remote attacker could overflow a buffer and
execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2011-5320
DESCRIPTION: GNU glibc is vulnerable to a denial of service, caused by a flaw
in the scanf and related functions. By using a large string of 0s, a local
attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133667 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Change History
Dec 13, 2018: Original version published

-------------------------------------------------------------------------------
Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting
vulnerability

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0742865
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1891
DESCRIPTION: IBM Security Guardium is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
thus altering the intended functionality and potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152082 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
Bank New York Mellon (BNYM)

Change History
Dec 13, 2018: Original version published
--------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting
vulnerability in user login

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0743371
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1889
DESCRIPTION: IBM Security Guardium is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
thus altering the intended functionality and potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152080 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None
Acknowledgement
Riyhad Bank

Change History
Dec 13, 2018: Original version published

--------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Foreshadow Spectre
Variant vulnerability

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0744513
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-3646
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker with guest OS privilege
could exploit this vulnerability to leak information residing in the L1 data
cache and read data belonging to different security contexts.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-3620
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Change History
Dec 13, 2018: Original version published

--------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by an Improper Certificate
Validation vulnerability

Document information
Component:           --
Software version:    10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, 10.5
Operating system(s): Linux
Reference #:         2014229
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2017-1265
DESCRIPTION: IBM Security Guardium does not validate, or incorrectly
validates, a certificate. This weakness might allow an attacker to spoof a
trusted entity by using man-in-the-middle (MITM) techniques.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions
IBM Security Guardium V10.0 - 10.5

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 13, 2018: Original Version Published

--------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Query Parameter in
SSL Request vulnerability

Document information
Component:           --
Software version:    10.0 - 10.5
Operating system(s): Linux
Reference #:         0731655
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2017-1272
DESCRIPTION: IBM Security Guardium stores sensitive information in URL
parameters. This may lead to information disclosure if unauthorized parties
have access to the URLs via server logs, the referrer header or browser
history.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124747 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 11, 2018: Original version published

-------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a Using Components with
Known Vulnerabilities vulnerability

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0742863
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerabilities.
Vulnerability Details

CVEID: CVE-2015-5237
DESCRIPTION: Google Protocol Buffers could allow a remote attacker to execute
arbitrary code on the system, caused by an integer overflow in
MessageLite::SerializeToString. A remote attacker could exploit this
vulnerability to execute arbitrary code on the vulnerable system or cause a
denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-3162
DESCRIPTION: Apache Hadoop could allow a remote attacker to bypass security
restrictions, caused by the interaction between HDFS clients and a servlet on
the DataNode to browse the HDFS namespace. An attacker could exploit this
vulnerability to bypass security restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125388 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3161
DESCRIPTION: Apache Hadoop is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the HDFS web UI. A remote
attacker could exploit this vulnerability using the unescaped query parameter
in a specially-crafted URL to execute script in a victim's Web browser within
the security context of the hosting Web site, once the URL is clicked. An
attacker could use this vulnerability to steal the victim's cookie-based
authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125387 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-15713
DESCRIPTION: Apache Hadoop could allow a remote authenticated attacker to
obtain sensitive information. By using a specially-crafted file, a remote
attacker could exploit this vulnerability to expose private files.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-6811
DESCRIPTION: Apache Hadoop could allow a local attacker to gain elevated
privileges on the system. By escalating to the yarn user, an attacker could
exploit this vulnerability to execute arbitrary commands on the system with
root privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142610 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-5001
DESCRIPTION: Apache Hadoop could allow a local authenticated attacker to
obtain sensitive information, caused by a flaw in the short-circuit reads
feature. By using a specially-crafted block token, a local attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131248 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2014-3627
DESCRIPTION: Apache Hadoop could allow a remote attacker to obtain sensitive
information, caused by an error when running the YARN NodeManager process. An
attacker could exploit this vulnerability using a symlink attack to obtain
sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99127 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-0229
DESCRIPTION: Cloudera CDH is vulnerable to a denial of service, caused by the
failure to check authorization for multiple commands in the built-in Apache
Hadoop. By issuing a command, a remote authenticated attacker could exploit
this vulnerability to cause the DataNodes to shut down or perform unnecessary
operations.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132524 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 11, 2018: Original version published

-------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by a publicly disclosed
vulnerability in Apache ZooKeeper

Document information
Component:           --
Software version:    10.5
Operating system(s): Linux
Reference #:         0731647
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-8012
DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass security
restrictions, caused by the failure to enforce authentication or
authorization when a server attempts to join a quorum. An attacker could
exploit this vulnerability to join the cluster and begin propagating
counterfeit changes to the leader.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143565 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.0 - 10.5       |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.0 - 10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 13, 2018: Original version published

-------------------------------------------------------------------------------

Security Bulletin: IBM Security Guardium is affected by an Improper Certificate
Validation vulnerability

Document information
Component:           --
Software version:    10.5
Operating system(s): Linux
Reference #:         0730319
Modified date:       13 December 2018

Summary

IBM Security Guardium has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2018-1509
DESCRIPTION: IBM Security Guardium EcoSystem does not validate, or incorrectly
validates, a certificate. This weakness might allow an attacker to spoof a
trusted entity by using a man-in-the-middle (MITM) attack. The software might
connect to a malicious host while believing it is a trusted host, or the
software might be deceived into accepting spoofed data that appears to
originate from a trusted host.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141417 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions
+---------------------------------+-------------------+
| Affected IBM Security Guardium  | Affected Versions |
|---------------------------------+-------------------|
| IBM Security Guardium           | 10.5              |
+---------------------------------+-------------------+

Remediation/Fixes
Product:                 IBM Security Guardium
VRMF:                    10.5
Remediation / First Fix: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&includeSupersedes=0&source=fc

Workarounds and Mitigations
None

Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History
Dec 13, 2018: Original version published

-------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Guardium
(CVE-2016-1181, CVE-2016-1182)

Document information
Component:           --
Software version:    10-10.5
Operating system(s): Linux
Reference #:         0741659
Modified date:       13 December 2018

Summary

Struts v2 vulnerabilities affect IBM Security Guardium. IBM Security Guardium
has addressed the following vulnerabilities.
Vulnerability Details CVEID: CVE-2016-1181 DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 8.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 113852 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2016-1182 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. CVSS Base Score: 4.8 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 113853 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) Affected Products and Versions +-------------------------------------------------------------------------------------+ | Affected IBM Security Guardium | Affected Versions | |-------------------------------------------------------------+-----------------------| |IBM Security Guardium |10.0 - 10.5 | +-------------------------------------------------------------------------------------+ Remediation/Fixes +---------------------------------------------------------------------+ | Product | VRMF | Remediation / First Fix | |------------------+-------------+------------------------------------| | | |http://www.ibm.com/support/ | | | |fixcentral/swg/quickorder?parent= | | | |IBM%20Security&product=ibm/ | |IBM Security |10.0 - 10.5 |Information+Management/ | |Guardium | |InfoSphere+Guardium&release=10.0& | | | |platform=All&function=fixId&fixids= | | | |SqlGuard_10.0p600_GPU_Nov-2018-V10.6| | | 
|                  |             |&includeSupersedes=0&source=fc      |
+---------------------------------------------------------------------+

Workarounds and Mitigations

None

Change History

Dec 13, 2018: Original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXBMjzGaOgq3Tt24GAQjCmA/8C599VWFA0FYK7CoXhNylDRoearL/6HFh
bOxYUFGcvTqI9SrW9AEm7cw3EuPUPsZ+nixuP6fcdCea6BFu5EH0ZXwsUUXHQHl6
W7RmA+mi2+zepEh9we2bh//9ioCxepM7OGxDhjOPSVCj0N6e61TA+Lc2XZHkNIk8
itKA56rAjoDfjbb1eQGYKJEB0ISd85egb4pxO3w8eFWqkH683EfAwIqlwycqm0gC
qSopDRetnvWiFGpnrbetbjYaoiuzinPjYWNcTO3wuUz5YO1Vu8W8mhD6V5j1w8z8
JXBogmScRgliWfN2Z0QlA8vmGGFmM8y4yPSOk6adsLYI3SC/1f/zPklze1Y3dtmU
2f+aaDkjTP1buj6lz+VsrWF4Pi83coDwRgQSwk20c8dpbJVyCbKk0WCal6vfrrWc
8KbivHIH+Wm7DmucFqWQyphLYcCg6Lg5fPJ9u01ZL0Ymfw5ObGow7eG7joQ3cYzE
wUdpWPfmrqnV4Yxe78R1XfzApcFWhwP4W3VcJz3KJTdrqePUsBku9gpxaoMO0e/f
rxOn3dwWUD7ZzHm+wcHrLpj3/JF+/lSXEZG10UzfthvhFnJyOQGOHnvl72w8ZUXx
t3d5NdskoK7k9oVs7k7v/pbtMJgC0xNFtLDqmPZlxz99EBcFx4aeanRMecUY505Z
NPTd9XpEqdM=
=D4Ax
-----END PGP SIGNATURE-----
