-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0037
  Multiple vulnerabilities have been identified in IBM Intelligent Operations Center
                               2 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Intelligent Operations Center
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Increased Privileges            -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13785 CVE-2018-12539 CVE-2018-3214 CVE-2018-3211
                   CVE-2018-3209 CVE-2018-3183 CVE-2018-3180 CVE-2018-3169
                   CVE-2018-3149 CVE-2018-3139 CVE-2018-3136 CVE-2018-2973
                   CVE-2018-2964 CVE-2018-2952 CVE-2018-2940 CVE-2018-2814
                   CVE-2018-2800 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797
                   CVE-2018-2796 CVE-2018-2795 CVE-2018-2794 CVE-2018-2790
                   CVE-2018-2783 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663
                   CVE-2018-2657 CVE-2018-2641 CVE-2018-2639 CVE-2018-2638
                   CVE-2018-2637 CVE-2018-2634 CVE-2018-2633 CVE-2018-2629
                   CVE-2018-2618 CVE-2018-2603 CVE-2018-2602 CVE-2018-2599
                   CVE-2018-2588 CVE-2018-2582 CVE-2018-2579 CVE-2018-1656
                   CVE-2018-1517 CVE-2018-1413 CVE-2018-0739 CVE-2017-15095
                   CVE-2017-12624 CVE-2017-7525 CVE-2017-3737 CVE-2017-3736
                   CVE-2017-3735 CVE-2016-5597 CVE-2016-5549 CVE-2016-5548
                   CVE-2016-5547 CVE-2016-2183
Reference:         ASB-2018.0290 ASB-2018.0264 ASB-2018.0259
                   ESB-2016.2268 ESB-2016.2263 ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10791133
   http://www.ibm.com/support/docview.wss?uid=ibm10730863

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM(R) Java(TM) SDK and IBM(R)
Java(TM) Runtime affect IBM(R) Intelligent Operations Center products

Document information
More support for:   IBM Intelligent Operations Center
Component:          Not Applicable
Software version:   1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3, 5.1, 5.1.0.1, 5.1.0.2,
                    5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6, 5.1.0.7, 5.1.0.8,
                    5.1.0.9, 5.1.0.10, 5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14
Operating system(s): Linux, Windows
Reference #:        0791133
Modified date:      21 December 2018

Security Bulletin

Summary

There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Versions 6, 7, and 8, and IBM(R) Runtime Environment Java(TM), Versions 6, 7,
and 8 that are used by IBM(R) Intelligent Operations Center, IBM(R) Intelligent
Operations Center for Emergency Management, and IBM(R) Water Operations for
Waternamics. IBM(R) Intelligent Operations Center has addressed the applicable
CVEs.

Vulnerability Details

If you run your own Java(TM) code using the IBM(R) Java(TM) JRE that is
delivered with this product, you should evaluate your code to determine whether
additional Java(TM) vulnerabilities are applicable to your code.

CVE IDs: CVE-2018-3183 CVE-2018-3209 CVE-2018-3169 CVE-2018-3149 CVE-2018-3211
         CVE-2018-3180 CVE-2018-3214 CVE-2018-13785 CVE-2018-3136 CVE-2018-3139

CVEID: CVE-2018-3183
DESCRIPTION: A flaw in the javax.script API allows untrusted code running under
a security manager to elevate its privileges. The fix addresses the flaw.
Product Applicability: This issue is exploitable if the JRE is running untrusted
code under a security manager (including untrusted applets or Web Start
applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 9.0
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3209
DESCRIPTION: A flaw in Java FX may allow elevation of privileges and execution
of arbitrary code.
Product Applicability: This does not apply to the IBM JRE/SDK, including
Solaris, HP-UX and Mac OS.
Mitigation: N/A.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3169
DESCRIPTION: A flaw in the java.lang.invoke implementation allows untrusted code
to bypass the security manager and elevate its privileges. The fix adds
additional constraint checking to resolve the flaw.
Product Applicability: This issue is exploitable if the JRE is running untrusted
code under a security manager (including untrusted applets or Web Start
applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3149
DESCRIPTION: A flaw in the JNDI component allows classes to be loaded from
arbitrary URLs even when the system property
"com.sun.jndi.ldap.object.trustURLCodebase" is set to "false". The fix ensures
that URL codebases are not trusted when
com.sun.jndi.ldap.object.trustURLCodebase=false.
Product Applicability: This issue is exploitable if the JRE is running untrusted
code under a security manager (including untrusted applets or Web Start
applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 8.3
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-3211
DESCRIPTION: An unknown flaw in Oracle's Java Usage Tracker.
Product Applicability: This does not apply to the IBM JRE/SDK, including
Solaris, HP-UX and Mac OS.
Mitigation: N/A
CVSS Base Score: 6.6
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-3180
DESCRIPTION: A flaw in the JSSE component means that TLS connections do not
always check the validity of the hostname on the server-side certificate. The
fix ensures that server-side certificates are checked correctly.
Product Applicability: This issue affects products or applications that use TLS
to connect to remote servers.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 5.6
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3214
DESCRIPTION: A flaw in the sound component results in an infinite loop when
reading a specially crafted WAV file. This potentially allows an attacker to
inflict a denial-of-service attack. The fix ensures that the malformed WAV data
is handled gracefully.
Product Applicability: This issue affects products/applications that read WAV
data from untrusted sources using the
javax.sound.sampled.AudioSystem.getAudioFileFormat() API. This issue is also
exploitable if the JRE is running untrusted code under a security manager
(including untrusted applets or Web Start applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-13785
DESCRIPTION: A flaw in libpng 1.6.34 may trigger a divide-by-zero while
processing a maliciously crafted PNG file, leading to crash and denial of
service. The fix upgrades the libpng code in the Java runtime (used only for
Applet splash screens) to 1.6.35.
Product Applicability: This issue is applicable if the JRE is installed as a
system JRE, such that it is used to launch and execute applets in a browser.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.7

CVEID: CVE-2018-3136
DESCRIPTION: A flaw in the JAR implementation allows the sealing of a JAR file
to be broken. The fix ensures that sealed JAR files cannot be "unsealed".
Product Applicability: This issue is exploitable if the JRE is running untrusted
code under a security manager (including untrusted applets or Web Start
applications).
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)

CVEID: CVE-2018-3139
DESCRIPTION: A flaw in the implementation of java.net.HttpURLConnection may lead
to exposure of sensitive information in HTTP headers. The fix ensures that the
sensitive information is not exposed.
Product Applicability: This issue applies to products or applications that use
java.net.HttpURLConnection or javax.net.ssl.HttpsURLConnection instances that
are set to automatically follow redirects, i.e. instances upon which
setFollowRedirects() has been called.
Mitigation: The only solution is to upgrade the JRE.
CVSS Base Score: 3.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Principal Product and Versions:
  o IBM(R) Intelligent Operations Center V1.6.0 - V5.1.0.14
  o IBM(R) Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1

Affected Supporting Products and Versions (for all of the principal products
above):
  o IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 55
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 55
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 15
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 7
    and earlier releases

Remediation/Fixes
The fix for this issue is available in IBM(R) Intelligent Operations Center
version 5.2 on Passport Advantage. Refer to the following security bulletins for
vulnerability details and information about fixes:

  o IJ10930: FIX SECURITY VULNERABILITY CVE-2018-3183
    CVE(s): CVE-2018-3183
  o IJ10931: FIX SECURITY VULNERABILITY CVE-2018-3169
    CVE(s): CVE-2018-3169
  o IJ10932: FIX SECURITY VULNERABILITY CVE-2018-3149
    CVE(s): CVE-2018-3149
  o IJ10894: FIX SECURITY VULNERABILITY CVE-2018-3180
    CVE(s): CVE-2018-3180
  o IJ10933: FIX SECURITY VULNERABILITY CVE-2018-3214
    CVE(s): CVE-2018-3214
  o IJ10934: FIX SECURITY VULNERABILITY CVE-2018-13785
    CVE(s): CVE-2018-13785
  o IJ10935: FIX SECURITY VULNERABILITY CVE-2018-3136
    CVE(s): CVE-2018-3136
  o IJ10895: FIX SECURITY VULNERABILITY CVE-2018-3139
    CVE(s): CVE-2018-3139

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of successful
attacks by restricting the network protocols required by an attack. For attacks
that require certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged users may
help reduce the risk of successful attack. Both approaches may break application
functionality, so IBM strongly recommends that customers test changes on
non-production systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem.

Change History

21 December 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.
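The "Affected Products and Versions" table above is expressed in IBM Service Refresh / Fix Pack levels rather than in version strings you can grep for, and the bulletins note that the JRE is bundled inside several components (WebSphere Application Server, Db2, Installation Manager, MQ, Cognos), each with its own copy of java. The following checker is an added example written for this page, not code from IBM or AusCERT: it parses the banner printed by `java -version` and compares the SR/FP level against the table. The banner layout it expects (a trailing "(SRn FPm)" and a "_26sr"/"_27sr" marker for the 6R1/7R1 streams) is an assumption about IBM JRE output, and the sample banners are constructed, not captured from real hosts.

```python
import re
import sys

# Newest still-affected level per IBM SDK stream, taken from the bulletin's
# "Affected Products and Versions" table: (major, is_R1) -> (SR, FP).
AFFECTED_UP_TO = {
    ("6", False): (16, 55),  # Version 6   SR16 FP55 and earlier
    ("6", True):  (8, 55),   # Version 6R1 SR8  FP55 and earlier
    ("7", False): (10, 15),  # Version 7   SR10 FP15 and earlier
    ("7", True):  (4, 15),   # Version 7R1 SR4  FP15 and earlier
    ("8", False): (5, 7),    # Version 8   SR5  FP7  and earlier
}

# ASSUMED banner layout of `java -version` from an IBM JRE, e.g.
#   java version "1.8.0_171"
#   Java(TM) SE Runtime Environment (build 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17))
# We key on the trailing "(SRn FPm)"; a "_26sr"/"_27sr" marker in the build id
# (J9 VM 2.6 / 2.7) distinguishes the 6R1 / 7R1 streams from plain 6 / 7.
MAJOR_RE = re.compile(r'java version "1\.(?P<major>[678])\.')
BUILD_RE = re.compile(
    r"\(build\s+(?P<build>[^()]*?)\s*\(SR(?P<sr>\d+)(?:\s+FP(?P<fp>\d+))?\)")


def parse_java_version(banner: str):
    """Return (major, is_r1, sr, fp), or None if this is not an IBM JRE banner."""
    m_major = MAJOR_RE.search(banner)
    m_build = BUILD_RE.search(banner)
    if not (m_major and m_build):
        return None
    major = m_major.group("major")
    build_id = m_build.group("build")
    is_r1 = (major == "6" and "_26sr" in build_id) or (major == "7" and "_27sr" in build_id)
    sr = int(m_build.group("sr"))
    fp = int(m_build.group("fp") or 0)  # "(SR5)" alone is the SR's GA level, fix pack 0
    return major, is_r1, sr, fp


def assess(banner: str) -> str:
    """'affected' if the JRE is at or below the table's level, 'not affected'
    if newer, 'unknown' for non-IBM, unparseable or unlisted streams."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, is_r1, sr, fp = parsed
    limit = AFFECTED_UP_TO.get((major, is_r1))
    if limit is None:
        return "unknown"
    return "affected" if (sr, fp) <= limit else "not affected"


# Constructed banners for levels around the table's cut-offs (not captured from real hosts).
SAMPLES = {
    "java8_sr5fp17": 'java version "1.8.0_171"\nJava(TM) SE Runtime Environment '
                     '(build 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17))\n',
    "java8_sr5fp7": 'java version "1.8.0_151"\nJava(TM) SE Runtime Environment '
                    '(build 8.0.5.7 - pxa6480sr5fp7-20171026_01(SR5 FP7))\n',
    "java8_sr5_ga": 'java version "1.8.0_144"\nJava(TM) SE Runtime Environment '
                    '(build 8.0.5.0 - pxa6480sr5-20170905_01(SR5))\n',
    "java7r1_sr4fp15": 'java version "1.7.0"\nJava(TM) SE Runtime Environment '
                       '(build pxa6470_27sr4fp15-20180627_01(SR4 FP15))\n',
    "java7_sr10fp30": 'java version "1.7.0"\nJava(TM) SE Runtime Environment '
                      '(build pxa6470sr10fp30-20180627_01(SR10 FP30))\n',
    "java6r1_sr8fp55": 'java version "1.6.0"\nJava(TM) SE Runtime Environment '
                       '(build pxa6460_26sr8fp55-20180626_01(SR8 FP55))\n',
    "openjdk": 'openjdk version "1.8.0_181"\nOpenJDK Runtime Environment (build 1.8.0_181-b13)\n',
}


def assess_samples() -> dict:
    """Verdict for every constructed sample banner, keyed by sample name."""
    return {name: assess(banner) for name, banner in SAMPLES.items()}


if __name__ == "__main__":
    # Usage (file name is hypothetical):
    #   <JRE_HOME>/bin/java -version 2>&1 | python3 check_ibm_jre_level.py
    print(assess(sys.stdin.read()))
```

Run it once per embedded JRE (for example the java under the WebSphere, Db2 and Installation Manager install roots), not just against the java on PATH; a verdict of "unknown" means the banner did not match the expected IBM layout and should be inspected by hand rather than treated as clean.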
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Product                                   Platform         Version
IBM Intelligent Operations Center for     Linux, Windows   1.6, 5.1, 5.1.0.2, 5.1.0.3,
  Emergency Management                                     5.1.0.4, 5.1.0.5, 5.1.0.6
IBM Water Operations for Waternamics      Linux            5.1, 5.2, 5.2.0.1, 5.2.0.2,
                                                           5.2.0.3, 5.2.0.4, 5.2.0.5,
                                                           5.2.0.6, 5.2.1, 5.2.1.1

- --------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM(R) Java(TM) SDK and IBM(R)
Java(TM) Runtime affect IBM(R) Intelligent Operations Center products

Document information
More support for:   IBM Intelligent Operations Center
Component:          Not Applicable
Software version:   1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3, 5.1, 5.1.0.1, 5.1.0.2,
                    5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6, 5.1.0.7, 5.1.0.8,
                    5.1.0.9, 5.1.0.10, 5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14
Operating system(s): Linux, Windows
Reference #:        0730863
Modified date:      21 December 2018

Security Bulletin

Summary

There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition,
Versions 6, 7, and 8, and IBM(R) Runtime Environment Java(TM), Versions 6, 7,
and 8 that are used by IBM(R) Intelligent Operations Center, IBM(R) Intelligent
Operations Center for Emergency Management, and IBM(R) Water Operations for
Waternamics. IBM(R) Intelligent Operations Center has addressed the applicable
CVEs.
Vulnerability Details

If you run your own Java(TM) code using the IBM(R) Java(TM) JRE that is
delivered with this product, you should evaluate your code to determine whether
additional Java(TM) vulnerabilities are applicable to your code.

CVE IDs: CVE-2018-2964 CVE-2018-2973 CVE-2018-2940 CVE-2018-2952 CVE-2018-1656
         CVE-2018-1517 CVE-2018-2579 CVE-2018-2588 CVE-2018-2663 CVE-2018-2677
         CVE-2018-2678 CVE-2018-2602 CVE-2018-2599 CVE-2018-2603 CVE-2018-2629
         CVE-2018-2657 CVE-2018-2618 CVE-2018-2641 CVE-2018-2582 CVE-2018-2634
         CVE-2018-2637 CVE-2018-2633 CVE-2018-2638 CVE-2018-2639 CVE-2018-2783
         CVE-2018-2800

CVEID: CVE-2018-2964
DESCRIPTION: An unspecified vulnerability related to the Java SE Deployment
component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146827
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2973
DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component
could allow an unauthenticated attacker to cause no confidentiality impact, high
integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146835
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2940
DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146803
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2952
DESCRIPTION: An unspecified vulnerability related to the Java SE Concurrency
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146815
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment's Diagnostic Tooling Framework for
Java (DTFJ) does not protect against path traversal attacks when extracting
compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-1517
DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology
Edition may allow an attacker to inflict a denial-of-service attack with
specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141681
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2579
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated
attacker to obtain sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137833
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2588
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit LDAP component could allow an unauthenticated
attacker to obtain sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137841
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2663
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137917
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2677
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded AWT component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137932
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2678
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137933
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded I18N component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and low availability
impact.
CVSS Base Score: 4.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137854
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-2599
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to cause no confidentiality impact, low integrity impact, and low
availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137851
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2018-2603
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low availability impact
using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137855
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2629
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JGSS component could allow an unauthenticated
attacker to cause no confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137880
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2657
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, JRockit Serialization component could allow an unauthenticated attacker to
cause a denial of service resulting in a low availability impact using unknown
attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137910
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2618
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137870
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-2641
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded AWT component could allow an unauthenticated attacker to
cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137893
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2582
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Hotspot component could allow an unauthenticated attacker
to cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137836
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2634
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JGSS component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high confidentiality impact using
unknown attack vectors.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137886
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-2637
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JMX component could allow an unauthenticated
attacker to cause high confidentiality impact, high integrity impact, and no
availability impact.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137889
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2633
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated
attacker to take control of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137885
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2638
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137890
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2639
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to take control
of the system.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137891
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2783
DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded, JRockit component
of Oracle Java SE (subcomponent: Security). Supported versions that are affected
are Java SE: 6u181, 7u161 and 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17.
Difficult to exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Java SE, Java SE
Embedded, JRockit accessible data as well as unauthorized access to critical
data or complete access to all Java SE, Java SE Embedded, JRockit accessible
data. Note: Applies to client and server deployment of Java. This vulnerability
can be exploited through sandboxed Java Web Start applications and sandboxed
Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or
sandboxed Java applets, such as through a web service.
CVSS Base Score: 7.4 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-2800
DESCRIPTION: Vulnerability in the Java SE, JRockit component of Oracle Java SE
(subcomponent: RMI). Supported versions that are affected are Java SE: 6u181,
7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, JRockit. Successful attacks require human interaction from
a person other than the attacker. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of Java SE,
JRockit accessible data as well as unauthorized read access to a subset of Java
SE, JRockit accessible data. Note: This vulnerability can only be exploited by
supplying data to APIs in the specified Component without using Untrusted Java
Web Start applications or Untrusted Java applets, such as through a web service.
CVSS Base Score: 4.2 (Confidentiality and Integrity impacts).
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141956
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Principal Product and Versions:
  o IBM(R) Intelligent Operations Center V1.6.0 - V5.1.0.14
  o IBM(R) Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1

Affected Supporting Products and Versions (for all of the principal products
above):
  o IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 55
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 55
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 15
    and earlier releases
  o IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 7
    and earlier releases

Remediation/Fixes

IBM(R) Intelligent Operations Center and related products use IBM(R) WebSphere
Application Server, IBM(R) WebSphere Application Server Liberty Profile, IBM(R)
Db2, IBM(R) Installation Manager, IBM(R) WebSphere MQ, and Cognos(R), which use
the affected IBM(R) Java(TM) SDK and IBM(R) Java(TM) JRE versions. The fix for
this issue is available in IBM(R) Intelligent Operations Center version 5.2 on
Passport Advantage.
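The CVE-2018-1656 entry above says only that DTFJ "does not protect against path traversal attacks when extracting compressed dump files". The example below is added here to show that bug class and the check that closes it; it is not IBM's DTFJ code, and it uses an ordinary zip archive constructed in memory rather than DTFJ's own dump format. The unsafe extractor joins each member name onto the destination directory exactly as the archive supplies it, so a member named `../escaped.txt` lands one level above the target; the safe extractor resolves every member name first and refuses the whole archive if any member would end up outside the destination.

```python
import io
import os
import tempfile
import zipfile


def is_within(base_dir: str, member_name: str) -> bool:
    """True if member_name, joined onto base_dir, still resolves inside base_dir.
    realpath() collapses '..' and symlinks; an absolute member name discards
    base_dir in os.path.join and is rejected by the same comparison."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def build_sample_archive() -> bytes:
    """Constructed sample (not a real DTFJ dump): one benign member and one whose
    name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dump/core.txt", "benign dump contents\n")
        zf.writestr("../escaped.txt", "landed outside the extraction directory\n")
    return buf.getvalue()


def extract_unsafe(archive: bytes, dest: str) -> list:
    """The bug class: member names are trusted verbatim when joined onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.normpath(target))
    return written


def extract_safe(archive: bytes, dest: str) -> list:
    """Validate every member name before writing anything, then extract.
    Checking up front (rather than per member) avoids leaving a half-extracted
    archive behind when a bad member appears late in the listing."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_within(dest, i.filename)]
        if bad:
            raise ValueError(f"archive members escape {dest!r}: {bad}")
        base = os.path.realpath(dest)
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(base, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the sample inside a scratch directory and report
    what happened. The 'escape' stays under the scratch root, so nothing outside
    the temp directory is touched."""
    root = tempfile.mkdtemp(prefix="dtfj-demo-")
    archive = build_sample_archive()

    unsafe_dest = os.path.join(root, "unsafe")
    os.mkdir(unsafe_dest)
    extract_unsafe(archive, unsafe_dest)
    escaped = os.path.exists(os.path.join(root, "escaped.txt"))

    safe_dest = os.path.join(root, "safe")
    os.mkdir(safe_dest)
    try:
        extract_safe(archive, safe_dest)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unsafe_escaped": escaped,                       # file written above unsafe/
        "safe_rejected": rejected,                       # archive refused as a whole
        "safe_wrote_nothing": os.listdir(safe_dest) == [],
    }


if __name__ == "__main__":
    print(demo())
```

The same containment check applies to any archive or dump format an operations console ingests from a less trusted source (uploaded diagnostics, support bundles, tar files); the CVSS vector for CVE-2018-1656 (AV:N, UI:R, I:H) matches that pattern, an operator opening a crafted dump and getting files planted elsewhere on the host.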
The following areas may require remediation using the information provided in
the listed security bulletins:

Area: Data server for IBM(R) Intelligent Operations Center V5.1 - V5.1.0.14,
IBM(R) Intelligent Operations Center for Emergency Management V5.1 - V5.1.0.6,
and IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java
    Runtime affect IBM(R) Db2(R)
    CVE(s): CVE-2018-2783, CVE-2018-2794
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java
    Runtime affect IBM(R) Db2(R)
    CVE(s): CVE-2018-2579, CVE-2018-2678, CVE-2018-2618, CVE-2018-2602

Area: Application server for IBM(R) Intelligent Operations Center V5.1 -
V5.1.0.14, IBM(R) Intelligent Operations Center for Emergency Management V5.1 -
V5.1.0.6, and IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1
  o IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects
    WebSphere Application Server July 2018 CPU
    CVE(s): CVE-2018-1656, CVE-2018-12539
  o IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects
    WebSphere Application Server April 2018 CPU
    CVE(s): CVE-2018-2783, CVE-2018-2800

Area: Analytics server for IBM(R) Intelligent Operations Center V5.1 -
V5.1.0.14, IBM(R) Intelligent Operations Center for Emergency Management V5.1 -
V5.1.0.6, and IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1
  o IBM Security Bulletin: Multiple Vulnerabilities in IBM(R) Java SDK affects
    WebSphere Application Server July 2018 CPU
    CVE(s): CVE-2018-1656, CVE-2018-12539
  o IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affects
    WebSphere Application Server April 2018 CPU
    CVE(s): CVE-2018-2783, CVE-2018-2800

Area: IBM(R) WebSphere(R) MQ used by IBM(R) Intelligent Operations Center V5.1 -
V5.1.0.14 and IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect
    IBM MQ
    CVE(s): CVE-2018-2799, CVE-2018-2798, CVE-2018-2797, CVE-2018-2796,
    CVE-2018-2795, CVE-2018-2794, CVE-2018-2814, CVE-2018-2783, CVE-2018-2790

Area: IBM(R) Business Process Manager used by IBM(R) Intelligent Operations
Center V1.6.0 - V5.1.0.14, IBM(R) Intelligent Operations Center for Emergency
Management V1.6 - V5.1.0.6, and IBM(R) Water Operations for Waternamics V5.1 -
V5.2.1.1
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
    Integration Designer used in IBM Business Process Manager
    CVE(s): CVE-2018-2633, CVE-2018-2637, CVE-2018-2603, CVE-2018-2602,
    CVE-2018-2579

Area: Cognos(R) used by IBM(R) Intelligent Operations Center V1.6.0 - V5.1.0.14,
IBM(R) Intelligent Operations Center for Emergency Management V1.6 - V5.1.0.6,
and IBM(R) Water Operations for Waternamics V5.1 - V5.2.1.1
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Cognos Business
    Intelligence affect Rational Insight
    CVE(s): CVE-2017-3735, CVE-2017-3736, CVE-2018-0739, CVE-2017-3737,
    CVE-2017-7525, CVE-2017-12624, CVE-2017-15095, CVE-2018-1413,
    CVE-2018-2579, CVE-2018-2588, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678,
    CVE-2018-2599, CVE-2018-2603, CVE-2018-2657, CVE-2018-2618, CVE-2018-2634,
    CVE-2018-2637, CVE-2018-2800, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797,
    CVE-2018-2798, CVE-2018-2799, CVE-2018-2783, CVE-2018-2814, CVE-2018-2790

Area: IBM(R) Installation Manager used by IBM(R) Intelligent Operations Center
V1.6.0 - V5.1.0.14, IBM(R) Intelligent Operations Center for Emergency
Management V1.6 - V5.1.0.6, and IBM(R) Water Operations for Waternamics V5.1 -
V5.2.1.1
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect
    IBM Installation Manager and IBM Packaging Utility
    CVE(s): CVE-2018-2814, CVE-2018-2783
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect
    IBM Installation Manager and IBM Packaging Utility
    CVE(s): CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618,
    CVE-2018-2633
  o IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect
    IBM Installation Manager and IBM Packaging Utility
    CVE(s): CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-2183
  o IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM
    Installation Manager and IBM Packaging Utility (CVE-2016-5597)

Area: IBM(R) SPSS(R) Analytic Server used by IBM(R) Intelligent Operations
Center V5.1 - V5.1.0.14 and IBM(R) Water Operations for Waternamics V5.1 -
V5.2.1.1
  o IBM Security Bulletin: Vulnerability in IBM(R) Java SDK affects IBM SPSS
    Analytic Server (CVE-2018-2602, CVE-2018-2634)

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of successful
attacks by restricting the network protocols required by an attack. For attacks
that require certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged users may
help reduce the risk of successful attack. Both approaches may break application
functionality, so IBM strongly recommends that customers test changes on
non-production systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem.

Acknowledgement

CVE-2018-1517 was reported to IBM by Michael Weissbacher.

Change History

21 December 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information

+---------------------------+---------+--------------+-----------------------------------+-------+
|Product                    |Component|Platform      |Version                            |Edition|
+---------------------------+---------+--------------+-----------------------------------+-------+
|IBM Intelligent Operations |         |Linux, Windows|1.6, 5.1, 5.1.0.2, 5.1.0.3,        |       |
|Center for Emergency       |         |              |5.1.0.4, 5.1.0.5, 5.1.0.6          |       |
|Management                 |         |              |                                   |       |
+---------------------------+---------+--------------+-----------------------------------+-------+
|IBM Water Operations for   |         |Linux         |5.1, 5.2, 5.2.0.1, 5.2.0.2,        |       |
|Waternamics                |         |              |5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,|       |
|                           |         |              |5.2.1, 5.2.1.1                     |       |
+---------------------------+---------+--------------+-----------------------------------+-------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXCxUYWaOgq3Tt24GAQiwoA//Qd/G1PFzMmFPx64ThX/qkBb8E5oo2XnY
/rv92BG4WuNu+0sdB0vzXj5hMAVtduZTcsXCd4W3H+vlX8P+wF9vhD/nctCwTxpz
gjFd/jBKPh5HIK9UsdqpGR7fFQomyGjdY8DbEL4NiO52FC5ax0Wp6UJd/xNr4ACH
JMtFZ4lQDIe+XlP8gfRXQoZ3gzpVc+x8Nu18JMW1pMkcT2c4CGTZaic4nz4yx1PG
4xhw6FFY7ZB9Oo9QJi4GeX1IZ1NUkQiKkGoHMIMbEZFw2NGpxoXpo/T75SROOVgC
uz2aA2Q939YtkGykTcPFI4NVQSYZ7Wex1ycWU6Z3PFT/r5xZSoaVSje4qdNHADfo
exGluLGAonQ9AdcmSgWQ5XLqnAiHfOi2lL65jBKZaIF50LGo0LGZNUDTi/ApYPdg
GFu2ccE/QigvWp9UGlGnPp0q5za4I8aTvIIH75WHnva93NxOF3yBf9rtE7zgsW6J
HndTGHLjnSxllD7gVq2O1MYd9BiDCizYupYkK8C9FAGmiQtzKou4iqeVhUasujG0
12nkPEOpPrEF8EFVwDEMPYYnxrxAyzGQg40+cVx8kYOxZm+scF9WrlOyPd7QpJJU
VwVMyUByI9gsf3cIBVnbPWMDvzvofy7AQWn9Vdeer/ioYFtEP7davYeHiMIFm5Ly
M5JH9kX3zWg=
=0pc7
-----END PGP SIGNATURE-----