-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0300
     Multiple vulnerabilities affect IBM Financial Transaction Manager
                              1 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Financial Transaction Manager
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4032 CVE-2018-2026 CVE-2018-1670

Reference:         ESB-2019.0258
                   ESB-2019.0176
                   ESB-2018.2977.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10869520
   http://www.ibm.com/support/docview.wss?uid=ibm10795538
   http://www.ibm.com/support/docview.wss?uid=ibm10731545

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Financial Transaction Manager for ACH Services is affected
by a potential SQL Injection vulnerability (CVE-2019-4032)

Security Bulletin

Document information

More support for: Financial Transaction Manager

Component: Financial Transaction Manager for ACH Services

Software version: 3.1.0

Operating system(s): Platform Independent

Reference #: 0869520

Modified date: 31 January 2019

Summary

IBM Financial Transaction Manager for ACH Services (FTM ACH) for Multi-
Platform has addressed the following vulnerability. A potential Blind SQL
injection on a web service.

Vulnerability Details

CVEID:  CVE-2018-1670

DESCRIPTION: IBM Financial Transaction Manager for ACH Services for
Multi-Platform could allow an authenticated user to obtain sensitive product
configuration information from log files.

CVSS Base Score: 3.1

CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/144946  for the current
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

v3.1.0.0 - 3.1.0.3

Remediation/Fixes


 Product      VRMF               APAR      Remediation/First Fix
FTM ACH      3.1.0.0 - 3.1.0.2  PH07876   3.1.0.3-FTM-ACH-MP-iFix0001


Workarounds and Mitigations

None


Reference

Complete CVSS v3 Guide On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog

Change History

31 January 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE
IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

FTM FTM ACH


- --------------------------------------------------------------------------------

Security Bulletin: Financial Transaction Manager for ACH Services is affected
by a potential directory listing of internal product files vulnerability
(CVE-2018-2026)

Security Bulletin

Document information

More support for: Financial Transaction Manager

Component: Financial Transaction Manager for ACH Services

Software version: 3.0.6, 3.1.0

Operating system(s): Platform Independent

Reference #: 0795538

Modified date: 31 January 2019

Summary

IBM Financial Transaction Manager for ACH Services (FTM ACH) for Multi-
Platform has addressed the following vulnerability. A potential directory
listing vulnerability could allow an authenticated user to obtain a directory
listing of internal product files.

Vulnerability Details

CVEID: CVE-2018-2026

DESCRIPTION: IBM Fnancial Transaction Manager for Digital Payments could allow
an authenticated user to obtain a directory listing of internal product files.

CVSS Base Score: 4.3

CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155552 for the current
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

FTM ACH v3.0.6.0 - 3.0.6.4, v3.1.0.0 - 3.1.0.3

Remediation/Fixes


 Product      VRMF               APAR      Remediation/First Fix
FTM ACH      3.0.6.0 - 3.0.6.4  PH07380   3.0.6-FTM-ACH-MP-fp0005
FTM ACH      3.1.0.0 - 3.1.0.3  PH07380   3.1.0.3-FTM-ACH-MP-iFix0001


Workarounds and Mitigations

None


Reference

Complete CVSS v3 Guide On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog

Change History

31 January 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE
IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

FTM FTM ACH

- --------------------------------------------------------------------------------

Security Bulletin: Financial Transaction Manager for ACH Services:
Information Leakage in configuration listing (CVE-2018-1670)

Security Bulletin

Document information

More support for: Financial Transaction Manager

Component: Financial Transaction Manager for ACH Services

Software version: 3.0.6, 3.1.0

Operating system(s): Platform Independent

Reference #: 0731545

Modified date: 31 January 2019

Summary

IBM Financial Transaction Manager for ACH Services (FTM ACH) for Multi-
Platform could allow an authenticated user to obtain sensitive product
configuration information from log files.

Vulnerability Details

CVEID: CVE-2018-1670

DESCRIPTION: IBM Financial Transaction Manager for ACH Services for
Multi-Platform could allow an authenticated user to obtain sensitive product
configuration information from log files. i

CVSS Base Score: 3.1

CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/144946 for the current
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

FTM ACH v3.0.6.0 - 3.0.6.4, v3.1.0.0 - 3.1.0.3

Remediation/Fixes


 Product      VRMF               APAR      Remediation/First Fix
FTM ACH      3.0.6.1            PH02828   3.0.6.1-FTM-ACH-MP-iFix0009
FTM ACH      3.0.6.0 - 3.0.6.4  PH02828   3.0.6-FTM-ACH-MP-fp0005
FTM ACH      3.1.0.0 - 3.1.03   PH02828   3.1.0.3-FTM-ACH-MP-iFix0001


Workarounds and Mitigations

None


Reference

Complete CVSS v3 Guide On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog

Change History

31 January 2019: Updated for v3.1.0.3 interim fix (iFix) 1 29 January 2019:
Updated for v3.0.6.1 interim fix (iFix) 9 18 January 2019: Original version
published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE
IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

FTM FTM ACH

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXFOZtWaOgq3Tt24GAQiAdRAAg82Mc3N0Zclg18VLwbhFAIkWpidxtrBe
CqDBnCLjTWmVyLgU3QSZ+eBWQfkR8T/NNpXJimJ+GleZW5Zng0uCEaARuLjKCeV6
369q9HiwGVl6YEyMBUs/DxHnZnUqUci2oF2BRD/SyNH194EGry/nvVAcHgU/bWgH
wz+IArP1wqoKRFaY7YMcCPIKjtqMsa3ZrnWoFDudGtFiL676qjVp6W5roEHmoymF
nyJe1bHm+JwGzdhC7jbILW3is3R0qd/X83waNS6BrsP77CQikVw5vY3WRSMlRA7d
tNEAWfPmSOKpDPwoVy7TbDFIjtWQUf8Y9lZLJg4nf53g8TOysDx+HVFE6BaVidXq
abpil5WV+QZc4Rsl0cQCqoT5mY/YbQOZFRWdQTu+NWV8oX4Mp/WiM9FQQSIA7yRa
y/IKgK0U66xu46Ifcyz0lsxk4kNO28n7OkT8wh10DYMXype0m2i69o37Xye3uQCv
erSQpDh6MLxq/Ur6Z1tA4L6XTI40GMQ6Otd96Kjz4BPgvSMtpQ3nloHNaCZkPKta
Bkem0eqlI9V3MvUnrrGTLDb0JuG0MWynS4o69wLO8ghNcPQv0JrIchgwcvMaZoY3
bPUFYjZT4jt2y2C+Qs/TXgvKmmoFHn9fHp1eUYTpgB5xvkIvbbm+gR9DvFNA5dRJ
71P7m720zMA=
=jQt0
-----END PGP SIGNATURE-----