Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1084 IBM Event Streams is affected by multiple vulnerabilities 1 April 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Event Streams Publisher: IBM Operating System: Linux variants Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-6486 CVE-2019-3823 CVE-2019-3822 CVE-2018-16890 CVE-2018-16875 Reference: ESB-2019.0893 ESB-2019.0381.2 ESB-2019.0373.2 ESB-2019.0369 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10876552 http://www.ibm.com/support/docview.wss?uid=ibm10876554 Comment: This bulletin contains two (2) advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- IBM Event Streams is affected by Go vulnerabilities Product: WebSphere IBM Event Streams Software version: All Versions Operating system(s): Linux Reference #: 0876552 Security Bulletin Summary IBM Event Streams has addressed the following vulnerabilities in the Go Runtimes shipped. Vulnerability Details CVE-ID: CVE-2019-6486 Description: Golang Go is vulnerable to a denial of service, caused by mishandling P-521 and P-384 elliptic curves. By using specially-crafted inputs, a local attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base Score: 6.2 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 156156 for more information CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2018-16875 DESCRIPTION: Go Programming Language is vulnerable to a denial of service, caused by the failure to limit the amount of work performed for each chain verification. By sending specially-crafted pathological inputs, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base Score: 7.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 154318 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions IBM Event Streams 2018.3.0 IBM Event Streams 2018.3.1 Remediation/Fixes Upgrade to IBM Event Streams 2019.1.1 which is available from Passport Advantage . Change History Initial Version March 2019 *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - ---------------------------------------------------------------------------------- IBM Event Streams is affected by cURL vulnerabilities Product: WebSphere IBM Event Streams Software version: All Versions Operating system(s): Linux Reference #: 0876554 Security Bulletin Summary IBM Event Streams has addressed the following vulnerabilities in the shipped cURL libraries. Vulnerability Details CVEID: CVE-2018-16890 DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive information. The function handling incoming NTLM type-2 messages fails to properly validate incoming data and triggers an integer overflow. An attacker could exploit this vulnerability using the overflow to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 156649 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2019-3822 DESCRIPTION: cURL libcurl is vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header generates the request HTTP header contents based on previously received data. By sending an overly large "nt response" data, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 156651 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVEID: CVE-2019-3823 DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when handling certain SMTP responses. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 156650 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Affected Products and Versions IBM Event Streams 2018.3.0 IBM Event Streams 2018.3.1 Remediation/Fixes Upgrade to IBM Event Streams 2019.1.1 which is available from Passport Advantage . Change History Initial version March 2019 *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXKF9TWaOgq3Tt24GAQiJFxAAujNMuzJAJInCcy2QP54SIt2OE0Pb7AI8 rAkPW2El+fjqc39gT1qpCKWZYCPZw6T706wKVdS0IrvS3XfAMXkfTwk7MoSi+1LR Fh5tsvj6byV/ZU1pl1ZjQivzLe/HoAJntQqos9sBx1vn3ZJjmjv2JGe0/PCjlMIA HVIs2fgHkQUh55iZEVUhr4uu6mNr3Djx1dKoDYjjcZCYonHcQVpslwpHhMCOZs3I oEZ4YOrqVlb5o7KkDYNVq8+cNYsM6Mwrrtz2vfuagwvLpw7JEoPbRD0Xg6Stmtw+ Xs71UNC/GeyqTpdmU4QvQk2vfN2PrpRMDBS9tj76a7ItyVQmmUNFFBIFQfX7Mbhq bxrniVZ8wehMOVbi4XhWUnMQNbekjF4B57tDH3SCDWG3zvQpbdwUDZ9kj15HreF5 uF5mkHxHpHWlRqUhbvnj7jmAIfSbWmsmDTxjJL03x1e3wI85lOaSAPXagPD+JsKL 3tUILnINqXC4OEbZ+ErsA2dJf64KTL05Ois8q5jUSQVWGJxld+mzOIC2VcXF0xVV c6lXtKyuxuNfPo0rxCYt+F+iHm6ioZiCePUFiL++vS+TwuWQ5lVG0CK6fD4JS6of TVjQrzJkZ0UC64oEizLgYyE9O/XVp1NtVlJCE9Zn2zcVGVDkE1Xnxztw7tm1plU8 2C+t/NZEB7w= =YnFz -----END PGP SIGNATURE-----