Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1121 IBM Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities. 3 April 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM API Connect Publisher: IBM Operating System: Linux variants Network Appliance Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-11698 CVE-2018-11697 CVE-2018-11696 CVE-2018-11695 CVE-2018-11694 CVE-2018-11693 CVE-2018-11499 CVE-2018-0210 CVE-2018-0021 CVE-2017-0268 CVE-2016-10531 Reference: ASB-2017.0073 ESB-2018.1183 ESB-2018.0581 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10794165 http://www.ibm.com/support/docview.wss?uid=ibm10878136 Comment: This bulletin contains two (2) advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- IBM API Connect is impacted by multiple open source software vulnerabilities. Product: IBM API Connect Software version: 5.0.8.0 - 5.0.8.4, 2018.1-2018.4.1.2 Operating system(s): Appliance, Linux Reference #: 0794165 Security Bulletin Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2017-0268 DESCRIPTION: Microsoft Server Message Block 1.0 (SMBv1) could allow a remote attacker to obtain sensitive information, caused by improper handling of incoming requests. By sending specially-crafted packet data to the server, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 125554 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2018-0210 DESCRIPTION: Cisco Data Center Network Manager is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the web-based management interface. By persuading an user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 139992 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2018-0021 DESCRIPTION: Juniper Networks Junos OS is vulnerable to a man-in-the-middle attack, caused by an error when configured with short MacSec keys. By using brute-force techniques, a remote attacker from within the local network could exploit this vulnerability to obtain the secret passphrases configured for these keys. CVSS Base Score: 8.8 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 141516 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) CVEID: CVE-2016-10531 DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim''s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 149101 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2018-11698 DESCRIPTION: LibSaas could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::handle_error. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base Score: 4.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144297 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) CVEID: CVE-2018-11499 DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a use-after-free in handle_error() in sass_context.cpp. A remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 143880 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2018-11693 DESCRIPTION: LibSaas could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::skip_over_scopes. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base Score: 4.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144323 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) CVEID: CVE-2018-11697 DESCRIPTION: LibSaas could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::exactly(). By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base Score: 4.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144302 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) CVEID: CVE-2018-11696 DESCRIPTION: LibSaas is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Inspect::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base Score: 3.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144308 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVEID: CVE-2018-11694 DESCRIPTION: LibSaas is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Functions::selector_append. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base Score: 3.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144317 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVEID: CVE-2018-11695 DESCRIPTION: LibSaas is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Expand::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base Score: 3.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144311 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) Affected Products and Versions IBM API Connect version 5.0.8.0-5.0.8.4;2018.1-2018.4.1.2 Remediation/Fixes +------------------------+------------+-------+----------------------------------------------------------------------------------------------+ |Affected Product |Addressed in|APAR |Remediation/First Fix | | |VRMF | | | +------------------------+------------+-------+----------------------------------------------------------------------------------------------+ | | | |Addressed in IBM API Connect V5.0.8.5 fix pack. | | | | | | |IBM API Connect | | |Follow this link and find the APIConnect-Portal package. | |5.0.8.0-5.0.8.4 |5.0.8.5 |LI80724| | | | | |http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all | | | | |&source=fc | +------------------------+------------+-------+----------------------------------------------------------------------------------------------+ | | | |+-----------------------------------------------------------------------------+ | | | | ||Addressed in IBM API Connect v2018.4.1.3fixpack. | | | | | || | | | | | ||Management server and Analytics components are impacted. | | | | | || | | |IBM API Connect V2018.1 |2018.4.1.3 |LI80724||Follow this link and find the appropriate form factor for your installation: | | |- 2018.4.1.2 |fixpack | ||"management" , "analytics" or apicup* or *ICP* for 2018.4.1.3. | | | | | || | | | | | ||http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere& | | | | | ||product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.2&platform=All& | | | | | ||function=all&source=fc | | | | | |+-----------------------------------------------------------------------------+ | +------------------------+------------+-------+----------------------------------------------------------------------------------------------+ Workarounds and Mitigations None Reference Complete CVSS v3 Guide On-line Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History April 1, 2018: Bulletin updated *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - ------------------------------------------------------------------------------ API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122 CVE-2018-12121 CVE-2018-12123 CVE-2018-12116) Product: IBM API Connect Software version: 5.0.8.0-5.0.8.5, 2018.1-2018.4.1.1 Operating system(s): Platform Independent Reference #: 0878136 Security Bulletin Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-12122 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 153456 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2018-12121 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending specially-crafted HTTP requests with maximum sized headers, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base Score: 7.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 153455 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2018-12123 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting. CVSS Base Score: 6.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 153457 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2018-12116 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting. CVSS Base Score: 6.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 153452 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Affected Products and Versions +---------------------------+-----------------+ |Affected IBM API Management|Affected Versions| +---------------------------+-----------------+ |IBM API Connect |2018.1-2018.4.1.1| +---------------------------+-----------------+ |IBM API Connect |5.0.8.0-5.0.8.5 | +---------------------------+-----------------+ Remediation/Fixes +----------------+----------+-------+-----------------------------------------+ | Affected | Fixed in | APAR | Remediation / First Fix | | releases | VRMF | | | +----------------+----------+-------+-----------------------------------------+ | | | |Addressed in IBM API Connect | | | | |v2018.4.1.2fixpack. | | | | | | | | | |Developer Portal is impacted. | | | | | | |IBM API Connect |2018.4.1.2| |Follow this link and find the appropriate| |V2018.1-2018.4.1|fixpack |LI80736|form factor for your installation: | | | | | | | | | |http://www.ibm.com/support/fixcentral/swg| | | | |/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect& | | | | |release=2018.4.1&platform=All&function= | | | | |all&source=fc | +----------------+----------+-------+-----------------------------------------+ | | | |Addressed in 5.0.8.6 fixpack. | | | | | | | | | |Management server andDeveloper Portal are| | | | |impacted. | | | | | | | | | |Follow this link and find the | |IBM API Connect |5.0.8.6 | |APIConnect_Management and | |V5.0.8.0-5.0.8.5|fixpack |LI80736|APIConnect-Portal package. | | | | | | | | | | | | | | |http://www.ibm.com/support/fixcentral/swg| | | | |/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect& | | | | |release=5.0.8.5&platform=All&function=all| | | | |&source=fc | +----------------+----------+-------+-----------------------------------------+ Workarounds and Mitigations None Reference Complete CVSS v3 Guide On-line Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog IBM API Connect Support Lifecycle Policy (v2018) Change History March 27, 2019: Original bulletin published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXKQJ8maOgq3Tt24GAQixQg/9F/4KPR70oYz6Va61tdJAbniH8CXKObAT OZqLkcuF8ZwDeP9DpUm+nwygV2K+FEePYU8B5bCcsjVn8b+Ng9i1wK2DGljTvwnu NMpgTEMHi4xv0scuiULYJS6Z6v6kk4M80A844FPQRJUdMaobmppta+tM9oeZFKNL 8yZFTZwwn2idx8Cx7JIC/MmjJE0kpzh8UwgBHQG2YgHldJhakdPHLHJST7Fxb32n Dv+HJn5qPZ7R+8pDNZp+nsJg2H4BRm2GGq2GbW7HQ5l/GuSCkYpjmIlYUwSmYUqa 3i96igkRckvgI5Ik2c6rGwU4h+8tptFlOjC5BdYuha0uNWoOHuhD0TKw0cQ6pFXi gREMA2GxK0GbQzWGyCpyr3/Vu2ik2G+ztw5VIFk2zey8oQnhncWGBIfpleHMZmvK TbL78LhE5UEU7L4hIbc0ynggTm8T3NPTyVIopAmXqo4Bg8SDz2m1WF1kDMPNcRbc sYUTZITVo52Dk/T3u8Bd/uMfjTL1lqRRpZevp1A1Jky8mMoqtHT33eFLc/bVXxkp AQ3r4JTdwv16clIJCokMDS+0f6MQd0yTKn7A5RzyHVb0M60pIyg4aRSLS/OfKldY 40O3Q2pcxqtfgKR9UWOUxRB+7xV0ppPIIkNuHlFbbznNPYGrW5i+CNkVgFiU+xS6 JNt7DRIs6+4= =3QA7 -----END PGP SIGNATURE-----