===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1365.4
           Multiple vulnerabilities have been identified in IBM
                          Sterling B2B Integrator
                               5 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling B2B Integrator
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account      
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4377 CVE-2019-4258 CVE-2019-4222
                   CVE-2019-4148 CVE-2019-4146 CVE-2019-4077
                   CVE-2019-4076 CVE-2019-4075 CVE-2019-4074
                   CVE-2019-4073 CVE-2018-1720 

Reference:         ESB-2019.1365
                   ESB-2019.0275
                   ESB-2019.0147
                   ESB-2018.3882
                   ESB-2018.3464

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10880595
   https://www.ibm.com/support/docview.wss?uid=ibm10880591
   https://www.ibm.com/support/docview.wss?uid=ibm10880601
   https://www.ibm.com/support/docview.wss?uid=ibm10887853

Comment: This bulletin contains four (4) IBM security advisories.

Revision History:  August  5 2019: Added more vulnerable versions in #10887853,
                                   and #10880591
                   June   19 2019: Added vendor advisory #0887853.
                   April  30 2019: Vendor updated Security Bulletin Reference 
                                   #0880591 - Added APAR for newly added CVE
                   April  23 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling
B2B Integrator (CVE-2019-4146, CVE-2019-4222)

Document information

More support for: Sterling B2B Integrator

Software version: 6.0.0.0 - 6.0.0.1

Operating system(s): AIX, Linux, Windows

Reference #: 0880595

Modified date: 20 April 2019

Summary

IBM Sterling B2B Integrator Standard Edition has addressed the information
disclosure vulnerabilities.

Vulnerability Details

CVEID:  CVE-2019-4146
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow an
authenticated user to obtain sensitive document information under unusual
circumstances.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158401 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2019-4222
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow an
authenticated user to view process definition of a business process without
permission.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159231 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)


Affected Products and Versions

IBM Sterling B2B Integrator 6.0.0.0 - 6.0.0.1


Remediation/Fixes

+-----------------+-----------------------------+-----------------------------+
|PRODUCT & Version|APAR                         |Remediation/Fix              |
+-----------------+-----------------------------+-----------------------------+
|IBM Sterling B2B |IT28176, IT28467,            |Apply IBM Sterling B2B       |
|Integrator       |IT28468, and IT28177         |Integrator version 6.0.1.0 on|
|6.0.0.0 - 6.0.0.1|                             |Fix Central                  |
+-----------------+-----------------------------+-----------------------------+


Workarounds and Mitigations

None


Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

19 April 2019: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM
Sterling B2B Integrator

Document information

More support for: Sterling B2B Integrator

Software version: 5.2.0.0 - 6.0.0.1

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Reference #: 0880591

Modified date: 02 August 2019

Summary

IBM Sterling B2B Integrator Standard Edition has addressed the cross-site
scripting vulnerabilities.

Vulnerability Details

CVEID:  CVE-2019-4073
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157107 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4074
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157108 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4075
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4076
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4077
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157111 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4148
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158414 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2019-4258
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159946 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2.0.0 - 6.0.0.1

Remediation/Fixes

+--------------+----------------------------------------------------------------+-----------------------+
|PRODUCT &     |APAR                                                            |Remediation/Fix        |
|Version       |                                                                |                       |
+--------------+----------------------------------------------------------------+-----------------------+
|IBM Sterling  |IT28063, IT28292, IT28300, IT28310,  IT28306,  IT28166,  IT28698|Apply IBM Sterling B2B |
|B2B Integrator|                                                                |Integrator version     |
|5.2.0.0 -     |                                                                |5.2.6.4_2 or 6.0.1.0 on|
|6.0.0.1       |                                                                |Fix Central            |
+--------------+----------------------------------------------------------------+-----------------------+

Workarounds and Mitigations

None


Change History

19 April 2019: Original document published
29 April 2019: Added APAR for newly added CVE
02 August 2019: Added new version numbers

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Weak Cryptographic Algorithm Vulnerability Affects IBM
Sterling B2B Integrator (CVE-2018-1720)

Document information

More support for: Sterling B2B Integrator

Software version: 5.2.0.1 - 6.0.0.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0880601

Modified date: 20 April 2019

Summary

IBM Sterling B2B Integrator Standard Edition has addressed the weak
cryptographic algorithm vulnerability.

Vulnerability Details

CVEID:  CVE-2018-1720
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition uses weaker than
expected cryptographic algorithms that could allow an attacker to decrypt
highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)


Affected Products and Versions

IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3_6 and 6.0.0.0


Remediation/Fixes

+----------------------------+------------------------------------------------+
|Product & Version           |Remediation/Fix                                 |
+----------------------------+------------------------------------------------+
|IBM Sterling B2B Integrator |Apply IBM Sterling B2B Integrator version       |
|5.2.0.1 - 5.2.6.3_6         |5.2.6.3_9, 5.2.6.4_1, 6.0.0.1 or 6.0.1.0 on Fix |
|                            |Central                                         |
+----------------------------+------------------------------------------------+
|IBM Sterling B2B Integrator |Apply IBM Sterling B2B Integrator version       |
|6.0.0.0                     |6.0.0.1 or 6.0.1.0 on Fix Central               |
+----------------------------+------------------------------------------------+


Workarounds and Mitigations

None


Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

19 April 2019: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Information Disclosure Vulnerability Affects IBM Sterling
B2B Integrator (CVE-2019-4377)

Document information

More support for: Sterling B2B Integrator

Software version: 5.2.0.0 - 6.0.0.1

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Reference #: 0887853

Modified date: 02 August 2019

Summary

IBM Sterling B2B Integrator Standard Edition has addressed the information
disclosure vulnerability.

Vulnerability Details

CVEID:  CVE-2019-4377
DESCRIPTION: IBM Sterling B2B Integrator Standard Edition reveals sensitive
information from a stack trace that could be used in further attacks against
the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162083 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
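
Each of the four bulletins above gives a CVSS v3.0 vector next to its base score. The following is an added example, not part of the IBM or AusCERT text: it implements the v3.0 base-score equations from the FIRST specification and checks the vectors printed in these bulletins against the published scores, so a reader can re-score a vector (for instance after changing PR or AV to match their own deployment). The names W, BASE, PUBLISHED and mismatches are this example's own choices; roundup uses the integer-arithmetic rounding method from the v3.1 specification, which gives the same results here and avoids floating-point artefacts.

```python
import math

# Metric weights from the CVSS v3.0 specification (FIRST); PR depends on Scope.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},   # Scope Unchanged
    "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},   # Scope Changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def parse_vector(vector):
    """Return the eight base metrics of a CVSS v3.0 vector as a dict."""
    text = vector.strip().strip("()")            # the bulletins wrap vectors in ()
    if not text.startswith("CVSS:3.0/"):
        raise ValueError("not a CVSS v3.0 vector: %r" % vector)
    metrics = dict(part.split(":", 1) for part in text.split("/")[1:])
    if any(k not in metrics for k in BASE):
        raise ValueError("vector lacks base metrics: %r" % vector)
    return metrics

def roundup(value):
    """Smallest one-decimal number >= value (v3.1 integer method, so a float
    artefact such as 4.0000001 cannot round up to 4.1)."""
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0

def base_score(vector):
    """Compute the CVSS v3.0 base score for a vector string."""
    v = parse_vector(vector)
    changed = v["S"] == "C"
    cia = W["CIA"]
    iss = 1 - (1 - cia[v["C"]]) * (1 - cia[v["I"]]) * (1 - cia[v["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = W["PRC" if changed else "PR"][v["PR"]]
    exploitability = 8.22 * W["AV"][v["AV"]] * W["AC"][v["AC"]] * pr * W["UI"][v["UI"]]
    if impact <= 0:
        return 0.0
    total = (impact + exploitability) * (1.08 if changed else 1.0)
    return roundup(min(total, 10))

# Vectors and published base scores copied from the bulletins above. CVE-2019-4377
# shares the CVE-2019-4222 vector; the XSS CVEs scored 5.4 all share one vector.
PUBLISHED = {
    "CVE-2019-4146": ("(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)", 3.1),
    "CVE-2019-4222": ("(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)", 4.3),
    "CVE-2019-4073": ("(CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)", 5.4),
    "CVE-2019-4148": ("(CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N)", 4.0),
    "CVE-2018-1720": ("(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)", 5.9),
}

def mismatches():
    """Return {CVE: (computed, published)} for any vector whose score disagrees."""
    return {cve: (base_score(vec), pub) for cve, (vec, pub) in PUBLISHED.items()
            if base_score(vec) != pub}
```

Running mismatches() against the bulletins' vectors returns an empty dict, i.e. every published score is reproduced by the equations.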

Affected Products and Versions

IBM Sterling B2B Integrator 5.2.0.0 - 6.0.0.1

Remediation/Fixes

+-----------------+----------------------------+-----------------------------+
|PRODUCT & Version|APAR                        |Remediation/Fix              |
+-----------------+----------------------------+-----------------------------+
|IBM Sterling B2B |IT28113                     |Apply IBM Sterling B2B       |
|Integrator       |                            |Integrator version 5.2.6.4_2 |
|5.2.0.0 - 6.0.0.1|                            |or 6.0.1.0 on Fix Central    |
+-----------------+----------------------------+-----------------------------+

Workarounds and Mitigations

None


Change History

17 June 2019: Original document published
02 August 2019: Added more vulnerable versions
26 June 2019: Republish original document

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================