Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1524 IBM API Connect security updates 3 May 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM API Connect Publisher: IBM Operating System: Windows Linux variants Virtualisation Impact/Access: Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-9741 CVE-2018-3721 CVE-2018-2015 CVE-2016-10531 Reference: ESB-2019.1130 ESB-2019.1121 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10882596 http://www.ibm.com/support/docview.wss?uid=ibm10882756 http://www.ibm.com/support/docview.wss?uid=ibm10882762 Comment: This bulletin contains three (3) IBM security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- API Connect V2018 is impacted by a vulnerability in Golang (CVE-2019-9741) Product: IBM API Connect Software version: 2018.1-2018.4.1.4 Operating system(s): Platform Independent Reference #: 0882596 Security Bulletin Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-9741 DESCRIPTION: Golang GO is vulnerable to HTTP header injection, caused by improper validation of input in the http.NewRequest. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base Score: 6.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158137 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Affected Products and Versions +---------------------------+-----------------+ |Affected IBM API Management|Affected Versions| +---------------------------+-----------------+ |IBM API Connect |2018.1-2018.4.1.4| +---------------------------+-----------------+ Remediation/Fixes +------------------+----------+-------+---------------------------------------+ |Affected releases | Fixed in | APAR | Remediation / First Fix | | | VRMF | | | +------------------+----------+-------+---------------------------------------+ | | | |Addressed in IBM API Connect | | | | |v2018.4.1.5fixpack. | | | | |All components are impacted. | | | | | | | | | |Follow this link and find the | | | | |appropriate form factor for your | |IBM API Connect |2018.4.1.5|LI80814|installation: "management" , "portal", | |V2018.1-2018.4.1.4|fixpack | |"analytics" or apicup* or *ICP* for | | | | |2018.4.1.5. | | | | |http://www.ibm.com/support/fixcentral/ | | | | |swg/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect& | | | | |release=2018.4.1.4&platform=All& | | | | |function=all&source=fc | +------------------+----------+-------+---------------------------------------+ Workarounds and Mitigations None IBM API Connect Support Lifecycle Policy Change History April 29, 2019: Original bulletin published - -------------------------------------------------------------------------------- IBM API Connect is affected by a clickjacking vulnerability (CVE-2018-2015) Product: IBM API Connect Component: Management Server Software version: 2018.1-2018.4.1.4 Operating system(s): Platform Independent Reference #: 0882756 Security Bulletin Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-2015 DESCRIPTION: IBM API Connect could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. CVSS Base Score: 6.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 155195 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) Affected Products and Versions +---------------------------+-----------------+ |Affected IBM API Management|Affected Versions| +---------------------------+-----------------+ |IBM API Connect |2018.1-2018.4.1.4| +---------------------------+-----------------+ Remediation/Fixes +------------------+----------+-------+---------------------------------------+ | Affected Product | Fixed in | APAR | Remediation / First Fix | | | VRMF | | | +------------------+----------+-------+---------------------------------------+ | | | |Addressed in IBM API Connect | | | | |v2018.4.1.5fixpack. | | | | | | | | | |Management server is impacted. | | | | | | |IBM API Connect |2018.4.1.5| |Follow this link and find the | |V2018.1-2018.4.1.4|fixpack |LI80817|appropriate form factor for your | | | | |installationfor 2018.4.1.5. | | | | |http://www.ibm.com/support/fixcentral/ | | | | |swg/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect& | | | | |release=2018.4.1.4&platform=All& | | | | |function=all&source=fc | +------------------+----------+-------+---------------------------------------+ Workarounds and Mitigations None Change History April 29, 2019: Original bulletin published Product Alias/Synonym API Connect APIC - -------------------------------------------------------------------------------- IBM API Connect is affected by vulnerabilities in Node JS modules (CVE-2018-3721 CVE-2016-10531) Product: IBM API Connect Component: Management Server Software version: 2018.1-2018.4.1.4 Operating system(s): Platform Independent Reference #: 0882762 Security Bulletin Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-3721 DESCRIPTION: Node.js lodash module could allow a remote attacker to bypass security restrictions, caused by a flaw in the defaultsDeep, 'merge, and mergeWith functions. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144603 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2016-10531 DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 149101 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Affected Products and Versions +---------------------------+-----------------+ |Affected IBM API Management|Affected Versions| +---------------------------+-----------------+ |IBM API Connect |2018.1-2018.4.1.4| +---------------------------+-----------------+ Remediation/Fixes +------------------+----------+-------+---------------------------------------+ | Affected Product | Fixed in | APAR | Remediation / First Fix | | | VRMF | | | +------------------+----------+-------+---------------------------------------+ | | | |Addressed in IBM API Connect | | | | |v2018.4.1.5fixpack. | | | | | | | | | |Management server is impacted. | | | | | | |IBM API Connect |2018.4.1.5| |Follow this link and find the | |V2018.1-2018.4.1.4|fixpack |LI80819|appropriate form factor for your | | | | |installation. | | | | |http://www.ibm.com/support/fixcentral/ | | | | |swg/quickorderparent=ibm%7EWebSphere& | | | | |product=ibm/WebSphere/IBM+API+Connect& | | | | |release=2018.4.1.4&platform=All& | | | | |function=all&source=fc | +------------------+----------+-------+---------------------------------------+ Workarounds and Mitigations None Change History April 29, 2019: Original bulletin published Product Alias/Synonym API Connect APIC - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXMuYdGaOgq3Tt24GAQjkmg//YHUr8+MqawsGH/dKO2UVt6hYZHoiqfbz OLSab++Vl3CE1kYH+67Vr6jX00hTKdb+HNFKSDSYx85pIFtcUwFY19h3onZoGODE BAZtKYH5GMgdXSVNrBHxu4fe2Nq3u5rnwoD3YDO4TmX+jKC16W8O/71oXlx0uT9R gsWdm3z02b43kAjztLrHE61t78d+I5BmNO7II2lpkirVMo7pfttq4R8y+rwUpdno QnHfQ8InBk/nRY48UkA0K8XWnTUFdh4GY6zO8Yt/wLaWkcVTU2grvQ1NeWqFFPlW 4rHDs72LZdKf1SXaEVpQlbS2zZSks9xgWtpCPy/oz4StYyZE7bXMmSdAL3IOWOrw 7jVE4NwZp0sxxXqtDSuQhIw+M363kSUzyfTu4mE+OtiRid7uJwJpgcwVDvORPmFt HjK2J4ELJwqbWUs1qHI+B7O+cnZUKzryaZ4DzddVzA6usWsF2I63C6sEa/Ndzzaf qL3NGfhqsPm5S4xB9xKzwrbd8mawjqWYkSCvF1WiABy2R5c6+fCCUFrN9D6KGC0d 91I7onULPJzjFQCbmdhP/34r/UYtkuBEtdRkPrI+/mNroaFMoMykJWuLjQpfBePR DHzKgoSgBy7kGfm2z/W1yEfEyHyJ5MIfaim4qjlZSaNMi2/jP6Z0EvxKoG08vSR1 b7I6oCrA/AA= =4MfM -----END PGP SIGNATURE-----