Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1524
IBM API Connect security updates
3 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM API Connect
Publisher: IBM
Operating System: Windows
Linux variants
Virtualisation
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-9741 CVE-2018-3721 CVE-2018-2015
CVE-2016-10531
Reference: ESB-2019.1130
ESB-2019.1121
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10882596
http://www.ibm.com/support/docview.wss?uid=ibm10882756
http://www.ibm.com/support/docview.wss?uid=ibm10882762
Comment: This bulletin contains three (3) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
API Connect V2018 is impacted by a vulnerability in Golang (CVE-2019-9741)
Product: IBM API Connect
Software version: 2018.1-2018.4.1.4
Operating system(s): Platform Independent
Reference #: 0882596
Security Bulletin
Summary
IBM API Connect has addressed the following vulnerability.
Vulnerability Details
CVEID: CVE-2019-9741
DESCRIPTION: Golang GO is vulnerable to HTTP header injection, caused by
improper validation of input in the http.NewRequest. By sending a
specially-crafted request, a remote attacker could exploit this vulnerability
to inject arbitrary HTTP headers, which will allow the attacker to conduct
various attacks against the vulnerable system, including cross-site scripting,
cache poisoning or session hijacking.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
158137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect |2018.1-2018.4.1.4|
+---------------------------+-----------------+
Remediation/Fixes
+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR | Remediation / First Fix |
| | VRMF | | |
+------------------+----------+-------+---------------------------------------+
| | | |Addressed in IBM API Connect |
| | | |v2018.4.1.5fixpack. |
| | | |All components are impacted. |
| | | | |
| | | |Follow this link and find the |
| | | |appropriate form factor for your |
|IBM API Connect |2018.4.1.5|LI80814|installation: "management" , "portal", |
|V2018.1-2018.4.1.4|fixpack | |"analytics" or apicup* or *ICP* for |
| | | |2018.4.1.5. |
| | | |http://www.ibm.com/support/fixcentral/ |
| | | |swg/quickorderparent=ibm%7EWebSphere& |
| | | |product=ibm/WebSphere/IBM+API+Connect& |
| | | |release=2018.4.1.4&platform=All& |
| | | |function=all&source=fc |
+------------------+----------+-------+---------------------------------------+
Workarounds and Mitigations
None
IBM API Connect Support Lifecycle Policy
Change History
April 29, 2019: Original bulletin published
- --------------------------------------------------------------------------------
IBM API Connect is affected by a clickjacking vulnerability (CVE-2018-2015)
Product: IBM API Connect
Component: Management Server
Software version: 2018.1-2018.4.1.4
Operating system(s): Platform Independent
Reference #: 0882756
Security Bulletin
Summary
IBM API Connect has addressed the following vulnerability.
Vulnerability Details
CVEID: CVE-2018-2015
DESCRIPTION: IBM API Connect could allow a remote attacker to hijack the
clicking action of the victim. By persuading a victim to visit a malicious Web
site, a remote attacker could exploit this vulnerability to hijack the victim's
click actions and possibly launch further attacks against the victim.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155195 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
Affected Products and Versions
+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect |2018.1-2018.4.1.4|
+---------------------------+-----------------+
Remediation/Fixes
+------------------+----------+-------+---------------------------------------+
| Affected Product | Fixed in | APAR | Remediation / First Fix |
| | VRMF | | |
+------------------+----------+-------+---------------------------------------+
| | | |Addressed in IBM API Connect |
| | | |v2018.4.1.5fixpack. |
| | | | |
| | | |Management server is impacted. |
| | | | |
|IBM API Connect |2018.4.1.5| |Follow this link and find the |
|V2018.1-2018.4.1.4|fixpack |LI80817|appropriate form factor for your |
| | | |installationfor 2018.4.1.5. |
| | | |http://www.ibm.com/support/fixcentral/ |
| | | |swg/quickorderparent=ibm%7EWebSphere& |
| | | |product=ibm/WebSphere/IBM+API+Connect& |
| | | |release=2018.4.1.4&platform=All& |
| | | |function=all&source=fc |
+------------------+----------+-------+---------------------------------------+
Workarounds and Mitigations
None
Change History
April 29, 2019: Original bulletin published
Product Alias/Synonym
API Connect
APIC
- --------------------------------------------------------------------------------
IBM API Connect is affected by vulnerabilities in Node JS modules
(CVE-2018-3721 CVE-2016-10531)
Product: IBM API Connect
Component: Management Server
Software version: 2018.1-2018.4.1.4
Operating system(s): Platform Independent
Reference #: 0882762
Security Bulletin
Summary
IBM API Connect has addressed the following vulnerabilities.
Vulnerability Details
CVEID: CVE-2018-3721
DESCRIPTION: Node.js lodash module could allow a remote attacker to bypass
security restrictions, caused by a flaw in the defaultsDeep, 'merge, and
mergeWith functions. By modifing the prototype of Object, an attacker could
exploit this vulnerability to add or modify existing property that will exist
on all objects.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144603 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-10531
DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting,
caused by improper validation of user-supplied input by the link components. A
remote attacker could exploit this vulnerability to inject malicious script
into a Web page which would be executed in a victim's Web browser within the
security context of the hosting Web site, once the page is viewed. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
149101 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect |2018.1-2018.4.1.4|
+---------------------------+-----------------+
Remediation/Fixes
+------------------+----------+-------+---------------------------------------+
| Affected Product | Fixed in | APAR | Remediation / First Fix |
| | VRMF | | |
+------------------+----------+-------+---------------------------------------+
| | | |Addressed in IBM API Connect |
| | | |v2018.4.1.5fixpack. |
| | | | |
| | | |Management server is impacted. |
| | | | |
|IBM API Connect |2018.4.1.5| |Follow this link and find the |
|V2018.1-2018.4.1.4|fixpack |LI80819|appropriate form factor for your |
| | | |installation. |
| | | |http://www.ibm.com/support/fixcentral/ |
| | | |swg/quickorderparent=ibm%7EWebSphere& |
| | | |product=ibm/WebSphere/IBM+API+Connect& |
| | | |release=2018.4.1.4&platform=All& |
| | | |function=all&source=fc |
+------------------+----------+-------+---------------------------------------+
Workarounds and Mitigations
None
Change History
April 29, 2019: Original bulletin published
Product Alias/Synonym
API Connect
APIC
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXMuYdGaOgq3Tt24GAQjkmg//YHUr8+MqawsGH/dKO2UVt6hYZHoiqfbz
OLSab++Vl3CE1kYH+67Vr6jX00hTKdb+HNFKSDSYx85pIFtcUwFY19h3onZoGODE
BAZtKYH5GMgdXSVNrBHxu4fe2Nq3u5rnwoD3YDO4TmX+jKC16W8O/71oXlx0uT9R
gsWdm3z02b43kAjztLrHE61t78d+I5BmNO7II2lpkirVMo7pfttq4R8y+rwUpdno
QnHfQ8InBk/nRY48UkA0K8XWnTUFdh4GY6zO8Yt/wLaWkcVTU2grvQ1NeWqFFPlW
4rHDs72LZdKf1SXaEVpQlbS2zZSks9xgWtpCPy/oz4StYyZE7bXMmSdAL3IOWOrw
7jVE4NwZp0sxxXqtDSuQhIw+M363kSUzyfTu4mE+OtiRid7uJwJpgcwVDvORPmFt
HjK2J4ELJwqbWUs1qHI+B7O+cnZUKzryaZ4DzddVzA6usWsF2I63C6sEa/Ndzzaf
qL3NGfhqsPm5S4xB9xKzwrbd8mawjqWYkSCvF1WiABy2R5c6+fCCUFrN9D6KGC0d
91I7onULPJzjFQCbmdhP/34r/UYtkuBEtdRkPrI+/mNroaFMoMykJWuLjQpfBePR
DHzKgoSgBy7kGfm2z/W1yEfEyHyJ5MIfaim4qjlZSaNMi2/jP6Z0EvxKoG08vSR1
b7I6oCrA/AA=
=4MfM
-----END PGP SIGNATURE-----