-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1541
  Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Orchestrator
                    and IBM Cloud Orchestrator Enterprise
                                 3 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Orchestrator
                   IBM Cloud Orchestrator Enterprise
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3180 CVE-2018-3139
Reference:         ESB-2018.3482
                   ESB-2018.3164

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10796092

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Orchestrator and
IBM Cloud Orchestrator Enterprise

Product:             IBM Cloud Orchestrator
Software version:    2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5, 2.5,
                     2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5
Operating system(s): AIX
Reference #:         0796092

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK, Java Technology Edition, which
is used by the IBM WebSphere Application Server shipped with IBM Cloud
Orchestrator and IBM Cloud Orchestrator Enterprise. These issues were disclosed
as part of the IBM SDK, Java Technology Edition Quarterly CPU - Oct 2018 -
Includes Oracle Oct 2018 CPU. These issues were also addressed by the IBM
WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud
Orchestrator Enterprise.
Vulnerability Details

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component
could allow an unauthenticated attacker to cause low confidentiality impact,
low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information, resulting in a low confidentiality impact, using unknown attack
vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/151455 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------+------------------------------------------------------------+
|Principal Product and      |Affected Supporting Product and Version                     |
|Version(s)                 |                                                            |
+---------------------------+------------------------------------------------------------+
|IBM Cloud Orchestrator and | o WebSphere Application Server V8.5.5 through V8.5.5.13    |
|IBM Cloud Orchestrator     | o IBM Tivoli System Automation Application Manager 4.1     |
|Enterprise Edition V2.5,   |                                                            |
|V2.5.0.1, V2.5.0.2,        |                                                            |
|V2.5.0.3, V2.5.0.4,        |                                                            |
|V2.5.0.5, V2.5.0.6,        |                                                            |
|V2.5.0.7                   |                                                            |
+---------------------------+------------------------------------------------------------+
|IBM Cloud Orchestrator and | o WebSphere Application Server V8.5.0.1 through V8.5.5.12  |
|IBM Cloud Orchestrator     | o IBM Tivoli System Automation Application Manager 4.1     |
|Enterprise V2.4, V2.4.0.1, |                                                            |
|V2.4.0.2, V2.4.0.3,        |                                                            |
|V2.4.0.4, V2.4.0.5         |                                                            |
+---------------------------+------------------------------------------------------------+

Remediation/Fixes

These issues were addressed by IBM Cloud Orchestrator and IBM Cloud
Orchestrator Enterprise through the bundled product IBM WebSphere Application
Server.

+------------------------+----------------+--------------------------------------------------+
|Product                 |VRMF            |Remediation/First Fix                             |
+------------------------+----------------+--------------------------------------------------+
| o IBM Cloud            |V2.5, V2.5.0.1, |Upgrade to IBM Cloud Orchestrator 2.5 Fix Pack 8: |
|   Orchestrator and     |V2.5.0.2,       |https://www-01.ibm.com/support/docview.wss?uid=   |
|   Cloud Orchestrator   |V2.5.0.4,       |ibm10739511                                       |
|   Enterprise           |V2.5.0.5,       |                                                  |
|                        |V2.5.0.6,       |                                                  |
|                        |V2.5.0.7        |                                                  |
+------------------------+----------------+--------------------------------------------------+
| o IBM Cloud            |V2.4, V2.4.0.1, |To remediate, do the following steps, upgrade to  |
|   Orchestrator and     |V2.4.0.2,       |minimal fix pack level as required by interim fix |
|   Cloud Orchestrator   |V2.4.0.4,       |and apply the appropriate Interim to your         |
|   Enterprise           |V2.4.0.5        |environment as soon as practical. For details, see|
|                        |                |Security Bulletin: Multiple Vulnerabilities in IBM|
|                        |                |Java SDK affect WebSphere Application Server      |
|                        |                |October 2018 CPU.                                 |
+------------------------+----------------+--------------------------------------------------+

Refer to the following security bulletins for vulnerability details and
information about fixes addressed by WebSphere Application Server and IBM
Tivoli System Automation Application Manager shipped with IBM Cloud
Orchestrator and IBM Cloud Orchestrator Enterprise.

+-------------------------------+----------------------------------+-------------------------------------------+
|Principal Product and          |Affected Supporting Product and   |Affected Supporting Product Security       |
|Version(s)                     |Version                           |Bulletin                                   |
+-------------------------------+----------------------------------+-------------------------------------------+
|IBM Cloud Orchestrator and IBM |WebSphere Application Server      |Security Bulletin: Multiple Vulnerabilities|
|Cloud Orchestrator Enterprise  |V8.5.5 through V8.5.5.13          |in IBM Java SDK affect WebSphere           |
|Edition V2.5, V2.5.0.1,        |                                  |Application Server October 2018 CPU        |
|V2.5.0.2, V2.5.0.3, V2.5.0.4,  +----------------------------------+-------------------------------------------+
|V2.5.0.5, V2.5.0.6, V2.5.0.7   |IBM Tivoli System Automation      |Security Bulletin: Multiple vulnerabilities|
|                               |Application Manager 4.1           |in IBM Java SDK affect IBM Tivoli System   |
|                               |                                  |Automation Application Manager             |
|                               |                                  |(CVE-2018-3180, CVE-2018-3139)             |
+-------------------------------+----------------------------------+-------------------------------------------+
|IBM Cloud Orchestrator and IBM |WebSphere Application Server      |Security Bulletin: Multiple Vulnerabilities|
|Cloud Orchestrator Enterprise  |V8.5.0.1 through V8.5.5.12        |in IBM Java SDK affect WebSphere           |
|V2.4, V2.4.0.1, V2.4.0.2,      |                                  |Application Server October 2018 CPU        |
|V2.4.0.3, V2.4.0.4, V2.4.0.5   +----------------------------------+-------------------------------------------+
|                               |IBM Tivoli System Automation      |Security Bulletin: Multiple vulnerabilities|
|                               |Application Manager 4.1           |in IBM Java SDK affect IBM Tivoli System   |
|                               |                                  |Automation Application Manager             |
|                               |                                  |(CVE-2018-3180, CVE-2018-3139)             |
+-------------------------------+----------------------------------+-------------------------------------------+

Workarounds and Mitigations

None

IBM Java SDK Security Bulletin

Change History

02 May 2019: Original Version Published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================