===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1541
          Multiple vulnerabilities in IBM Java Runtime affect IBM
         Cloud Orchestrator and IBM Cloud Orchestrator Enterprise
                                3 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Orchestrator
                   IBM Cloud Orchestrator Enterprise
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3180 CVE-2018-3139 

Reference:         ESB-2018.3482
                   ESB-2018.3164

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10796092

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Orchestrator and
IBM Cloud Orchestrator Enterprise

Product:             IBM Cloud Orchestrator
Software version:    2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5, 2.5,
                     2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5
Operating system(s): AIX
Reference #:         0796092

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK, Java Technology Edition, which
is used by the IBM WebSphere Application Server shipped with IBM Cloud
Orchestrator and IBM Cloud Orchestrator Enterprise. These issues were disclosed
as part of the IBM SDK, Java Technology Edition Quarterly CPU - Oct 2018 -
Includes Oracle Oct 2018 CPU.

These issues were also addressed by IBM WebSphere Application Server shipped
with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.

Vulnerability Details

CVEID: CVE-2018-3180
DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component
could allow an unauthenticated attacker to cause low confidentiality impact,
low integrity impact, and low availability impact.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151497
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3139
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151455
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------+------------------------------------------------------------+
|Principal Product and      |Affected Supporting Product and Version                     |
|Version(s)                 |                                                            |
+---------------------------+------------------------------------------------------------+
|IBM Cloud Orchestrator and |  o WebSphere Application Server V8.5.5 through V8.5.5.13   |
|IBM Cloud Orchestrator     |  o IBM Tivoli System Automation Application Manager 4.1    |
|Enterprise Edition V2.5,   |                                                            |
|V2.5.0.1, V2.5.0.2,        |                                                            |
|V2.5.0.3, V2.5.0.4,        |                                                            |
|V2.5.0.5, V2.5.0.6,        |                                                            |
|V2.5.0.7                   |                                                            |
+---------------------------+------------------------------------------------------------+
|IBM Cloud Orchestrator and |  o WebSphere Application Server V8.5.0.1 through V8.5.5.12 |
|IBM Cloud Orchestrator     |  o IBM Tivoli System Automation Application Manager 4.1    |
|Enterprise V2.4, V2.4.0.1, |                                                            |
|V2.4.0.2, V2.4.0.3,        |                                                            |
|V2.4.0.4, V2.4.0.5         |                                                            |
+---------------------------+------------------------------------------------------------+

Remediation/Fixes

These issues were addressed by IBM Cloud Orchestrator and IBM Cloud
Orchestrator Enterprise through the bundled product IBM WebSphere Application
Server.

+------------------------+----------------+--------------------------------------------------+
|Product                 |VRMF            |Remediation/First Fix                             |
+------------------------+----------------+--------------------------------------------------+
|  o IBM Cloud           |V2.5, V2.5.0.1, |Upgrade to IBM Cloud Orchestrator 2.5 Fix Pack 8: |
|    Orchestrator and    |V2.5.0.2,       |https://www-01.ibm.com/support/docview.wss?uid=   |
|    Cloud Orchestrator  |V2.5.0.4,       |ibm10739511                                       |
|    Enterprise          |V2.5.0.5,       |                                                  |
|                        |V2.5.0.6,       |                                                  |
|                        |V2.5.0.7        |                                                  |
+------------------------+----------------+--------------------------------------------------+
|  o IBM Cloud           |V2.4, V2.4.0.1, |To remediate, upgrade to the minimal fix pack     |
|    Orchestrator and    |V2.4.0.2,       |level required by the interim fix and apply the   |
|    Cloud Orchestrator  |V2.4.0.4,       |appropriate interim fix to your environment as    |
|    Enterprise          |V2.4.0.5        |soon as practical. For details, see Security      |
|                        |                |Bulletin: Multiple Vulnerabilities in IBM Java SDK|
|                        |                |affect WebSphere Application Server October 2018  |
|                        |                |CPU.                                              |
+------------------------+----------------+--------------------------------------------------+

Refer to the following security bulletins for vulnerability details and
information about fixes addressed by WebSphere Application Server and IBM
Tivoli System Automation Application Manager shipped with IBM Cloud
Orchestrator and IBM Cloud Orchestrator Enterprise.

+---------------------------+----------------------------------+-----------------------------------+
|Principal Product and      |Affected Supporting Product and   |Affected Supporting Product        |
|Version(s)                 |Version                           |Security Bulletin                  |
+---------------------------+----------------------------------+-----------------------------------+
|IBM Cloud Orchestrator and |WebSphere Application Server      |Security Bulletin: Multiple        |
|IBM Cloud Orchestrator     |V8.5.5 through V8.5.5.13          |Vulnerabilities in IBM Java SDK    |
|Enterprise Edition V2.5,   |                                  |affect WebSphere Application       |
|V2.5.0.1, V2.5.0.2,        |IBM Tivoli System Automation      |Server October 2018 CPU            |
|V2.5.0.3, V2.5.0.4,        |Application Manager 4.1           |                                   |
|V2.5.0.5, V2.5.0.6,        |                                  |Security Bulletin: Multiple        |
|V2.5.0.7                   |                                  |vulnerabilities in IBM Java SDK    |
|                           |                                  |affect IBM Tivoli System           |
|                           |                                  |Automation Application Manager     |
|                           |                                  |(CVE-2018-3180, CVE-2018-3139)     |
+---------------------------+----------------------------------+-----------------------------------+
|IBM Cloud Orchestrator and |WebSphere Application Server      |Security Bulletin: Multiple        |
|IBM Cloud Orchestrator     |V8.5.0.1 through V8.5.5.12        |Vulnerabilities in IBM Java SDK    |
|Enterprise V2.4, V2.4.0.1, |                                  |affect WebSphere Application       |
|V2.4.0.2, V2.4.0.3,        |IBM Tivoli System Automation      |Server October 2018 CPU            |
|V2.4.0.4, V2.4.0.5         |Application Manager 4.1           |                                   |
|                           |                                  |Security Bulletin: Multiple        |
|                           |                                  |vulnerabilities in IBM Java SDK    |
|                           |                                  |affect IBM Tivoli System           |
|                           |                                  |Automation Application Manager     |
|                           |                                  |(CVE-2018-3180, CVE-2018-3139)     |
+---------------------------+----------------------------------+-----------------------------------+

Workarounds and Mitigations

None

IBM Java SDK Security Bulletin

Change History

02 May 2019: Original Version Published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================