-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1558
    IBM TRIRIGA Application Platform could disclose sensitive information
                               (CVE-2018-2008)
                                  6 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM TRIRIGA Application Platform
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service         -- Remote/Unauthenticated
                   Access Confidential Data  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4208 CVE-2019-4207 CVE-2018-15786 CVE-2018-15756
                   CVE-2018-2018 CVE-2018-2008
Reference:         ASB-2019.0122
                   ESB-2019.1437
                   ESB-2019.1052
                   ESB-2019.0755

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10879463
   http://www.ibm.com/support/docview.wss?uid=ibm10880261
   http://www.ibm.com/support/docview.wss?uid=ibm10880263
   http://www.ibm.com/support/docview.wss?uid=ibm10879449

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM TRIRIGA Application Platform could disclose sensitive information
(CVE-2018-2008)

Product:             IBM TRIRIGA Application Platform
Component:           IBM TRIRIGA Application Platform Runtime Engine
Software version:    3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #:         0879463

Security Bulletin

Summary

IBM TRIRIGA Application Platform has addressed the following vulnerability:
CVE-2018-2018, IBM TRIRIGA Application Platform could disclose sensitive
information to an authenticated user that could aid in further attacks against
the system.

Vulnerability Details

CVEID: CVE-2018-2008
DESCRIPTION: IBM TRIRIGA Application Platform could disclose sensitive
information to an authenticated user that could aid in further attacks against
the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155146
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------------------+---------------------------+
| Affected TRIRIGA                                  | Affected Versions         |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.5.3                      |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.6.0                      |
+---------------------------------------------------+---------------------------+

Remediation/Fixes

+---------------------+-----------+---------------------------------------+
|Product              |VRMF       | Remediation/First Fix                 |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.5.3.6    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.6.0.3    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+

Workarounds and Mitigations

None

Change History

03 May 2019: Original version published

- -------------------------------------------------------------------------------

IBM TRIRIGA Application Platform may disclose sensitive information
(CVE-2019-4207)

Product:             IBM TRIRIGA Application Platform
Software version:    3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #:         0880261

Security Bulletin

Summary

IBM TRIRIGA Application Platform may disclose sensitive information only
available to a local user that could be used in further attacks against the
system.

Vulnerability Details

CVEID: CVE-2019-4207
DESCRIPTION: IBM TRIRIGA Application Platform may disclose sensitive
information only available to a local user that could be used in further
attacks against the system.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159128
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------------------+---------------------------+
| Affected TRIRIGA                                  | Affected Versions         |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.5.3                      |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.6.0                      |
+---------------------------------------------------+---------------------------+

Remediation/Fixes

+---------------------+-----------+---------------------------------------+
|Product              |VRMF       | Remediation/First Fix                 |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.5.3.6    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.6.0.3    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+

Workarounds and Mitigations

None

Change History

03 May 2019: Original version published

- -------------------------------------------------------------------------------

IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack
when processing XML data (CVE-2019-4208)

Product:             IBM TRIRIGA Application Platform
Software version:    3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #:         0880263

Security Bulletin

Summary

IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack
when processing XML data. A remote attacker could exploit this vulnerability
to expose sensitive information or consume memory resources.

Vulnerability Details

CVEID: CVE-2019-4208
DESCRIPTION: IBM TRIRIGA is vulnerable to an XML External Entity Injection
(XXE) attack when processing XML data. A remote attacker could exploit this
vulnerability to expose sensitive information or consume memory resources.
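The description above names the flaw class but shows no code. The Python below is an added example, not IBM TRIRIGA's code and not part of the advisory, of the parse a service should apply to XML received from its users: the DOCTYPE, entity-declaration and external-entity hooks of the standard-library expat parser are set to abort, which blocks both outcomes the description lists (disclosure through an external entity, and memory exhaustion through nested entity expansion), and it generalises to any XML consumer, not just this product. The sample documents, the `file:///placeholder/path` entity target and the function names are constructed for this example.

```python
import xml.parsers.expat as expat
from typing import List, Tuple


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML tries to use DTD or entity features."""


def parse_untrusted_xml(document: str) -> List[Tuple[str, str]]:
    """Parse XML from an untrusted source with all DTD processing refused.

    Returns (tag, text) pairs for every element carrying non-blank text.
    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse before an entity can be resolved or expanded.
    """
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} refused: DTDs are not accepted")

    def refuse_entity_decl(name, is_parameter, value, base, system_id,
                           public_id, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    def refuse_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference to {system_id!r} refused")

    # Layered: the DOCTYPE handler fires first; the other two only matter if
    # someone later relaxes the DOCTYPE rule.
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref

    stack: List[Tuple[str, List[str]]] = []   # (tag, text chunks) per open element
    leaves: List[Tuple[str, str]] = []

    def start_element(name, attrs):
        stack.append((name, []))

    def character_data(chunk):
        stack[-1][1].append(chunk)

    def end_element(name):
        _, buffer = stack.pop()
        text = "".join(buffer).strip()
        if text:
            leaves.append((name, text))

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element

    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML rejected: {exc}") from exc
    return leaves


def triage(document: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one document."""
    try:
        parse_untrusted_xml(document)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed samples (not from the advisory): a benign request body and one
# that declares an external entity, the pattern an XXE attack relies on.
BENIGN_SAMPLE = (
    '<?xml version="1.0"?>'
    '<record><name>building-42</name><floor>3</floor></record>'
)
XXE_SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE record [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>\n'
    '<record><name>&ext;</name></record>'
)

if __name__ == "__main__":
    print(triage(BENIGN_SAMPLE))
    print(triage(XXE_SAMPLE))
```

The DOCTYPE refusal is the single control that matters: without a DTD there is no way to declare an entity at all, so both the external-entity read and the recursive-expansion memory attack are impossible, and the parser never needs to trust a URL or a size limit. An application that genuinely needs DTDs should validate against a locally stored schema instead of accepting one inline from the client.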
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159129
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

+---------------------------------------------------+---------------------------+
| Affected TRIRIGA                                  | Affected Versions         |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.5.3                      |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.6.0                      |
+---------------------------------------------------+---------------------------+

Remediation/Fixes

+---------------------+-----------+---------------------------------------+
|Product              |VRMF       | Remediation/First Fix                 |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.5.3.6    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.6.0.3    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+

Workarounds and Mitigations

None

Change History

03 May 2019: Original version published

- -------------------------------------------------------------------------------

Vulnerability in Pivotal Spring Framework affects IBM TRIRIGA Application
Platform (CVE-2018-15786)

Product:             IBM TRIRIGA Application Platform
Software version:    3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #:         0879449

Security Bulletin

Summary

Pivotal Spring Framework, used by IBM TRIRIGA Application Platform, is
vulnerable to a denial of service, caused by improper handling of range
requests by the ResourceHttpRequestHandler.
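The summary above names the ResourceHttpRequestHandler and its range-request handling but gives no code. As an added example, not Spring's or IBM's code and not part of the advisory, the Python below implements the front-door check a reverse proxy or request filter can apply before a request reaches a resource handler: parse the Range header strictly and refuse any request whose number of byte ranges exceeds a cap, which is the only property a range-flood abuses. The cap of 100, the sample header values and the function names are assumptions of this example, not values taken from the advisory or from the Spring fix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One byte-range-spec from RFC 7233 section 2.1:
#   "first-last", "first-" (open-ended) or "-suffix" (the last N bytes).
_BYTE_RANGE_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")


@dataclass(frozen=True)
class RangeVerdict:
    status: str        # "absent", "ok", "malformed" or "excessive"
    range_count: int
    detail: str = ""


def parse_byte_ranges(header_value: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse a Range header value such as 'bytes=0-99, 200-' into
    (first, last) pairs. None marks an open end, or an absent first position
    for a suffix range. Raises ValueError for anything malformed."""
    unit, sep, range_set = header_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("missing or unsupported range unit")
    ranges: List[Tuple[Optional[int], Optional[int]]] = []
    for spec in range_set.split(","):
        spec = spec.strip()
        match = _BYTE_RANGE_SPEC.match(spec)
        if match is None:
            raise ValueError(f"bad byte-range-spec {spec!r}")
        first, last, suffix = match.groups()
        if suffix is not None:
            ranges.append((None, int(suffix)))
            continue
        lo = int(first)
        hi = int(last) if last else None
        if hi is not None and hi < lo:
            raise ValueError(f"last-byte-pos precedes first-byte-pos in {spec!r}")
        ranges.append((lo, hi))
    return ranges


def assess_range_header(header_value: Optional[str],
                        max_ranges: int = 100) -> RangeVerdict:
    """Decide whether a request's Range header may reach the resource handler.
    max_ranges is a deployment choice; 100 is an assumed default here."""
    if header_value is None:
        return RangeVerdict("absent", 0)
    try:
        ranges = parse_byte_ranges(header_value)
    except ValueError as exc:
        return RangeVerdict("malformed", 0, str(exc))
    if len(ranges) > max_ranges:
        return RangeVerdict("excessive", len(ranges),
                            f"{len(ranges)} ranges exceed the limit of {max_ranges}")
    return RangeVerdict("ok", len(ranges))


# Constructed header values, not captured traffic: a download resume, a small
# multi-range request, a flood of thousands of ranges, and garbage.
SAMPLE_RANGE_HEADERS = {
    "resume": "bytes=1048576-",
    "two-ranges": "bytes=0-99, 200-299",
    "flood": "bytes=" + ",".join(f"{i}-{i}" for i in range(5000)),
    "garbage": "bytes=abc",
}

if __name__ == "__main__":
    for label, value in SAMPLE_RANGE_HEADERS.items():
        verdict = assess_range_header(value)
        print(f"{label:12} {verdict.status:10} ranges={verdict.range_count} {verdict.detail}")
```

A filter that returns an "excessive" or "malformed" verdict should answer with a plain 200 response for the whole resource or a 416, never attempt to serve the ranges, and log the verdict so that repeated floods from one client are visible to detection. The check is cheap precisely because it counts specs before any file I/O happens, which is the cost the unpatched handler paid per range.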
Vulnerability Details

CVEID: CVE-2018-15756
DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of service,
caused by improper handling of range requests by the ResourceHttpRequestHandler.
By adding a range header with a high number of ranges, a remote attacker could
exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151641
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

+---------------------------------------------------+---------------------------+
| Affected TRIRIGA                                  | Affected Versions         |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.5.3                      |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform                   |3.6.0                      |
+---------------------------------------------------+---------------------------+

Remediation/Fixes

+---------------------+-----------+---------------------------------------+
|Product              |VRMF       | Remediation/First Fix                 |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.5.3.6    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA          |3.6.0.3    |The fix is available for download on   |
|Application Platform |           |FixCentral.                            |
+---------------------+-----------+---------------------------------------+

Workarounds and Mitigations

None

Change History

03 May 2019: Original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXM+SyWaOgq3Tt24GAQj3bQ/+MZdqwrwbR2MAUyqBXuoNfbYWFGMOm24E
v8KRONh5BcIAZSeZvS+0uZDVxP23Z7VHvtEKhDs2r80qfk54k8BEYXOb0767Z8Rv
wUjUcDtu402aCpfsEU7dh/l+29HWk0dV8cI9Ks7xRfLTPBbG+i5FCQoyofyvm83n
j/b3TN3U+6fg0q9L7wsHFh14+NdlYRbNklaZa/44JOVsQgisSsgbgfJHyxHAsd3q
UiFOJKJ4zoCnzju3KajAx/doosfp990jkwM2RoGnDC7tkp68RbHe/KusOJxRyoxl
jYPdDbme2tNYjZi4u7Y4woDWgitAo6j524JQnucC3uegjUFqDUj8DOQQcR279Tgj
687E3JFVwxOFnw23tYrs81cm+CYAzr2avYvpk4J0UFADtOc71UWKo+8d+X6LvjJX
pDtXVrR7USD+cppcqDHShLgD18kYKQdVNAdkF8CLo1EzH5Rj+S+Z+miosJ/vgczy
4pOQWxiImlMkDwTBedp7LonSIcPU0PgjgNviXQRdDXHcgnsigx6maZrXHVWTDojs
oV2qKgqbxqyZ+FwuIl6Wdq5aIjp8Mj0ts7rH8UxUnxW1K7jgi4RQr0wYLl0NluYD
xYXg9j0FquPgSbjdUggbPryH0OKnwnPA9z3Ukd1BDODGaLSVQ9gncunV+VNLo2ye
5YYemzhiy1E=
=H3j+
-----END PGP SIGNATURE-----