Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1558
IBM TRIRIGA Application Platform could disclose sensitive
information (CVE-2018-2008)
6 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM TRIRIGA Application Platform
Publisher: IBM
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-4208 CVE-2019-4207 CVE-2018-15786
CVE-2018-15756 CVE-2018-2018 CVE-2018-2008
Reference: ASB-2019.0122
ESB-2019.1437
ESB-2019.1052
ESB-2019.0755
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10879463
http://www.ibm.com/support/docview.wss?uid=ibm10880261
http://www.ibm.com/support/docview.wss?uid=ibm10880263
http://www.ibm.com/support/docview.wss?uid=ibm10879449
Comment: This bulletin contains four (4) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
IBM TRIRIGA Application Platform could disclose sensitive information
(CVE-2018-2008)
Product: IBM TRIRIGA Application Platform
Component: IBM TRIRIGA Application Platform Runtime Engine
Software version: 3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #: 0879463
Security Bulletin
Summary
IBM TRIRIGA Application Platform has addressed the following vulnerability:
CVE-2018-2018, IBM TRIRIGA Application Platform could disclose sensitive
information to an authenticated user that could aid in further attacks against
the system.
Vulnerability Details
CVEID: CVE-2018-2008
DESCRIPTION: IBM TRIRIGA Application Platform could disclose sensitive
information to an authenticated user that could aid in further attacks against
the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155146 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+---------------------------------------------------+---------------------------+
| Affected Tririga | Affected Versions |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.5.3 |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.6.0 |
+---------------------------------------------------+---------------------------+
Remediation/Fixes
+----------------------+-----------+-----------+
|Product |VRMF |Remediation|
| | |/First Fix |
+----------------------+-----------+-----------+
| | |The fix is |
|IBM TRIRIGA | |available |
|Application Platform |3.5.3.6 |for |
| | |download on|
| | |FixCentral.|
+----------------------+-----------+-----------+
| | |The fix is |
| | |available |
|IBM TRIRIGA |3.6.0.3 |for |
|Application Platform | |download on|
| | |FixCentral |
| | |. |
+----------------------+-----------+-----------+
Workarounds and Mitigations
None
Change History
03 May 2019: Original version published
- -------------------------------------------------------------------------------
IBM TRIRIGA Application Platform may disclose sensitive information
(CVE-2019-4207)
Product: IBM TRIRIGA Application Platform
Software version: 3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #: 0880261
Security Bulletin
Summary
IBM TRIRIGA Application Platform may disclose sensitive information only
available to a local user that could be used in further attacks against the
system.
Vulnerability Details
CVEID: CVE-2019-4207
DESCRIPTION: IBM TRIRIGA Application Platform may disclose sensitive
information only available to a local user that could be used in further
attacks against the system.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/159128 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+---------------------------------------------------+---------------------------+
| Affected Tririga | Affected Versions |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.5.3 |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.6.0 |
+---------------------------------------------------+---------------------------+
Remediation/Fixes
+---------------------+-----------+---------------------------------------+
|Product |VRMF | Remediation/First Fix |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.5.3.6 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.6.0.3 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
Workarounds and Mitigations
None
Change History
03 May 2019: Original version published
- -------------------------------------------------------------------------------
IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack when
processing XML data (CVE-2019-4208)
Product: IBM TRIRIGA Application Platform
Software version: 3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #: 0880263
Security Bulletin
Summary
IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack when
processing XML data. A remote attacker could exploit this vulnerability to
expose sensitive information or consume memory resources.
Vulnerability Details
CVEID: CVE-2019-4208
DESCRIPTION: IBM TRIRIGA is vulnerable to an XML External Entity Injection
(XXE) attack when processing XML data. A remote attacker could exploit this
vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/159129 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Affected Products and Versions
+---------------------------------------------------+---------------------------+
| Affected Tririga | Affected Versions |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.5.3 |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.6.0 |
+---------------------------------------------------+---------------------------+
Remediation/Fixes
+---------------------+-----------+---------------------------------------+
|Product |VRMF | Remediation/First Fix |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.5.3.6 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.6.0.3 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
Workarounds and Mitigations
None
Change History
03 May 2019: Original version published
- -------------------------------------------------------------------------------
Vulnerability in Pivotal Spring Framework affects IBM TRIRIGA Application
Platform (CVE-2018-15786)
Product: IBM TRIRIGA Application Platform
Software version: 3.5.3, 3.6.0
Operating system(s): Platform Independent
Reference #: 0879449
Security Bulletin
Summary
Pivotal Spring Framework, used by IBM TRIRIGA Application Platform, is
vulnerable to a denial of service, caused by improper handling of range request
by the ResourceHttpRequestHandler.
Vulnerability Details
CVEID: CVE-2018-15756
DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of service,
caused by improper handling of range request by the ResourceHttpRequestHandler.
By adding a range header with a high number of ranges, a remote attacker could
exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/151641 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
+---------------------------------------------------+---------------------------+
| Affected Tririga | Affected Versions |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.5.3 |
+---------------------------------------------------+---------------------------+
|IBM TRIRIGA Application Platform |3.6.0 |
+---------------------------------------------------+---------------------------+
Remediation/Fixes
+---------------------+-----------+---------------------------------------+
|Product |VRMF | Remediation/First Fix |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.5.3.6 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
|IBM TRIRIGA |3.6.0.3 |The fix is available for download on |
|Application Platform | |FixCentral . |
+---------------------+-----------+---------------------------------------+
Workarounds and Mitigations
None
Change History
03 May 2019: Original version published
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXM+SyWaOgq3Tt24GAQj3bQ/+MZdqwrwbR2MAUyqBXuoNfbYWFGMOm24E
v8KRONh5BcIAZSeZvS+0uZDVxP23Z7VHvtEKhDs2r80qfk54k8BEYXOb0767Z8Rv
wUjUcDtu402aCpfsEU7dh/l+29HWk0dV8cI9Ks7xRfLTPBbG+i5FCQoyofyvm83n
j/b3TN3U+6fg0q9L7wsHFh14+NdlYRbNklaZa/44JOVsQgisSsgbgfJHyxHAsd3q
UiFOJKJ4zoCnzju3KajAx/doosfp990jkwM2RoGnDC7tkp68RbHe/KusOJxRyoxl
jYPdDbme2tNYjZi4u7Y4woDWgitAo6j524JQnucC3uegjUFqDUj8DOQQcR279Tgj
687E3JFVwxOFnw23tYrs81cm+CYAzr2avYvpk4J0UFADtOc71UWKo+8d+X6LvjJX
pDtXVrR7USD+cppcqDHShLgD18kYKQdVNAdkF8CLo1EzH5Rj+S+Z+miosJ/vgczy
4pOQWxiImlMkDwTBedp7LonSIcPU0PgjgNviXQRdDXHcgnsigx6maZrXHVWTDojs
oV2qKgqbxqyZ+FwuIl6Wdq5aIjp8Mj0ts7rH8UxUnxW1K7jgi4RQr0wYLl0NluYD
xYXg9j0FquPgSbjdUggbPryH0OKnwnPA9z3Ukd1BDODGaLSVQ9gncunV+VNLo2ye
5YYemzhiy1E=
=H3j+
-----END PGP SIGNATURE-----