-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1559
      Java Vulnerability Affects IBM Sterling Connect:Direct Browser
             User Interface (CVE-2018-1890, CVE-2018-3180)
                                6 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sterling Connect:Direct Browser User Interface
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3180 CVE-2018-1890

Reference:         ESB-2019.1547
                   ESB-2019.1541
                   ASB-2018.0290

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10881526

- --------------------------BEGIN INCLUDED TEXT--------------------

Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface
(CVE-2018-1890, CVE-2018-3180)

Product:             Sterling Connect:Direct Browser User Interface
Software version:    1.5.0.2
Operating system(s): Platform Independent
Reference #:         0881526

Security Bulletin

Summary

There is a vulnerability in IBM Runtime Environment Java Technology Edition,
Version 8 that is used by IBM Sterling Connect:Direct Browser User Interface.
These issues were disclosed as part of the IBM Java SDK updates in Nov 2018 and
March 2019.

Vulnerability Details

CVE-ID: CVE-2018-3180
Description: A flaw in the JSSE component means that TLS connections do not
always check the validity of the hostname on the server-side certificate. The
fix ensures that server-side certificates are checked correctly.
CVSS Base Score: 5.6
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for more
  information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2018-1890
Description: On the AIX platform, the IBM Java 8 executable contains
inappropriate absolute RPATHs, which may allow local users to inject code into
JVM processes launched by other users with higher privileges.
CVSS Base Score: 5.6
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for more
  information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Connect:Direct Browser User Interface 1.5.0.2 through 1.5.0.2 iFix23

Remediation/Fixes

Product:     Sterling Connect:Direct Browser User Interface
Version:     1.5.0.2
Remediation: 1.5.0.2 iFix24 (available from Fix Central)

Workarounds and Mitigations

None

Change History

18 April 2019: Original document published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
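As an added, defender-side illustration of the JSSE issue described under CVE-2018-3180 above (example code, not part of the bulletin and not IBM's code), the following Java client makes hostname verification an explicit, per-connection setting instead of relying on the runtime's defaults. The class name StrictTlsClient, the helper names and the host/port command-line arguments are assumptions; the JSSE calls used (SSLParameters.setEndpointIdentificationAlgorithm, SSLSocket.setSSLParameters, SSLSocket.startHandshake) are standard Java SE APIs.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not code from IBM or from the bulletin. StrictTlsClient is an
// assumed name; the host and port are taken from the command line.
public class StrictTlsClient {

    // Returns true only if the socket is configured to verify the server
    // certificate's hostname (SAN/CN) against the peer host during the handshake.
    public static boolean hostnameVerificationEnabled(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && alg.equalsIgnoreCase("HTTPS");
    }

    // Opens a TLS socket with endpoint identification switched on explicitly.
    // If the certificate does not match `host`, startHandshake() throws an
    // SSLHandshakeException instead of silently accepting the peer.
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        // Defensive re-check: fail closed if the setting did not take effect.
        if (!hostnameVerificationEnabled(socket)) {
            socket.close();
            throw new IOException("endpoint identification could not be enabled");
        }
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: StrictTlsClient <host> <port>");
            System.exit(2);
        }
        try (SSLSocket socket = connect(args[0], Integer.parseInt(args[1]))) {
            System.out.println("handshake ok; peer = "
                + socket.getSession().getPeerPrincipal().getName());
        }
    }
}
```

Raw SSLSocket connections in JSSE do not perform endpoint identification unless the algorithm is set on the SSLParameters (HttpsURLConnection applies its own HostnameVerifier), so code that opens TLS sockets directly should set it as above; applying the vendor fix (iFix24) remains the remediation the bulletin specifies, and this setting does not replace it.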
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXM+S1maOgq3Tt24GAQgvPxAA2uDm+omWouLQW2qN0Sss52v+RyaPtPJJ
haPNrBYKHxMfMu+MOcInqCD/grT9qmE/o1fZmmxOznJJSdc4E8lCg21Qa28Bfcme
9k6KhMejPCHRWVgnY9XO0ql4VB/ZJPEyyDwGLuHzuV1t8ucy/KC4bv54dM8/nIXJ
vYVDIKPv73Db+EbAUWwcX+0koH17uCUYPZ3l4riAFFdwkzyhbgu/CGDcVdzxHyUl
qBn4VNZU9xz9YYi9yl6tqyzFmGzYo03kPYJyUsiI+bjdouGtW0AuEpr/TqZ7Sqyd
QbhoRy4s/fqqvPw08IGiHryGGItZKRFNqhWxKl5np47TGpIx7koMhAnTAV8pIu+p
oS0hQxCjoMoDeRkMrQjV0JdbHmcyZdoI+MgR/U06wUls1nd6OhMfhZ/r+hBHcYo2
wpgHs8N048Fu4O8zFX2NmcP3B/KkTvAlMKeKDLvF1zwjqtpzlcDdTMjdwiCqNdrt
W45FqyXkPS5JTU5of56QJKeHeFSjgDFqI467+i73WID6rdQCkJdjJvqN8uUZkRJY
iNNaQYWx8MzJPHGGGFSgrzmU6uDXGRqyTTb/iIcAJ544UkhR1m9EpLdU2kn/0B8Y
86mvH8VPC9HlOeib9M4W48jXegr8bSaN5lak6ok+YmZnYLO9NthF0xl1XWXvvrYD
8h0qo/J5cc8=
=5nXg
-----END PGP SIGNATURE-----