-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1616
     IBM MQ Advanced Cloud Pak is vulnerable to a buffer overflow in the
                      curl command (CVE-2018-16842)
                                 9 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MQ Advanced Cloud Pak
Publisher:         IBM
Operating System:  Red Hat
Impact/Access:     Denial of Service          -- Remote/Unauthenticated
                   Access Confidential Data   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16842
Reference:         ESB-2019.1426
                   ESB-2019.0473
                   ESB-2018.3476
                   ESB-2018.3472

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10744735

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM MQ Advanced Cloud Pak is vulnerable to a buffer overflow in the curl
command (CVE-2018-16842)

Product:             Application Integration and Connectivity
Component:           all
Software version:    2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1
Operating system(s): RedHat OpenShift
Reference #:         0744735

Security Bulletin

Summary

A vulnerability was identified in cURL that could allow a remote attacker to
obtain sensitive information. cURL is included in the IBM MQ Advanced CloudPak
for IBM Cloud Private on RedHat OpenShift.

Vulnerability Details

CVEID: CVE-2018-16842
DESCRIPTION: cURL could allow a remote attacker to obtain sensitive
information, caused by a heap-based buffer over-read in the display function
in the command line tool. By sending a specially-crafted request, a remote
attacker could exploit this vulnerability to obtain sensitive information or
cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/152300 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM MQ Advanced Cloud Pak (IBM Cloud Private on RedHat OpenShift)
v2.1.0 - v2.3.1

Remediation/Fixes

IBM MQ Advanced Cloud Pak (RedHat OpenShift)
Apply Fix IBM-MQ-Adv-Cloud-Pak-2.3.2-RHOS to upgrade to version v2.3.2

Workarounds and Mitigations

None

Support for IBM MQ CloudPak versions

The support lifecycle for IBM MQ CloudPaks is tied directly to the support
lifecycle of the IBM MQ version that runs within the CloudPak. When the
underlying MQ version goes out of support, the CloudPak automatically goes out
of support. IBM MQ CloudPaks are only available with Continuous Delivery
versions of IBM MQ and so follow the IBM MQ Continuous Delivery support
lifecycle.

The version number of the CloudPak indicates to customers what kind of change
has been made between versions. CloudPaks use semver versioning, which does
not correlate directly to the V.R.M.F version scheme used by IBM MQ.
For reference, the table below shows which versions of IBM MQ are available
with which version of CloudPak; this can be used to determine whether the
version of CloudPak you are using is still in support:

IBM MQ CloudPak and IBM MQ versions

+---------+---------------------------+---------------------------------------+
| IBM MQ  | IBM MQ CloudPak for IBM   | IBM MQ CloudPak for IBM Cloud Private |
| Version | Cloud Private Version     | on RedHat OpenShift Version           |
+---------+---------------------------+---------------------------------------+
| 9.1.2   | 2.3.0 and later           | 2.3.0 and later                       |
+---------+---------------------------+---------------------------------------+
| 9.1.1   | 2.2.0 - 2.2.3             | 2.2.0 - 2.2.2                         |
+---------+---------------------------+---------------------------------------+
| 9.1.0   | 2.0.0 - 2.1.0             | 2.1.0                                 |
+---------+---------------------------+---------------------------------------+
| 9.0.5   | 1.3.0                     | N/A                                   |
+---------+---------------------------+---------------------------------------+
| 9.0.4   | 1.2.0 - 1.2.2             | N/A                                   |
+---------+---------------------------+---------------------------------------+
| 9.0.3   | 1.0.0 - 1.1.0             | N/A                                   |
+---------+---------------------------+---------------------------------------+

Change History

7 May 2019: Initial version created

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================