Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1884
Multiple vulnerabilities in IBM Spectrum Control (formerly
Tivoli Storage Productivity Center)
27 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Spectrum Control Standard Edition
Publisher: IBM
Operating System: AIX
Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-4138 CVE-2019-4137 CVE-2019-4046
CVE-2019-2426 CVE-2019-1559 CVE-2018-12547
CVE-2018-1902 CVE-2018-1890
Reference: ASB-2019.0147
ASB-2019.0128
ASB-2019.0120
ASB-2019.0088
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10883086
http://www.ibm.com/support/docview.wss?uid=ibm10880905
http://www.ibm.com/support/docview.wss?uid=ibm10881003
http://www.ibm.com/support/docview.wss?uid=ibm10879903
http://www.ibm.com/support/docview.wss?uid=ibm10880375
Comment: This bulletin contains five (5) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.17.1, 5.2.17.2, 5.2.8, 5.2.10.1, 5.2.11, 5.2.12,
5.2.13, 5.2.14, 5.2.15, 5.2.15.2, 5.2.16, 5.2.17.0, 5.3.0,
5.3.1, 5.3.2
Operating system(s): AIX, Linux, Windows
Reference #: 0883086
Security Bulletin
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition that is
shipped and used by IBM Spectrum Control (formerly Tivoli Storage Productivity
Center). These issues were disclosed as part of the IBM Java SDK updates for
January 2019.
Vulnerability Details
CVEID: CVE-2019-2426
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155744 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-12547
DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by
improper bounds checking by the jio_snprintf()and jio_vsnprintf() functions. By
sending an overly long argument, a remote attacker could overflow a buffer and
execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
157512 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-1890
DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform
uses absolute RPATHs which may facilitate code injection and privilege
elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
152081 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
Affected Products and Versions
+--------------------------------------+-----------------+
|Affected Product |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.3.0 - 5.3.2 |
+--------------------------------------+-----------------+
The versions listed above apply to all licensed offerings of IBM Spectrum
Control.
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM
Spectrum Control.
+-----------+------------------+------------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+-----------+------------------+------------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+-----------+------------------+------------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+-----------+------------------+------------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None
Change History
23 May 2019 - original version published
Cross reference information
Product Component Platform Version Edition
Tivoli Storage AIX, 5.2.0, 5.2.1, 5.2.2, 5.2.3,
Productivity Linux, 5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1
Center Windows
- --------------------------------------------------------------------------------------
OpenSSL vulnerability affects IBM Spectrum Control (formerly Tivoli Storage
Productivity Center) (CVE-2019-1559)
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 0880905
Security Bulletin
Summary
An OpenSSL vulnerability was disclosed on February 26, 2019 by the OpenSSL
Project. OpenSSL, used by IBM Spectrum Control (formerly Tivoli Storage
Productivity Center), has addressed the applicable CVE.
Vulnerability Details
CVE-ID: CVE-2019-1559
Description: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to immediately close the TCP connection
after the hosts encounter a zero-length record with valid padding. An attacker
could exploit this vulnerability using a 0-byte record padding-oracle attack to
decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Affected Products and Versions
+--------------------------------------+-----------------+
|Affected Product |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.3.0 - 5.3.2 |
+--------------------------------------+-----------------+
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM
Spectrum Control.
+----------+-----------------+------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None.
Change History
23 May 2019 - original version published.
Cross reference information
Product Component Platform Version Edition
Tivoli Storage AIX, 5.2.0, 5.2.1, 5.2.2, 5.2.3,
Productivity Linux, 5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1
Center Windows
- --------------------------------------------------------------------------------------
Potential Spoofing vulnerability in WebSphere Application Server affects IBM
Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1902)
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 0881003
Security Bulletin
Summary
There is a potential spoofing vulnerability in IBM WebSphere Application Server
which affects IBM Spectrum Control (formerly Tivoli Storage Productivity
Center).
Vulnerability Details
CVEID: CVE-2018-1902
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to
spoof connection information which could be used to launch further attacks
against the system.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
152531 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
+--------------------------------------+-----------------+
|Affected Product |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.3.0 - 5.3.2 |
+--------------------------------------+-----------------+
The versions listed above apply to all licensed offerings of IBM Spectrum
Control.
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM
Spectrum Control.
+----------+-----------------+------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None
Change History
23 May 2019 - original version published
Cross reference information
Product Component Platform Version Edition
Tivoli Storage AIX, 5.2.0, 5.2.1, 5.2.2, 5.2.3,
Productivity Linux, 5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1
Center Windows
- --------------------------------------------------------------------------------------
Potential Spoofing vulnerability in WebSphere Application Server affects IBM
Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1902)
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 0881003
Security Bulletin
Summary
There is a potential spoofing vulnerability in IBM WebSphere Application Server
which affects IBM Spectrum Control (formerly Tivoli Storage Productivity
Center).
Vulnerability Details
CVEID: CVE-2018-1902
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to
spoof connection information which could be used to launch further attacks
against the system.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
152531 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
+--------------------------------------+-----------------+
|Affected Product |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.3.0 - 5.3.2 |
+--------------------------------------+-----------------+
The versions listed above apply to all licensed offerings of IBM Spectrum
Control.
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM
Spectrum Control.
+----------+-----------------+------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None
Change History
23 May 2019 - original version published
Cross reference information
Product Component Platform Version Edition
Tivoli Storage AIX, 5.2.0, 5.2.1, 5.2.2, 5.2.3,
Productivity Linux, 5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1
Center Windows
- --------------------------------------------------------------------------------------
Potential denial of service vulnerability in WebSphere Application Server which
affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
(CVE-2019-4046)
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #: 0879903
Security Bulletin
Summary
There is a potential denial of service in WebSphere Application Server which
affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
Vulnerability Details
CVEID: CVE-2019-4046
DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of
service, caused by improper handling of request headers. A remote attacker
could exploit this vulnerability to cause the consumption of Memory.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
156242 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
+--------------------------------------+-----------------+
|Affected Product |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control |5.3.0 - 5.3.2 |
+--------------------------------------+-----------------+
The versions listed above apply to all licensed offerings of IBM Spectrum
Control.
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM
Spectrum Control.
+----------+-----------------+------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None
Change History
23 May 2019 - original version published
Cross reference information
Product Component Platform Version Edition
Tivoli Storage AIX, 5.2.0, 5.2.1, 5.2.2, 5.2.3,
Productivity Linux, 5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1
Center Windows
- --------------------------------------------------------------------------------------
Cross-site scripting and failure to enforce HTTP Strict Transport Security
vulnerabilities in IBM Spectrum Control (formerly Tivoli Storage Productivity
Center) (CVE-2019-4137, CVE-2019-4138)
Product: IBM Spectrum Control Standard Edition
Software version: 5.2.13, 5.2.14, 5.2.15, 5.2.15.2, 5.2.16, 5.2.17.0,
5.2.17.1, 5.2.17.2, 5.3.0.1, 5.3.1,5.3.2
Operating system(s): AIX, Linux, Windows
Reference #: 0880375
Security Bulletin
Summary
IBM Spectrum Control (formerly Tivoli Storage Productivity Center) is
vulnerable to cross-site scripting and failure to enforce HTTP Strict Transport
Security.
Vulnerability Details
CVEID: CVE-2019-4137
DESCRIPTION: IBM Tivoli Storage Productivity Center is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
158333 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2019-4138
DESCRIPTION: IBM Tivoli Storage Productivity Center could allow a remote
attacker to obtain sensitive information, caused by the failure to properly
enable HTTP Strict Transport Security. An attacker could exploit this
vulnerability to obtain sensitive information using man in the middle
techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
158334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
+--------------------+-----------------+
|IBM Spectrum Control|5.2.13 - 5.2.17.2|
+--------------------+-----------------+
|IBM Spectrum Control|5.3.0 - 5.3.2 |
+--------------------+-----------------+
The versions listed above apply to all licensed offerings of IBM Spectrum
Control.
Remediation/Fixes
The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.
+----------+-----------------+------------------------------------------------------------------------------------+
|Release |First Fixing |Link to Fix/Fix Availability Target |
| |VRM Level | |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.2 |5.2.17.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
|5.3 |5.3.3 |http://www.ibm.com/support/docview.wssuid=swg21320822#53_0 |
+----------+-----------------+------------------------------------------------------------------------------------+
Note: It is always recommended to have a current backup before applying any
update procedure.
Workarounds and Mitigations
None
Change History
23 May 2019 - original version published
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXOtfOGaOgq3Tt24GAQiuvBAAxu4d34a9RzeRizLKFTWz/APuNPC5lOxd
SnWKiFKRwQPvKWPVlTS13N8NqdBGPoO3XN/+9H0jMyZv62TSL5XFyiq3Rv79WqLN
atCmP0Q6VAEQ4vaySc/srez6lPlDGqsPoKKm50G/OEm0SK+ibImT94DalZFGAWyX
sSgwfllShMPNRIlRgDJFdLHEaSLvgivSxV8ViQmreUyD+Fm1YMeE1l5YRxj8kPNH
R4fMjZV2+mQTbF7ueVug8Fv7uSJeoWNPPUSmUa5kQs5/WJBfmcWuG6pZy5uxySpN
bCyNDZF3XY7FiiMUFYgIBjwygOVhFQ49BVbcCXDTUDZiq3nzsl9YMOsGKT4zxkMA
KWhFZCJuvvYJinx9JlHuqzyNlzdTHWVzmei1+EamCuALIapW+55+UvDN/B4+2SCv
7D0dqWxjqadw6RJkTejIPZChB1Gm7CGkCTYJSlJ6OYhexQUW2R7eeWD0bArbgzLk
QSPA1RkEvMy8xdeWHp96VFD0QukRlVL2nKu83PlMwx7Af0k+nnE+Xu5exfwsBDa7
wplK42jid+HpmfAvkBwKDupZoSKVeTef/Z42UM1MUIo1fM5ZwNz0zOvwGIHi0y/O
u3yE9oZwcts+Brr51L+eHxivRASHAhhQ+UcaXv+TMF5C2cAVhD8kyIHuGy3kLfEq
QgfJvHovr0c=
=R/5X
-----END PGP SIGNATURE-----