-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1957
   Vulnerabilities in IBM Runtime Environments Java Technology Edition,
        Versions 7 & 8, IBM SDK, Java Technology Edition Version 8
             and Eclipse OpenJ9 Affect Transformation Extender
                                31 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Transformation Extender
Publisher:         IBM
Operating System:  AIX
                   Windows
                   Linux variants
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2684 CVE-2019-2602 CVE-2019-2426
                   CVE-2018-12547 CVE-2018-1890 

Reference:         ASB-2019.0018
                   ESB-2019.1953
                   ESB-2019.1937
                   ESB-2019.1928

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10882278

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 7
& 8, IBM SDK, Java Technology Edition Version 8 and Eclipse OpenJ9 Affect
Transformation Extender

Product:             Transformation Extender
Software version:    All Versions
Operating system(s): AIX, Linux, Windows, z/OS
Reference #:         0882278

Security Bulletin

Summary

There are vulnerabilities in IBM Runtime Environments Java Technology Edition,
Versions 7 and 8, IBM SDK, Java Technology Edition Version 8 and Eclipse OpenJ9
that affect IBM Transformation Extender.

Vulnerability Details

CVEID: CVE-2018-1890
Description: On the AIX platform, the IBM Java 8 executable contains
inappropriate absolute RPATHS, which might allow local users to inject code
into JVM processes launched by other users with higher privileges. The fix
removes the unsafe RPATHs.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2426
Description: The transparent NTLM authentication implementation in
java.net.HttpURLConnection exposes the user's NTLM credentials to any server
that requests them. The fix disables transparent NTLM authentication by default.
A new system property (jdk.http.ntlm.transparentAuth) allows the user to
enable transparent NTLM authentication for all hosts or for trusted hosts only.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
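
The following is an added example and is not part of the IBM or AusCERT
bulletin. It shows the two things a defender does with the fix described
above: audit the value of jdk.http.ntlm.transparentAuth that a JVM was
started with, and replace transparent authentication with an explicit
java.net.Authenticator that only answers challenges from an allow-list of
hosts. The value names "disabled", "trustedHosts" and "allHosts" are taken
from the JDK release notes for this fix and are an assumption to verify
against your runtime's documentation; the class name, the allow-listed host
and the credentials are constructed for the example. Transparent NTLM is
Windows-specific (it forwards the logged-on user's credentials), and on an
unpatched runtime the property is not consulted at all, so a null value there
does not mean the exposure is closed.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class NtlmExposureAudit {

    // Hypothetical allow-list of hosts this application may authenticate to.
    static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("intranet.example.internal"));

    /** Classifies the current jdk.http.ntlm.transparentAuth value from a defender's view. */
    static String verdict(String value) {
        if (value == null || value.equalsIgnoreCase("disabled")) {
            // Only meaningful on a fixed runtime; a pre-fix JVM ignores the property
            // and still authenticates transparently to any host that asks.
            return "OK: transparent NTLM disabled (the fixed default); credentials are sent "
                 + "only when an Authenticator supplies them";
        }
        if (value.equalsIgnoreCase("trustedHosts")) {
            return "OK with caveat: transparent NTLM limited to hosts the Windows Internet "
                 + "security settings classify as trusted; review that zone configuration";
        }
        if (value.equalsIgnoreCase("allHosts")) {
            return "WARNING: transparent NTLM enabled for every host; any server that "
                 + "requests NTLM receives the logged-on user's credentials (pre-fix behaviour)";
        }
        return "WARNING: unrecognised value '" + value + "'; treat as a misconfiguration";
    }

    /**
     * Explicit credential handling to use instead of transparent authentication:
     * answers challenges only for allow-listed hosts and returns null (no
     * credentials) for every other server, so an unexpected host gets nothing.
     */
    static Authenticator allowListedAuthenticator(final String user, final char[] password) {
        return new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                String host = getRequestingHost();
                if (host != null && TRUSTED_HOSTS.contains(host.toLowerCase())) {
                    return new PasswordAuthentication(user, password.clone());
                }
                return null;
            }
        };
    }

    public static void main(String[] args) {
        String value = System.getProperty("jdk.http.ntlm.transparentAuth");
        System.out.println("jdk.http.ntlm.transparentAuth=" + value);
        System.out.println(verdict(value));
        // Install the allow-listed authenticator process-wide (constructed credentials).
        Authenticator.setDefault(allowListedAuthenticator("svc-account", "change-me".toCharArray()));
        // Launch example: java -Djdk.http.ntlm.transparentAuth=trustedHosts NtlmExposureAudit
    }
}
```

Pair the property audit with a check of the runtime version, since the
verdict for a missing property only holds once the fix (APAR PH11548 for
Transformation Extender) is installed.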

CVEID: CVE-2018-12547
Description: A widely used function in the OpenJ9 JVM is vulnerable to buffer
overflows. Multiple Java Runtime components use the vulnerable code, so the
issue can manifest in a number of different ways. The fix ensures that the
buffer cannot overflow.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2602
Description: A flaw in the java.math.BigDecimal API causes hangs when parsing
certain String values. This potentially allows an attacker to inflict a
denial-of-service. The fix ensures that all Strings are parsed promptly.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
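
The following is an added example and is not part of the IBM or AusCERT
bulletin. Installing the fix is the remedy for the BigDecimal hang described
above; this code shows the defence-in-depth a service owner adds in front of
java.math.BigDecimal when the string comes from an untrusted source: a length
and shape filter so oversized or unexpected input never reaches the parser,
and a time budget so a stalled parse fails the one request instead of the
worker thread. The class name, the 64-character limit, the regular expression
and the sample inputs are constructed for the example.

```java
import java.math.BigDecimal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

public class SafeDecimalParser {

    // Finite bound on decimal strings accepted from untrusted input (constructed limit).
    static final int MAX_LENGTH = 64;
    // Optional sign, up to 40 integer digits, optional fraction, optional small exponent
    // (constructed grammar; widen it deliberately if your data needs more).
    static final Pattern SHAPE =
            Pattern.compile("[+-]?\\d{1,40}(\\.\\d{1,20})?([eE][+-]?\\d{1,3})?");
    // Daemon threads so a parse that never returns cannot keep the JVM alive.
    static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "decimal-parse");
        t.setDaemon(true);
        return t;
    });

    /** Rejects by length and shape before BigDecimal ever sees the string. */
    static boolean isWellFormed(String s) {
        return s != null && s.length() <= MAX_LENGTH && SHAPE.matcher(s).matches();
    }

    /** Parses with the pre-filter and a time budget; throws on reject or timeout. */
    static BigDecimal parse(final String s, long timeoutMillis) throws TimeoutException {
        if (!isWellFormed(s)) {
            throw new NumberFormatException("rejected before parse: "
                    + (s == null ? "null" : "length " + s.length()));
        }
        Callable<BigDecimal> task = () -> new BigDecimal(s);
        Future<BigDecimal> f = POOL.submit(task);
        try {
            return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NumberFormatException("interrupted while parsing");
        } catch (ExecutionException e) {
            throw new NumberFormatException(String.valueOf(e.getCause()));
        } catch (TimeoutException e) {
            // Caveat: a CPU-bound loop inside the parser does not check the interrupt
            // flag, so cancel(true) frees the caller but may not stop the pool thread.
            // The length/shape filter is what keeps such input out in the first place.
            f.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: two acceptable values and one oversized one.
        String oversized = "1" + new String(new char[200]).replace('\0', '0');
        String[] samples = { "12345.678", "-1.5E3", oversized };
        for (String s : samples) {
            try {
                System.out.println(s.length() + " chars -> " + parse(s, 200));
            } catch (NumberFormatException | TimeoutException e) {
                System.out.println(s.length() + " chars -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The shape filter, not the timeout, is the primary control: it is cheap,
deterministic and independent of the parser's internals, while the timeout
only bounds how long a caller waits.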

CVEID: CVE-2019-2684
Description: The Java runtime's java.rmi.Registry implementation does not check
access privileges correctly for some remote calls. This allows an attacker to
effectively replace a number of predefined static skeleton classes with dynamic
malicious skeletons. The fix ensures that access checks on remote calls are
conducted correctly.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Transformation Extender V10.0.0
IBM Transformation Extender V9.0.0 through V9.0.0.3
IBM Transformation Extender V8.4.1.0 through V8.4.1.5

Remediation/Fixes

All IBM Transformation Extender versions: Download and install the fix for
APAR PH11548.

Workarounds and Mitigations

None.

Change History

23 May 2019: Original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----