===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1957
   Vulnerabilities in IBM Runtime Environments Java Technology Edition,
   Versions 7 & 8, IBM SDK, Java Technology Edition Version 8 and Eclipse
                  OpenJ9 Affect Transformation Extender
                                31 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Transformation Extender
Publisher:         IBM
Operating System:  AIX
                   Windows
                   Linux variants
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2684 CVE-2019-2602 CVE-2019-2426 CVE-2018-12547
                   CVE-2018-1890
Reference:         ASB-2019.0018 ESB-2019.1953 ESB-2019.1937 ESB-2019.1928

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10882278

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions
7 & 8, IBM SDK, Java Technology Edition Version 8 and Eclipse OpenJ9 Affect
Transformation Extender

Product:             Transformation Extender
Software version:    All Versions
Operating system(s): AIX, Linux, Windows, z/OS
Reference #:         0882278

Security Bulletin

Summary

There are vulnerabilities in IBM Runtime Environments Java Technology Edition,
Versions 7 and 8, IBM SDK, Java Technology Edition Version 8 and Eclipse OpenJ9
that affect IBM Transformation Extender.

Vulnerability Details

CVEID: CVE-2018-1890
Description: On the AIX platform, the IBM Java 8 executable contains
inappropriate absolute RPATHs, which might allow local users to inject code
into JVM processes launched by other users with higher privileges. The fix
removes the unsafe RPATHs.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for more information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2426
Description: The transparent NTLM authentication implementation in
java.net.HttpURLConnection exposes the user's NTLM credentials to any server
that requests them. The fix disables transparent NTLM authentication by
default. A new system property (jdk.http.ntlm.transparentAuth) allows the user
to enable transparent NTLM authentication for all hosts or trusted hosts only.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12547
Description: A widely used function in the OpenJ9 JVM is vulnerable to buffer
overflows. Multiple Java Runtime components use the vulnerable code, so the
issue can manifest in a number of different ways. The fix ensures that the
buffer cannot overflow.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2602
Description: A flaw in the java.math.BigDecimal API causes hangs when parsing
certain String values. This potentially allows an attacker to inflict a
denial-of-service. The fix ensures that all Strings are parsed promptly.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2684
Description: The Java runtime's java.rmi.Registry implementation does not
check access privileges correctly for some remote calls.
This allows an attacker to effectively replace a number of predefined static
skeleton classes with dynamic malicious skeletons. The fix ensures that access
checks on remote calls are conducted correctly.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Transformation Extender V10.0.0
IBM Transformation Extender V9.0.0 through V9.0.0.3
IBM Transformation Extender V8.4.1.0 through V8.4.1.5

Remediation/Fixes

All IBM Transformation Extender versions: Download and install the fix for
APAR PH11548.

Workarounds and Mitigations

None.

Change History

23 May 2019: Original version published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
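Added example, not IBM's or AusCERT's code, illustrating two of the items in the bulletin above: a startup check that refuses the all-hosts setting of the jdk.http.ntlm.transparentAuth property (CVE-2019-2426) and a bounded parser for untrusted java.math.BigDecimal input (CVE-2019-2602). The property values allHosts and trustedHosts are assumed from the OpenJDK release notes rather than this bulletin, and the property only takes effect on a JVM that already carries the fix; the class, method names and sample inputs are constructed for this example.

```java
import java.math.BigDecimal;
import java.util.regex.Pattern;

/*
 * Added example, not IBM's code: startup guards for two issues in the
 * bulletin above. Class, method names and inputs are this example's own.
 */
public final class JdkHardeningGuards {
    // Property named in the bulletin (CVE-2019-2426). The value "allHosts"
    // is assumed from the OpenJDK release notes, not from the bulletin.
    static final String NTLM_PROP = "jdk.http.ntlm.transparentAuth";

    // Plain decimal literal: optional sign, bounded digits, optional
    // fraction, optional short exponent. Anything else is rejected before
    // BigDecimal sees it, which limits exposure on a JVM still missing the
    // CVE-2019-2602 fix (the real remedy remains APAR PH11548).
    static final Pattern DECIMAL =
        Pattern.compile("[+-]?\\d{1,40}(\\.\\d{1,40})?([eE][+-]?\\d{1,4})?");

    /** True when transparent NTLM would send credentials to every server. */
    static boolean ntlmSettingIsWeak(String value) {
        return value != null && value.trim().equalsIgnoreCase("allHosts");
    }

    /** Parse an untrusted decimal string, refusing anything outside DECIMAL. */
    static BigDecimal parseUntrusted(String s) {
        if (s == null || s.length() > 100 || !DECIMAL.matcher(s).matches()) {
            throw new IllegalArgumentException("rejected decimal input");
        }
        return new BigDecimal(s);
    }

    public static void main(String[] args) {
        String ntlm = System.getProperty(NTLM_PROP);
        if (ntlmSettingIsWeak(ntlm)) {
            // trustedHosts is the narrower value assumed from the release notes.
            System.err.println(NTLM_PROP + "=" + ntlm
                + " exposes NTLM credentials to any server; use trustedHosts or leave it unset");
            System.exit(1);
        }
        // Constructed inputs: one well-formed, one with an oversized exponent.
        System.out.println(parseUntrusted("12345.678e-3"));
        try {
            parseUntrusted("1e2147483647");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected oversized exponent");
        }
    }
}
```

Run it as `java -Djdk.http.ntlm.transparentAuth=allHosts JdkHardeningGuards` to see the startup check fail, and without the property to see the two parse cases.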