-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1982
   Cross-site scripting vulnerability in IBM Intelligent Operations Center
                               (CVE-2019-4070)
                                 3 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Intelligent Operations Center
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4070 CVE-2019-4069 CVE-2019-4068 CVE-2019-4067
                   CVE-2019-4066

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10879943
   https://www.ibm.com/support/docview.wss?uid=ibm10879381
   https://www.ibm.com/support/docview.wss?uid=ibm10880229
   https://www.ibm.com/support/docview.wss?uid=ibm10879953
   https://www.ibm.com/support/docview.wss?uid=ibm10880213

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross-site scripting vulnerability in IBM Intelligent
Operations Center (CVE-2019-4070)

Document information
More support for:    IBM Intelligent Operations Center
Component:           Not Applicable
Software version:    5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5,
                     5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11,
                     5.1.0.12, 5.1.0.13, 5.1.0.14, 5.2.0
Operating system(s): Linux, Windows
Reference #:         0879943
Modified date:       31 May 2019

Summary

IBM(R) Intelligent Operations Center does not sanitize all user-controlled
inputs, so it is possible to inject malicious code into the application.

Vulnerability Details

CVEID: CVE-2019-4070
DESCRIPTION: IBM Intelligent Operations Center (IOC) is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI, thus altering the intended functionality and
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157015
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following products and versions:

  o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
  o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1

Remediation/Fixes

The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.

+------------------------------+--------------+-------+-----------------------+
| Product                      | VRMF         | APAR  | Remediation/First Fix |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0        |PO08061|Interim fix PO08061, or|
|Center                        |              |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 -      |PO08131|Interim fix PO08131, or|
|Center                        |V5.1.0.14     |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for   |V5.1.0 -      |PO08061|Interim fix PO08061, or|
|Waternamics                   |V5.2.1.1      |       |later                  |
+------------------------------+--------------+-------+-----------------------+

For information about the latest available updates, see IBM Intelligent
Operations Center V5.2 installation updates.

Workarounds and Mitigations

None.
Reference

  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information

  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog

Change History

31 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

  Product:  IBM Intelligent Operations Center for Emergency Management
  Platform: Linux, Windows
  Version:  5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6

  Product:  IBM Water Operations for Waternamics
  Platform: Linux
  Version:  5.1.0, 5.2.0, 5.2.0.1, 5.2.0.2, 5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,
            5.2.1, 5.2.1.1

- ----------------------------------------------------------------------------------

Security Bulletin: IBM(R) Intelligent Operations Center has a weak
user-creation policy (CVE-2019-4066)

Document information
More support for:    IBM Intelligent Operations Center
Component:           Not Applicable
Software version:    5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5,
                     5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11,
                     5.1.0.12, 5.1.0.13, 5.1.0.14, 5.2.0
Operating system(s): Linux, Windows
Reference #:         0879381
Modified date:       31 May 2019

Summary

An authenticated user can create users with malformed user IDs in IBM(R)
Intelligent Operations Center so that these new users cannot be deleted later
from the system. Because the malformed users cannot be deleted at the
application level, this is a denial of service issue.

Vulnerability Details

CVEID: CVE-2019-4066
DESCRIPTION: IBM Intelligent Operations Center (IOC) could allow an
authenticated user to create arbitrary users which could cause ID management
issues and result in code execution.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157011
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following products and versions:

  o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
  o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1

Remediation/Fixes

The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.

+------------------------------+--------------+-------+-----------------------+
| Product                      | VRMF         | APAR  | Remediation/First Fix |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0        |PO08061|Interim fix PO08061, or|
|Center                        |              |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 -      |PO08131|Interim fix PO08131, or|
|Center                        |V5.1.0.14     |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for   |V5.1.0 -      |PO08061|Interim fix PO08061, or|
|Waternamics                   |V5.2.1.1      |       |later                  |
+------------------------------+--------------+-------+-----------------------+

For information about the latest available updates for IBM(R) Intelligent
Operations Center see IBM Intelligent Operations Center V5.2 installation
updates.

Workarounds and Mitigations

None.
Change History

31 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Cross reference information

  Product:  IBM Intelligent Operations Center for Emergency Management
  Platform: Linux, Windows
  Version:  5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6

  Product:  IBM Water Operations for Waternamics
  Platform: Linux, Windows
  Version:  5.1.0, 5.2.0, 5.2.0.1, 5.2.0.2, 5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,
            5.2.1, 5.2.1.1

- ----------------------------------------------------------------------------------

Security Bulletin: IBM(R) Intelligent Operations Center is vulnerable to user
enumeration (CVE-2019-4068)

Document information
More support for:    IBM Intelligent Operations Center
Component:           Not Applicable
Software version:    5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5,
                     5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11,
                     5.1.0.12, 5.1.0.13, 5.1.0.14, 5.2.0
Operating system(s): Linux, Windows
Reference #:         0880229
Modified date:       31 May 2019

Summary

IBM(R) Intelligent Operations Center is vulnerable to user enumeration, which
allows an attacker to confirm valid account names and then brute-force their
way into the system.

Vulnerability Details

CVEID: CVE-2019-4068
DESCRIPTION: IBM Intelligent Operations Center is vulnerable to user
enumeration, allowing an attacker to brute-force their way into the system.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157013
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following products and versions:

  o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
  o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1

Remediation/Fixes

The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.

+------------------------------+--------------+-------+-----------------------+
| Product                      | VRMF         | APAR  | Remediation/First Fix |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0        |PO08061|Interim fix PO08061, or|
|Center                        |              |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 -      |PO08131|Interim fix PO08131, or|
|Center                        |V5.1.0.14     |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for   |V5.1.0 -      |PO08061|Interim fix PO08061, or|
|Waternamics                   |V5.2.1.1      |       |later                  |
+------------------------------+--------------+-------+-----------------------+

For information about the latest available updates, see IBM Intelligent
Operations Center V5.2 installation updates.

Workarounds and Mitigations

None.
Change History

31 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Cross reference information

  Product:  IBM Intelligent Operations Center for Emergency Management
  Platform: Windows
  Version:  5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6

  Product:  IBM Water Operations for Waternamics
  Platform: Linux
  Version:  5.1.0, 5.2.0, 5.2.0.1, 5.2.0.2, 5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,
            5.2.1, 5.2.1.1

- ----------------------------------------------------------------------------------

Security Bulletin: IBM(R) Intelligent Operations Center does not correctly
validate file types before uploading files (CVE-2019-4069)

Document information
More support for:    IBM Intelligent Operations Center
Component:           Not Applicable
Software version:    5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5,
                     5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11,
                     5.1.0.12, 5.1.0.13, 5.1.0.14, 5.2.0
Operating system(s): Linux, Windows
Reference #:         0879953
Modified date:       31 May 2019

Summary

IBM(R) Intelligent Operations Center does not validate the content of CSV
files that are uploaded by authenticated users. The upload of unvalidated CSV
files by authenticated users might be a starting point for further attacks if
it is combined with file renaming or other inclusion techniques.

Vulnerability Details

CVEID: CVE-2019-4069
DESCRIPTION: IBM Intelligent Operations Center (IOC) does not properly
validate file types, allowing an attacker to upload malicious content.
CVSS Base Score: 8.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157014
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following products and versions:

  o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
  o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1

Remediation/Fixes

The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.

+------------------------------+--------------+-------+-----------------------+
| Product                      | VRMF         | APAR  | Remediation/First Fix |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0        |PO08061|Interim fix PO08061, or|
|Center                        |              |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 -      |PO08131|Interim fix PO08131, or|
|Center                        |V5.1.0.14     |       |later                  |
+------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for   |V5.1.0 -      |PO08061|Interim fix PO08061, or|
|Waternamics                   |V5.2.1.1      |       |later                  |
+------------------------------+--------------+-------+-----------------------+

For information about the latest available updates, see IBM Intelligent
Operations Center V5.2 installation updates.

Workarounds and Mitigations

None.
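The CVE-2019-4069 bulletin above says only that CSV content is not validated; it does not say how IOC checks uploads, so the following is an added example written for this page, not IBM code, showing the server-side checks that make "file type" validation meaningful: a restricted filename, a size cap, rejection of well-known non-CSV magic bytes and binary content, and then a schema check of every record against the columns the application expects. The header names, column rules, limits and the sample uploads are all assumptions constructed for the demonstration.

```python
"""Content validation for an uploaded "CSV" file (added example, not IBM code)."""
import csv
import io
import re
from dataclasses import dataclass, field

MAX_BYTES = 1_000_000     # assumed upload size limit
MAX_ROWS = 10_000         # assumed record limit
# Assumed import schema for the example; a real deployment would use its own.
EXPECTED_HEADER = ["asset_id", "name", "latitude", "longitude"]
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.csv$")   # no paths, no double extensions

# Leading bytes of payloads that get renamed to .csv to slip past extension checks.
# A genuine CSV for this schema starts with "asset_id", so none of these can collide.
MAGIC_PREFIXES = {
    b"PK\x03\x04": "zip archive (jar/war/docx)",
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF",
    b"<?php": "PHP source",
}
# Cells starting with these are executed as formulas when the CSV is opened in a spreadsheet.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _in_range(low, high):
    """Numeric column: must parse as a float inside [low, high] (NaN/inf fail)."""
    def check(value):
        try:
            return low <= float(value) <= high
        except ValueError:
            return False
    return check


def _text(pattern):
    """Text column: allow-listed characters and no spreadsheet-formula prefix."""
    rx = re.compile(pattern)
    return lambda value: bool(rx.match(value)) and not value.startswith(FORMULA_PREFIXES)


COLUMN_RULES = {
    "asset_id": _text(r"^[A-Z0-9-]{1,32}$"),
    "name": _text(r"^[\w .,'()/-]{1,100}$"),
    "latitude": _in_range(-90.0, 90.0),      # negative numbers are legitimate here,
    "longitude": _in_range(-180.0, 180.0),   # so the formula-prefix rule is text-only
}


@dataclass
class UploadCheck:
    ok: bool
    reasons: list = field(default_factory=list)
    rows: int = 0


def validate_csv_upload(filename: str, data: bytes) -> UploadCheck:
    """Return ok=True only if `data` is a well-formed CSV matching EXPECTED_HEADER."""
    reasons = []
    if not SAFE_FILENAME.match(filename):
        reasons.append("filename must be a plain name ending in .csv")
    if len(data) > MAX_BYTES:
        return UploadCheck(False, reasons + ["file exceeds size limit"])
    for prefix, kind in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return UploadCheck(False, reasons + [f"content is {kind}, not CSV"])
    if b"\x00" in data:
        return UploadCheck(False, reasons + ["binary content (NUL byte present)"])
    try:
        text = data.decode("utf-8-sig")          # utf-8-sig also drops a leading BOM
    except UnicodeDecodeError:
        return UploadCheck(False, reasons + ["content is not valid UTF-8"])

    reader = csv.reader(io.StringIO(text, newline=""))
    try:
        header = next(reader)
    except (StopIteration, csv.Error):
        return UploadCheck(False, reasons + ["empty or unparsable CSV"])
    if [h.strip().lower() for h in header] != EXPECTED_HEADER:
        return UploadCheck(False, reasons + [f"unexpected header {header!r}"])

    rows = 0
    try:
        for recno, row in enumerate(reader, start=2):
            if not row:                          # blank line
                continue
            rows += 1
            if rows > MAX_ROWS:
                reasons.append("too many records")
                break
            if len(row) != len(EXPECTED_HEADER):
                reasons.append(f"record {recno}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}")
                continue
            for col, value in zip(EXPECTED_HEADER, row):
                if not COLUMN_RULES[col](value):
                    reasons.append(f"record {recno}: invalid value for {col}: {value!r}")
    except csv.Error as exc:
        reasons.append(f"CSV parse error: {exc}")
    return UploadCheck(not reasons, reasons, rows)


# Constructed sample uploads for the demonstration.
_HDR = b"asset_id,name,latitude,longitude\r\n"
SAMPLE_GOOD = _HDR + b"PUMP-001,Main intake pump,-27.4975,153.0137\r\nVALVE-07,Riverside valve (east),-27.50,153.02\r\n"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x14\x00" * 12                      # archive renamed to .csv
SAMPLE_PHP = b"<?php system($_GET['c']); ?>\n"                     # script renamed to .csv
SAMPLE_FORMULA = _HDR + b'PUMP-002,"=HYPERLINK(""http://attacker.example/"",""click"")",-27.5,153.0\r\n'
SAMPLE_BAD_HEADER = b"id,payload\r\n1,<script>alert(1)</script>\r\n"

if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD), ("zip", SAMPLE_ZIP), ("php", SAMPLE_PHP),
                       ("formula", SAMPLE_FORMULA), ("header", SAMPLE_BAD_HEADER)]:
        print(name, validate_csv_upload("assets.csv", blob))
```

The order of checks matters: the cheap byte-level rejections run before any parsing, and the schema pass is what actually decides, since a file that parses as four allow-listed columns cannot also be a JSP, shell script or archive regardless of what it was renamed to. Storing accepted files under a server-generated name outside the web root removes the "renaming or inclusion" half of the bulletin's attack path.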
Change History

31 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Cross reference information

  Product:  IBM Intelligent Operations Center for Emergency Management
  Platform: Windows
  Version:  5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6

  Product:  IBM Water Operations for Waternamics
  Platform: Linux
  Version:  5.1.0, 5.2.0, 5.2.0.1, 5.2.0.2, 5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,
            5.2.1, 5.2.1.1

- -------------------------------------------------------------------------------

Security Bulletin: User passwords might be obtained by a brute force attack on
IBM(R) Intelligent Operations Center (CVE-2019-4067)

Document information
More support for:    IBM Intelligent Operations Center
Component:           Not Applicable
Software version:    5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5,
                     5.1.0.6, 5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11,
                     5.1.0.12, 5.1.0.13, 5.1.0.14, 5.2.0
Operating system(s): Linux, Windows
Reference #:         0880213
Modified date:       31 May 2019

Summary

If your IBM(R) Intelligent Operations Center system is configured to use a
Lightweight Directory Access Protocol (LDAP) user registry, user passwords
might be obtained by a brute force attack that uses HTTP basic authentication
requests to IBM Intelligent Operations Center.

Vulnerability Details

CVEID: CVE-2019-4067
DESCRIPTION: IBM Intelligent Operations Center does not require that users
have strong passwords by default, which makes it easier for attackers to
compromise user accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157012
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following products and versions:

  o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
  o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
  o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1

Remediation/Fixes

No interim fix is listed for this issue; see Workarounds and Mitigations.

Workarounds and Mitigations

Ensure that your LDAP server is configured with a suitable Password Policy.
For more information, see the troubleshooting document: User passwords might
be obtained by a brute force attack on IBM(R) Intelligent Operations Center if
your LDAP server does not have a secure Password Policy.

Change History

31 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
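The CVE-2019-4067 and CVE-2019-4068 bulletins describe the same attack from two sides: HTTP basic authentication requests let an attacker confirm which account names exist and then guess passwords against them, and the only mitigation offered is an LDAP password policy. Until that policy (with lockout) is in place, the activity is visible in the web tier's access log, because a failed basic-auth request is logged as a 401 with the attempted username in the remote-user field (Apache notes that this field "may be bogus" on a 401, which is exactly the attacker-supplied value we want). The detection below is an added example, not IBM code, and it assumes an Apache-style combined access log such as IBM HTTP Server writes; the log format, the thresholds, the IP addresses, usernames and request path are all constructed for the demonstration.

```python
"""Flag basic-auth brute force, user enumeration and password spraying
in an Apache-style access log (added example, not IBM code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(minutes=5)   # assumed sliding window
FAILS_PER_IP = 10               # 401s from one source inside the window
USERS_PER_IP = 5                # distinct usernames tried from one source (enumeration)
IPS_PER_USER = 3                # distinct sources failing against one account (spraying)


def parse_access_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],             # "-" when no Authorization header was sent
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_basic_auth_abuse(lines):
    """Return sorted (kind, subject, count) alerts derived from 401 responses."""
    events = [e for e in map(parse_access_line, lines) if e and e["status"] == 401]
    events.sort(key=lambda e: e["ts"])
    worst = {}                       # (kind, subject) -> highest count observed

    def note(kind, subject, count):
        if count > worst.get((kind, subject), 0):
            worst[(kind, subject)] = count

    # Per-source sliding window: raw failure volume and username diversity.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) >= FAILS_PER_IP:
                note("brute_force", ip, len(window))
            users = {w["user"] for w in window if w["user"] != "-"}
            if len(users) >= USERS_PER_IP:
                note("user_enumeration", ip, len(users))

    # Per-account view: one password tried from many sources evades per-IP limits.
    ips_by_user = defaultdict(set)
    for e in events:
        if e["user"] != "-":
            ips_by_user[e["user"]].add(e["ip"])
    for user, ips in ips_by_user.items():
        if len(ips) >= IPS_PER_USER:
            note("password_spray", user, len(ips))

    return sorted((kind, subject, n) for (kind, subject), n in worst.items())


def _line(ip, user, hms, status):
    """Constructed log line; the request path is invented for the example."""
    return (f'{ip} - {user} [31/May/2019:{hms} +1000] '
            f'"GET /ioc/api/items HTTP/1.1" {status} 0 "-" "curl/7.64.0"')


SAMPLE_LOG = (
    # One source walks a username list in under a minute: brute force + enumeration.
    [_line("198.51.100.7", f"user{n:02d}", f"10:15:{5 * n:02d}", 401) for n in range(12)]
    # A real operator mistypes once, then succeeds: no alert.
    + [_line("10.0.0.5", "alice", "10:20:00", 401),
       _line("10.0.0.5", "alice", "10:20:04", 200)]
    # Three sources each try once against the same account: spraying.
    + [_line(f"203.0.113.{n}", "operator", f"10:3{n}:00", 401) for n in (1, 2, 3)]
)

if __name__ == "__main__":
    for alert in detect_basic_auth_abuse(SAMPLE_LOG):
        print(*alert)
```

Two of the three signals need the username, which is why this has to run on the reverse proxy or HTTP server log rather than on firewall flow data. The spray check is the one to keep even after lockout is enabled: an attacker who knows the lockout threshold stays under it per account and per source, and only the cross-source count per account reveals the campaign.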
Cross reference information

  Product:  IBM Intelligent Operations Center for Emergency Management
  Platform: Windows
  Version:  5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6

  Product:  IBM Water Operations for Waternamics
  Platform: Linux
  Version:  5.1.0, 5.2.0, 5.2.0.1, 5.2.0.2, 5.2.0.3, 5.2.0.4, 5.2.0.5, 5.2.0.6,
            5.2.1, 5.2.1.1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXPS3tWaOgq3Tt24GAQgBwhAAuGmvJNgmn3tlI2ARY3KuQqNjMipeAc/M
FJiU2zDIWUKPEjgWeOwywBn90LVLyCFNt4ggJ8jXAvNaEvU+6uHoyuN4Rg8jvEIC
jQiUh1ZWwqj5MineNtr1SuKFFEcSW9wmtCv37tIaUhuFysZ/XGHooy2M0248h2tB
iXyenk1p8HZi51LGiYR6t7QeDDHLwZKjK8/wJ+kY5P0BZuh+qSg2rteCc2Riho9q
Z3vFpn4s7OYCKV4WJ3555bOty8BXlGnMHmJNnB7x+ZeIo081ibG+xZ1a+WetPYj3
IOjxPKXJ3uXRBY0QYR4PnvSWVdjt65jET/4y69bVihq1VaFvYzA+vqeehVO4hU0Q
D4foL9zBAf/iXxHmBaqcPfKLT1jRqJDSnJiFJMhlZWl7UEgrjsU+T0RVpQ+nNfzC
NABKRVv3j0p2SeGbSY4oowigUZyPfD3KRlV03pxrFzTwFnPtmOYKkc+P+u/qgvvh
l1vtRWWnoPTnp4fvZixSnxpc7Kapl/rL+Q+3ZTcHW8H2VA05zIgRQpoxP/7kgMsU
5f3wAmWUW395wXOej96PtZLtG7iQzmMX4Ndqfttjme2iw1+TbxFi5uPV8v9SoChz
4C1kfoN0aOHit+y1zkNgpRmmCtc5X0gEhhEApgm1cJDp8VwvnwOnLZCnIxLPuvJz
oLB6EXJKZzs=
=8blT
-----END PGP SIGNATURE-----