-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2030
              IBM Security Information Queue vulnerabilities
                                6 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Information Queue
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4219 CVE-2019-4218 CVE-2019-4217
                   CVE-2019-4162 CVE-2019-4161 

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10885959
   http://www.ibm.com/support/docview.wss?uid=ibm10886061
   http://www.ibm.com/support/docview.wss?uid=ibm10886065
   http://www.ibm.com/support/docview.wss?uid=ibm10886051
   http://www.ibm.com/support/docview.wss?uid=ibm10885963

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Information Queue discloses internal data left over from the
product development phases

Product:             IBM Security Information Queue
Software version:    All Versions
Operating system(s): Linux
Reference #:         0885959

Security Bulletin

Summary

The initial versions of IBM Security Information Queue (ISIQ) disclose internal
data left over from the product development and Beta phases. In most cases, the
data is specific to ISIQ's development environment and not useful to an
attacker. Some of it, however, such as ISIQ's exact HTTP server level, could be
useful. This internal data has been removed as of the 1.0.3 GA version.

Vulnerability Details

CVEID: CVE-2019-4161
DESCRIPTION: IBM Security Information Queue (ISIQ) discloses sensitive
information to unauthorized users. The information can be used to mount further
attacks on the system.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158660
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue does not prevent caching of sensitive pages

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886061

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) allows web pages containing sensitive
content to be cached by a browser and thus become vulnerable to attackers or
malware. As of v1.0.3, the ISIQ web server instructs the browser to not cache
the content.

Vulnerability Details

CVEID: CVE-2019-4218
DESCRIPTION: IBM Security Information Queue (ISIQ) allows web pages to be
stored locally which can be read by another user on the system.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159227
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue reveals internal data in application error
messages

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886065

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) reveals too much internal data when
displaying application error messages. This data could be used by an attacker.
As of v1.0.3, ISIQ's displayed errors are more terse. Detailed diagnostic data
is only written to ISIQ log files.
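
The Python below is an added illustration and is not IBM's or AusCERT's code; the exception text, logger name and reference-id scheme are constructed, and the bulletin does not describe ISIQ's actual log format. It contrasts an error handler that echoes internal details to the client with the pattern the fix describes: a fixed client message carrying only a random reference id, while the full traceback is written to the server-side log where that id can be looked up.

```python
# Added example, not IBM's or AusCERT's code. The exception text, logger name and
# reference-id scheme are constructed for illustration; ISIQ's own log format is
# not described in the bulletin.
import io
import logging
import traceback
import uuid
from typing import Callable, Optional, Tuple

# Stand-in for the server-side log file (assumption): an in-memory stream so the
# example runs offline and the log contents can be inspected afterwards.
LOG_STREAM = io.StringIO()
logger = logging.getLogger("example.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(LOG_STREAM))
logger.propagate = False


def failing_operation() -> None:
    """Constructed failure whose message carries internal details an attacker
    would value: a backend host name, port and service account name."""
    raise ConnectionError("db01.internal.example:5432 refused connection for user isiq_app")


def capture(operation: Callable[[], None]) -> Optional[BaseException]:
    """Run an operation and hand back the exception it raised, traceback attached."""
    try:
        operation()
    except Exception as exc:  # deliberately broad: this is the top-level handler
        return exc
    return None


def _format(exc: BaseException) -> str:
    """Full diagnostic text: exception class, message and stack trace."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def verbose_error_response(exc: BaseException) -> str:
    """Pre-fix style: the client receives the exception class, message and stack
    trace, i.e. internal host names, paths and component details."""
    return "Internal error:\n" + _format(exc)


def terse_error_response(exc: BaseException) -> Tuple[str, str]:
    """Post-fix style: the client gets a fixed message plus a random reference id;
    the same id and the full traceback go only to the server-side log, so an
    operator can still correlate a user report with the diagnostic record."""
    ref = uuid.uuid4().hex[:12]
    logger.error("ref=%s\n%s", ref, _format(exc))
    return f"An internal error occurred. Reference: {ref}", ref


if __name__ == "__main__":
    exc = capture(failing_operation)
    print("--- verbose (leaks internals) ---")
    print(verbose_error_response(exc))
    msg, ref = terse_error_response(exc)
    print("--- terse (what the client sees) ---")
    print(msg)
    print("--- server log entry for", ref, "---")
    print(LOG_STREAM.getvalue())
```

The reference id is what makes the terse message workable operationally: support staff can find the matching log entry without the client ever seeing the host name or stack trace.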

Vulnerability Details

CVEID: CVE-2019-4219
DESCRIPTION: IBM Security Information Queue (ISIQ) generates an error message
that includes sensitive information that could be used in further attacks
against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159228
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue web application is vulnerable to clickjacking
attack

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886051

Security Bulletin

Summary

The IBM Security Information Queue (ISIQ) web application is vulnerable to a
clickjacking attack in which an untrusted page could get embedded into another
frame or object. As of v1.0.3, the ISIQ web server disallows browsers from
embedding content.

Vulnerability Details

CVEID: CVE-2019-4217
DESCRIPTION: IBM Security Information Queue (ISIQ) could allow a remote
attacker to hijack the clicking action of the victim. By persuading a victim to
visit a malicious Web site, a remote attacker could exploit this vulnerability
to hijack the victim's click actions and possibly launch further attacks
against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159226
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue web server allows downgrading to non-secure HTTP

Product:             IBM Security Information Queue
Software version:    All Versions
Operating system(s): Linux
Reference #:         0885963

Security Bulletin

Summary

The IBM Security Information Queue (ISIQ) web server defaults to HTTPS, but
does not enforce it. This could result in users navigating to an unencrypted
version of ISIQ's web application. As of ISIQ v1.0.3, HTTPS is now enforced.

Vulnerability Details

CVEID: CVE-2019-4162
DESCRIPTION: IBM Security Information Queue (ISIQ) is missing the HTTP Strict
Transport Security header. Users can navigate by mistake to the unencrypted
version of the web application or accept invalid certificates. This leads to
sensitive data being sent unencrypted over the wire.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158661
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
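
The header audit below is an added example and is not part of the IBM advisories or of AusCERT's bulletin. It checks a pasted HTTP response head for the four header-level weaknesses this bulletin lists: no Cache-Control no-store (CVE-2019-4218), no framing restriction (CVE-2019-4217), a missing Strict-Transport-Security header (CVE-2019-4162) and a version-bearing Server banner (CVE-2019-4161). The bulletin does not say which headers ISIQ 1.0.3 actually sends, so the set of headers treated as adequate is an assumption, and the two response heads are constructed samples, not captures from ISIQ.

```python
# Added example, not IBM's or AusCERT's own code: an offline audit of HTTP
# response headers covering the header-related issues in this bulletin
# (browser caching, framing/clickjacking, HTTP downgrade, server banner).
# The responses below are constructed samples, not captures from ISIQ; the
# bulletin does not state which headers ISIQ 1.0.3 sends, so the "hardened"
# sample is an assumption about what an adequate fix looks like.
from typing import Dict, List


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn the text of an HTTP response head (e.g. pasted `curl -I` output)
    into a dict keyed by lower-cased header name; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or -1."""
    for directive in value.split(";"):
        key, sep, num = directive.strip().partition("=")
        if sep and key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return one finding string per weakness; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Caching of sensitive pages: without no-store the browser may write the
    # page to its cache, where another local user or malware can read it.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("caching: Cache-Control lacks no-store")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must tell the browser not to render the page inside a foreign frame.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # HTTPS enforcement: HSTS makes the browser refuse plain HTTP and invalid
    # certificates for this host on later visits.
    if scheme != "https":
        findings.append("transport: response served over plain HTTP")
    elif _hsts_max_age(h.get("strict-transport-security", "")) <= 0:
        findings.append("transport: Strict-Transport-Security missing or max-age not positive")

    # Information disclosure: a version number in the Server banner hands a
    # scanner the exact server level to look up.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"disclosure: Server header reveals a version: {server!r}")

    return findings


# Constructed sample of a response head lacking every protection (not from ISIQ).
LEGACY_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleHTTPd/2.4.1
Content-Type: text/html; charset=utf-8
"""

# Constructed sample with the headers a hardened release is assumed to send.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleHTTPd
Content-Type: text/html; charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_response_headers(raw)) or ["no findings"])
```

To verify an upgraded deployment, feed the output of `curl -sI https://<isiq-host>/` (placeholder host) into parse_response_headers and confirm audit_headers returns an empty list; a non-empty list names which of the bulletin's conditions is still present.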

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----