-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2030
             IBM Security Information Queue vulnerabilities
                                6 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Information Queue
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4219 CVE-2019-4218 CVE-2019-4217 CVE-2019-4162
                   CVE-2019-4161

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10885959
   http://www.ibm.com/support/docview.wss?uid=ibm10886061
   http://www.ibm.com/support/docview.wss?uid=ibm10886065
   http://www.ibm.com/support/docview.wss?uid=ibm10886051
   http://www.ibm.com/support/docview.wss?uid=ibm10885963

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Information Queue discloses internal data left over from the
product development phases

Product:             IBM Security Information Queue
Software version:    All Versions
Operating system(s): Linux
Reference #:         0885959

Security Bulletin

Summary

The initial versions of IBM Security Information Queue (ISIQ) disclose internal
data left over from the product development and Beta phases. In most cases, the
data is specific to ISIQ's development environment and not useful to an
attacker. Some of it, however, such as ISIQ's exact HTTP server level, could be
useful. This internal data has been removed as of the 1.0.3 GA version.

Vulnerability Details

CVEID: CVE-2019-4161
DESCRIPTION: IBM Security Information Queue (ISIQ) discloses sensitive
information to unauthorized users. The information can be used to mount further
attacks on the system.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158660 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue does not prevent caching of sensitive pages

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886061

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) allows web pages containing sensitive
content to be cached by a browser and thus become vulnerable to attackers or
malware. As of v1.0.3, the ISIQ web server instructs the browser not to cache
the content.

Vulnerability Details

CVEID: CVE-2019-4218
DESCRIPTION: IBM Security Information Queue (ISIQ) allows web pages to be
stored locally which can be read by another user on the system.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/159227 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue reveals internal data in application error
messages

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886065

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) reveals too much internal data when
displaying application error messages. This data could be used by an attacker.
As of v1.0.3, ISIQ's displayed errors are more terse. Detailed diagnostic data
is only written to ISIQ log files.

Vulnerability Details

CVEID: CVE-2019-4219
DESCRIPTION: IBM Security Information Queue (ISIQ) generates an error message
that includes sensitive information that could be used in further attacks
against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/159228 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue web application is vulnerable to clickjacking
attack

Product:             IBM Security Information Queue
Operating system(s): Linux
Reference #:         0886051

Security Bulletin

Summary

The IBM Security Information Queue (ISIQ) web application is vulnerable to a
clickjacking attack in which an untrusted page could get embedded into another
frame or object. As of v1.0.3, the ISIQ web server disallows browsers from
embedding content.

Vulnerability Details

CVEID: CVE-2019-4217
DESCRIPTION: IBM Security Information Queue (ISIQ) could allow a remote
attacker to hijack the clicking action of the victim. By persuading a victim to
visit a malicious Web site, a remote attacker could exploit this vulnerability
to hijack the victim's click actions and possibly launch further attacks
against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/159226 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- -------------------------------------------------------------------------------

IBM Security Information Queue web server allows downgrading to non-secure HTTP

Product:             IBM Security Information Queue
Software version:    All Versions
Operating system(s): Linux
Reference #:         0885963

Security Bulletin

Summary

The IBM Security Information Queue (ISIQ) web server defaults to HTTPS, but
does not enforce it. This could result in users navigating to an unencrypted
version of ISIQ's web application. As of ISIQ v1.0.3, HTTPS is now enforced.

Vulnerability Details

CVEID: CVE-2019-4162
DESCRIPTION: IBM Security Information Queue (ISIQ) is missing the HTTP Strict
Transport Security header. Users can navigate by mistake to the unencrypted
version of the web application or accept invalid certificates. This leads to
sensitive data being sent unencrypted over the wire.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158661 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.3 or greater) from the Docker Hub repository
"ibmcorp/security_information_queue":
https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent
Dragnea, Troy Fisher, Nathan Roane

Product Alias/Synonym

ISIQ

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXPhfOmaOgq3Tt24GAQi9HxAAr86aQKwAHbxa9yUWYLgkDF+BDWB1FB8s
erTGL09HDElwwaLmP6JIcrt2ojVt3dgw7qnZmcvctC/g0Cn9fxizqo8slUxUOZD+
q/tlhrmEy0un/RSZ2g4S2YOTFJ9CVztFtBM/puqvLkr7ePwMFwJbz/llvjSOmjpz
OyydIXild9Fvnd2Z8a5vmYy93AjtMAJLUb7BXG95stGqMyjJWQCooWxd8znlr6Cq
Bq/QCJD3hCY1IhLHb+5jFyesUtlVt0rotNTcAqx+YGIs8m15ljop4d4+ztceOvgF
Tit1VZ3LkQwdfWtrG0TguDLB3RzVjI6HthONnzxDNjCd5J68p8xnNoCB1nCKcD+z
mUSjSvf9pbXS3S8wvbfC1GqV25G/zxv4BGi9J5spMprfgyo4Bak/kZcCvypQk/WE
15SXk/RUJ+xiae2DfDYZNaKVcfmARPAI+L6+5uat3r4daHIYbC8s0xePSvGf/XJ1
9K5lGYYFNxlOA5DiaIOoUGRvVT/HNX9TYmi/ZYDifRkNcpCZe/JpeTRoaU4kV847
h5Q6afgkc6uxXfn3ohNZM4vgFmDd8zPb9g5NVZ8T6iEnNS4Oph9WXObKfLaReVA0
pPy8qTNKVTluCsr65yrUjPNVcQRm/efb4mA2EN6nFnBEykAW4yvmCs+cIQGxuqOJ
AliHCsdsULI=
=zTRA
-----END PGP SIGNATURE-----
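Four of the five advisories above (CVE-2019-4161 server-level disclosure, CVE-2019-4218 cacheable sensitive pages, CVE-2019-4217 clickjacking, CVE-2019-4162 missing HSTS) are fixed in ISIQ 1.0.3 by changing what the web server sends in its response headers, so the state of a deployed instance can be confirmed from a single response. The following audit is an added example appended after the bulletin; it is not AusCERT or IBM code, the two sample responses are constructed to match the advisory descriptions rather than captured from ISIQ, the `ExampleHTTPD` banner is invented, the exact header values ISIQ 1.0.3 sends are not stated in the bulletin, and the one-year HSTS `max-age` floor is an assumed baseline.

```python
"""Audit HTTP response headers for the four header-level weaknesses the
bulletin describes: a version-revealing Server banner (CVE-2019-4161),
cacheable sensitive pages (CVE-2019-4218), framing/clickjacking
(CVE-2019-4217) and missing HSTS (CVE-2019-4162).

Added example, not IBM or AusCERT code. The sample responses below are
constructed to match the bulletin's descriptions; they are not captured
from an ISIQ instance."""
import re
import sys
import urllib.request

# Assumption: one year is the minimum HSTS max-age we accept as "enforced".
MIN_HSTS_MAX_AGE = 31536000


def parse_response_head(raw: str) -> dict:
    """Parse the status line and header block of a raw HTTP response into a
    dict keyed by lower-cased header name. Repeated headers are joined with
    ', ' as RFC 7230 allows, so a Cache-Control split over two lines still
    audits correctly."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:              # lines[0] is the status line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers: dict, is_https: bool = True) -> list:
    """Return a list of finding codes; an empty list means all checks passed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # CVE-2019-4161: a Server banner carrying a version number is the "exact
    # HTTP server level" the bulletin says could be useful to an attacker.
    if re.search(r"\d", h.get("server", "")):
        findings.append("server-version-disclosed")

    # CVE-2019-4218: sensitive pages must not be stored by the browser.
    # no-store is the directive that matters; Pragma only helps HTTP/1.0 caches.
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in cc:
        findings.append("cacheable")

    # CVE-2019-4217: framing must be refused via X-Frame-Options or a
    # Content-Security-Policy frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("frameable")

    # CVE-2019-4162: HSTS only takes effect on an HTTPS response, and a tiny
    # max-age gives almost no protection against a later downgrade.
    if is_https:
        m = re.search(r"max-age\s*=\s*(\d+)",
                      h.get("strict-transport-security", ""), re.I)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("hsts-missing-or-weak")
    return findings


def audit_url(url: str) -> list:
    """Fetch a live URL (GET, redirects followed) and audit its final response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()),
                             resp.url.startswith("https://"))


# Constructed sample responses (not captured traffic): the first shows every
# weakness the bulletin lists, the second carries the corrective headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD/2.4.29\r\n"        # assumed banner, not ISIQ's
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=constructed; Path=/\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Cache-Control: no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], audit_url(sys.argv[1]) or "ok")
    else:
        for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
            print(name, audit_headers(parse_response_head(raw)) or "ok")
```

Run with no arguments to see the constructed weak response produce all four findings and the hardened one none; pass the HTTPS URL of an ISIQ login page as the only argument to audit a live instance (on a pre-1.0.3 image the bulletin implies at least `frameable` and `hsts-missing-or-weak`, since HTTPS was not enforced and embedding was not refused). The fifth advisory, CVE-2019-4219 (verbose error messages), is not detectable from headers and is best checked by triggering an application error and confirming the page body contains no stack trace or internal path.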