-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2163
          IBM Maximo Asset Management receives security updates
                               19 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4364 CVE-2019-4303

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10887563
   http://www.ibm.com/support/docview.wss?uid=ibm10887557

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4303)

Product:             Maximo Asset Management
Software version:    7.6
Operating system(s): Platform Independent
Reference #:         0887563

Security Bulletin

Summary

IBM Maximo Asset Management is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
thus altering the intended functionality and potentially leading to credentials
disclosure within a trusted session.

Vulnerability Details

CVEID: CVE-2019-4303
DESCRIPTION: IBM Maximo Asset Management is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI, thus altering the intended functionality and potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/160949 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset
Management core product, and all other IBM Maximo Industry Solution and IBM
Control Desk products, regardless of their own version, if they are currently
installed on top of an affected IBM Maximo Asset Management.

* Maximo Asset Management core product affected versions:
  Maximo Asset Management 7.6

  Industry Solutions products affected if using an affected core version:
  Maximo for Aviation
  Maximo for Life Sciences
  Maximo for Nuclear Power
  Maximo for Oil and Gas
  Maximo for Transportation
  Maximo for Utilities

  IBM Control Desk products affected if using an affected core version:
  SmartCloud Control Desk
  IBM Control Desk
  Tivoli Integration Composer

* To determine the core product version, log in and view System Information.
  The core product version is the "Tivoli's process automation engine"
  version. Please consult the Product Coexistence Matrix for a list of
  supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack
from Fix Central (What is Fix Central) and apply it for each affected product
as soon as possible. Please see below for information on the fixes available
for each product, version, and release. Follow the installation instructions in
the 'readme' documentation provided with each fix pack or interim fix.
For Maximo Asset Management 7.6:

+--------+-------------------------------------------+---------------------------+
|VRM     |Fix Pack, Feature Pack, or Interim Fix     |Download                   |
+--------+-------------------------------------------+---------------------------+
|7.6.1.1 |Maximo Asset Management 7.6.1.1 Feature    |FixCentral                 |
|        |Pack:                                      |                           |
|        |7.6.1.1-TIV-MAMMT-FP0001 or latest Interim |                           |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+
|        |Maximo Asset Management 7.6.0.10 iFix:     |                           |
|7.6.0.10|7.6.0.10-TIV-MBS-IFIX005 or latest Interim |FixCentral                 |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+
|        |Maximo Asset Management 7.6.1 iFix:        |                           |
|7.6.1   |7.6.1.0-TIV-MBS-IFIX009 or latest Interim  |FixCentral                 |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+

Change History

17 June 2019: Original version published

Cross reference information

Product                    Component  Platform              Version                                          Edition
Control Desk                          Platform Independent  7.6.0, 7.6.0.1
Maximo for Life Sciences              Platform Independent  7.6
Maximo for Nuclear Power              Platform Independent  7.6.0
Maximo for Oil and Gas                Platform Independent  7.6.0
Maximo for Transportation             Platform Independent  7.6.1, 7.6.2, 7.6.2.1, 7.6.2.2, 7.6.2.3, 7.6.2.4
Maximo for Utilities                  Platform Independent  7.6
IBM Maximo for Aviation               Platform Independent  7.6, 7.6.1, 7.6.2, 7.6.2.1, 7.6.3

- --------------------------------------------------------------------------------

IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2019-4364)

Product:             Maximo Asset Management
Software version:    7.6
Operating system(s): Platform Independent
Reference #:         0887557

Security Bulletin

Summary

IBM Maximo Asset Management is vulnerable to CSV injection, which could allow a
remote authenticated attacker to execute arbitrary commands on the system.
Vulnerability Details

CVEID: CVE-2019-4364
DESCRIPTION: IBM Maximo Asset Management is vulnerable to CSV injection, which
could allow a remote authenticated attacker to execute arbitrary commands on
the system.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/161680 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset
Management core product, and all other IBM Maximo Industry Solution and IBM
Control Desk products, regardless of their own version, if they are currently
installed on top of an affected IBM Maximo Asset Management.

* Maximo Asset Management core product affected versions:
  Maximo Asset Management 7.6

  Industry Solutions products affected if using an affected core version:
  Maximo for Aviation
  Maximo for Life Sciences
  Maximo for Nuclear Power
  Maximo for Oil and Gas
  Maximo for Transportation
  Maximo for Utilities

  IBM Control Desk products affected if using an affected core version:
  SmartCloud Control Desk
  IBM Control Desk
  Tivoli Integration Composer

* To determine the core product version, log in and view System Information.
  The core product version is the "Tivoli's process automation engine"
  version. Please consult the Product Coexistence Matrix for a list of
  supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack
from Fix Central (What is Fix Central) and apply it for each affected product
as soon as possible. Please see below for information on the fixes available
for each product, version, and release. Follow the installation instructions in
the 'readme' documentation provided with each fix pack or interim fix.
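The CSV injection described for CVE-2019-4364 arises when a user-controlled field (a work order description, for instance) is written into an export file unchanged and a spreadsheet later evaluates a cell that begins with a formula trigger. The following is an added example of the standard defensive handling on the export side, written for this bulletin and not code from IBM, Maximo or AusCERT; the column names and sample rows are constructed for illustration.

```python
"""Defensive CSV export: neutralise formula-leading cells (added example).

Spreadsheet applications treat a cell whose text starts with '=', '+', '-' or
'@' (and, in some versions, a tab or carriage return) as a formula.  This
helper follows the usual OWASP guidance: prefix such cells with an apostrophe
so they stay literal text, strip record-breaking control characters, and quote
every field.  A small audit function scans an existing export for cells that
would still be interpreted as formulas.
"""
import csv
import io

# Leading characters that make a spreadsheet evaluate the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a spreadsheet would treat this cell text as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the text to write for one cell, made safe for spreadsheet import."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        # Genuine numbers (including negatives) come from typed columns, not
        # free text, so they are written as-is.
        return str(value)
    text = "" if value is None else str(value)
    # CR/LF/TAB inside a value could split the record or hide a payload.
    text = text.replace("\r", "").replace("\n", " ").replace("\t", " ")
    if is_formula_like(text):
        # A leading apostrophe makes Excel/LibreOffice keep the cell as text.
        text = "'" + text
    return text


def export_rows(rows, header) -> str:
    """Serialise rows to CSV text with every free-text cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing export: (row, column, value) for every formula-like cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    # Constructed sample: one description field carries a formula trigger.
    header = ("wonum", "description", "qty")
    rows = [
        ("WO1001", "Pump inspection", 3),
        ("WO1002", "=SUM(1,2)", 1),
        ("WO1003", "line1\r\nline2", -5),
    ]
    safe_csv = export_rows(rows, header)
    print(safe_csv)
    print("formula-like cells left:", find_formula_cells(safe_csv))
```

The audit function is the useful check to run over files an application already produced: a clean export from a patched system should return an empty list, while an unpatched export of the same constructed rows would report the `=SUM(1,2)` cell.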
For Maximo Asset Management 7.6:

+--------+-------------------------------------------+---------------------------+
|VRM     |Fix Pack, Feature Pack, or Interim Fix     |Download                   |
+--------+-------------------------------------------+---------------------------+
|7.6.1.1 |Maximo Asset Management 7.6.1.1 Feature    |FixCentral                 |
|        |Pack:                                      |                           |
|        |7.6.1.1-TIV-MAMMT-FP0001 or latest Interim |                           |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+
|        |Maximo Asset Management 7.6.0.10 iFix:     |                           |
|7.6.0.10|7.6.0.10-TIV-MBS-IFIX005 or latest Interim |FixCentral                 |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+
|        |Maximo Asset Management 7.6.1 iFix:        |                           |
|7.6.1   |7.6.1.0-TIV-MBS-IFIX009 or latest Interim  |FixCentral                 |
|        |Fix available                              |                           |
+--------+-------------------------------------------+---------------------------+

Change History

12 June 2019: Original version published

Cross reference information

Product                    Component  Platform              Version                                          Edition
Control Desk                          Platform Independent  7.6.0, 7.6.0.1
Maximo for Life Sciences              Platform Independent  7.6
Maximo for Nuclear Power              Platform Independent  7.6.0
Maximo for Oil and Gas                Platform Independent  7.6.0
Maximo for Transportation             Platform Independent  7.6.1, 7.6.2, 7.6.2.1, 7.6.2.2, 7.6.2.3, 7.6.2.4
Maximo for Utilities                  Platform Independent  7.6
IBM Maximo for Aviation               Platform Independent  7.6, 7.6.1, 7.6.2, 7.6.2.1, 7.6.3

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXQlzLmaOgq3Tt24GAQjbiRAApyBKsYblv34I2uKj0DHmLlaWIm/3lE7Q
JoL3pvA1TQ4wRJqro6b1wmXoih8pMI9S/pVmPF7FyPDVYhw0bSRuALl2x++Wl0TP
maUXBfmvl3Ra2Ds0dnxQ84NVFuAo70C8b88nffd7uzzuzlY4lo7RU0r6eFUxUE/j
fbhjaJoLfC2+lRcSaTxePdl899uYbHSq9evmIOpI7Mzhxt9ddSpCkboARPJpLbSf
l4Xf3MTHRoxNFU64wMCYfgGm1j88C8ji+vV9nVwtLzirMNadQH29gmCIpCVuQ/m3
bPNIrNyoc5gzYWKqj6cBkJ6P9ysLWx5JjzwBqk3XnTHE68J/SA3b9jefjuQOoqMv
jgzVFj+MZK73alQRahxjmXMgxBSCJnbcUGXY73Q9+FBZC/o72zABGCIS/9zw3Sor
pUEIpnX7+d8fn4X/5HuA0JAW57Xns+hMt9AyM97La8Iy443GzMeO33/fXe+nPW6e
kTWfVmebw9HhntEGCB6HoxYH6lkxmkqD9ZvxXpl4XltxoCNAFcbnthcqrsgkj5cs
BMeROvkH9GRwdkVeTlbyMqOnIBAgxFtK7M8gWFVWGDt7DfFz1aAWW5pScQYjJr8U
FkREGXKMvT3tYiLtCShFm52pdXG5Qpz+J0UMjnCNX7DY/Qi0H245lGlw6faP5I+H
14AUvAdxbAI=
=QLk2
-----END PGP SIGNATURE-----