-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2187
           IBM Symphony products update jackson-databind dependency
                               19 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Platform Symphony
                   IBM Spectrum Symphony
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14721 CVE-2018-14720 CVE-2018-14719
                   CVE-2018-14718
Reference:         ESB-2019.1988 ESB-2019.1878 ESB-2019.1350 ESB-2019.0674

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10888039

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM
Platform Symphony and IBM Spectrum Symphony

Document information

Software version:     7.1.2, 7.2.0.2, 7.2.1
Operating system(s):  Linux
Reference #:          0888039
Modified date:        18 June 2019

Summary

Multiple vulnerabilities exist in the Jackson databind, core, and annotations
version used by IBM Spectrum Symphony 7.2.1, 7.2.0.2, and 7.1.2, and IBM
Platform Symphony 7.1.1 and 7.1 Fix Pack 1. Interim fixes that provide
instructions on upgrading Jackson databind, core, and annotations to version
2.9.8 are available on IBM Fix Central.

Vulnerability Details

CVEID: CVE-2018-14721
DESCRIPTION: FasterXML jackson-databind is vulnerable to server-side request
forgery, caused by the failure to block the axis2-jaxws class from polymorphic
deserialization. A remote authenticated attacker could exploit this
vulnerability to obtain sensitive data.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155136
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14720
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when
processing XML data by JDK classes. By sending specially-crafted XML data, a
remote attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155137
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14718
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block the
slf4j-ext class from polymorphic deserialization. An attacker could exploit
this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155139
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-14719
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block the
blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155138
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Symphony 7.2.1, 7.2.0.2, and 7.1.2
IBM Platform Symphony 7.1.1 and 7.1 Fix Pack 1

Remediation/Fixes

Download the interim fixes that correspond to your product version from IBM
Fix Central, then follow the steps in the accompanying readme to apply the
interim fix on Linux x86_64 hosts in your cluster:

+--------------------------------------+--------------------------------------+
|IBM Spectrum Symphony 7.2.1 (x86_64)  |sym-7.2.1-build521112                 |
|--------------------------------------+--------------------------------------|
|IBM Spectrum Symphony 7.2.0.2 (x86_64)|sym-7.2.0.2-build521104               |
|--------------------------------------+--------------------------------------|
|IBM Spectrum Symphony 7.1.2 (x86_64)  |sym-7.1.2-build521103                 |
|--------------------------------------+--------------------------------------|
|IBM Platform Symphony 7.1.1 (x86_64)  |sym-7.1.1-build521102                 |
|--------------------------------------+--------------------------------------|
|IBM Platform Symphony 7.1 Fix Pack 1  |sym-7.1-build521096                   |
|(x86_64)                              |                                      |
+--------------------------------------+--------------------------------------+

Workarounds and Mitigations

None.

Change History

June 18, 2019: Original version.

Cross reference information

Product            Component   Platform   Version                  Edition
Platform Symphony              Linux      7.1 Fix Pack 1, 7.1.1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
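The four CVEs in this bulletin are all cases of jackson-databind's internal blocklist missing a class that untrusted input can name through polymorphic deserialization. The Java example below is added here and is not part of the IBM bulletin or of the Symphony products; it shows the ObjectMapper setting that lets input choose the class to instantiate beside the explicit subtype allow-list that does not rely on that blocklist at all. The Task/Job model and the "cpu"/"io" type names are hypothetical, and it assumes jackson-databind 2.9.x (the version the interim fixes install) on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicHardening {
    // Weak setting: default typing makes Jackson read a fully qualified class
    // name from the JSON for every non-final property and instantiate it, so
    // only the library's internal blocklist separates input from a gadget class
    // (which is why each CVE above reads "failure to block X").
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // 2.9 API
        return m;
    }

    // Hardened setting: default typing stays off (the ObjectMapper default);
    // polymorphism is expressed only through the explicit allow-list below.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Hypothetical model: the type id is a logical name, not a class name, and
    // it can resolve only to the two subtypes listed here.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = CpuTask.class, name = "cpu"),
        @JsonSubTypes.Type(value = IoTask.class, name = "io")
    })
    public interface Task {}
    public static class CpuTask implements Task { public int cores; }
    public static class IoTask implements Task { public String path; }
    public static class Job { public String name; public Task task; }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();
        // Constructed input with an allowed type name deserializes normally.
        Job job = safe.readValue(
            "{\"name\":\"render\",\"task\":{\"kind\":\"cpu\",\"cores\":4}}", Job.class);
        System.out.println(job.task.getClass().getSimpleName());
        // Under default typing the wire format itself carries a class name, the
        // very field that untrusted input would otherwise get to choose.
        System.out.println(weakMapper().writeValueAsString(job));
        // A type name outside the allow-list is rejected before any class is
        // loaded or instantiated.
        try {
            safe.readValue(
                "{\"name\":\"x\",\"task\":{\"kind\":\"other\",\"cores\":1}}", Job.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Auditing a deployment for calls to enableDefaultTyping (or for @JsonTypeInfo with Id.CLASS) on mappers that parse external input is the check that complements the version upgrade, since the 2.9.8 blocklist only covers gadget classes known at release time.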