-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2187
         IBM Symphony products update jackson-databind dependency
                               19 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Platform Symphony
                   IBM Spectrum Symphony
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14721 CVE-2018-14720 CVE-2018-14719
                   CVE-2018-14718

Reference:         ESB-2019.1988
                   ESB-2019.1878
                   ESB-2019.1350
                   ESB-2019.0674

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10888039

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM
Platform Symphony and IBM Spectrum Symphony

Document information
Software version: 7.1.2, 7.2.0.2, 7.2.1
Operating system(s): Linux
Reference #: 0888039
Modified date: 18 June 2019

Summary

Multiple vulnerabilities exist in the versions of the Jackson databind, core,
and annotations libraries used by IBM Spectrum Symphony 7.2.1, 7.2.0.2, and
7.1.2, and by IBM Platform Symphony 7.1.1 and 7.1 Fix Pack 1. Interim fixes
that provide instructions on upgrading Jackson databind, core, and annotations
to version 2.9.8 are available on IBM Fix Central.

Vulnerability Details

CVEID: CVE-2018-14721
DESCRIPTION: FasterXML jackson-databind is vulnerable to server-side request
forgery, caused by the failure to block classes from the axis2-jaxws library
from polymorphic deserialization. A remote attacker could exploit this
vulnerability to obtain sensitive data.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155136 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14720
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when XML
data is processed by JDK classes reachable through polymorphic
deserialization. By sending specially crafted XML data, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14718
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block classes
from the slf4j-ext library from polymorphic deserialization. A remote attacker
could exploit this vulnerability by sending specially crafted input.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-14719
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block classes
from the blaze-ds-opt and blaze-ds-core libraries from polymorphic
deserialization. A remote attacker could exploit this vulnerability by sending
specially crafted input.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
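
The four CVEs above share one mechanism: jackson-databind resolves an
attacker-supplied type identifier only when the application has enabled
polymorphic type handling (default typing, or a property of type
java.lang.Object annotated for it), and the gadget library must be on the
application's classpath; the 2.9.8 upgrade extends the deserializer's
blocklist to the libraries named. Until the interim fix is applied, those type
identifiers can at least be spotted on the wire. The example below is added
here and is not IBM's or FasterXML's code: it scans JSON bodies for type
identifiers from the three libraries. It assumes the raw JSON that reaches
jackson-databind is available (from an access log, reverse proxy or WAF), and
the class names in its constructed samples, other than
org.slf4j.ext.EventData, are placeholders rather than the real gadget classes.

```python
"""Flag Jackson polymorphic type ids that name the gadget libraries in this
bulletin (slf4j-ext, BlazeDS, axis2-jaxws) inside JSON request bodies.

Added example; not IBM's or FasterXML's code.  It assumes the raw JSON that
the application hands to jackson-databind is available (from an access log,
a reverse proxy or a WAF) and that type ids appear in one of Jackson's
default-typing shapes:
  ["fully.qualified.Class", {...}]      WRAPPER_ARRAY (enableDefaultTyping default)
  {"@class": "fully.qualified.Class"}   PROPERTY with JsonTypeInfo.Id.CLASS
  {"fully.qualified.Class": {...}}      WRAPPER_OBJECT
"""
import json
import re

# Package prefixes of the libraries the bulletin names.  The bulletin does not
# list the gadget classes themselves, so match on the package: any class from
# these libraries arriving as a type id is suspicious in a JSON API.
GADGET_PACKAGES = {
    "org.slf4j.ext.": "slf4j-ext (CVE-2018-14718)",
    "flex.messaging.": "blaze-ds-opt / blaze-ds-core (CVE-2018-14719)",
    "org.apache.axis2.": "axis2-jaxws (CVE-2018-14721)",
}

# A Java fully qualified class name: two or more dotted identifier segments.
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")
TYPE_KEYS = ("@class", "@type")


def type_hints(node):
    """Yield every string that sits where Jackson would read a type id."""
    if isinstance(node, list):
        if len(node) == 2 and isinstance(node[0], str) and FQCN.match(node[0]):
            yield node[0]                       # ["pkg.Class", {...}]
        for child in node:
            yield from type_hints(child)
    elif isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_KEYS and isinstance(value, str) and FQCN.match(value):
                yield value                     # {"@class": "pkg.Class"}
            elif FQCN.match(key):
                yield key                       # {"pkg.Class": {...}}
            yield from type_hints(value)


def classify(type_id):
    """Return the bulletin entry a type id belongs to, or None if unrelated."""
    for prefix, label in GADGET_PACKAGES.items():
        if type_id.startswith(prefix):
            return label
    return None


def scan_body(raw):
    """Return [(type_id, library), ...] for one JSON body; [] if clean or not JSON."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return []
    hits = []
    for type_id in type_hints(doc):
        label = classify(type_id)
        if label and (type_id, label) not in hits:
            hits.append((type_id, label))
    return hits


# Constructed sample bodies, not captured traffic.  Apart from
# org.slf4j.ext.EventData the class names are placeholders, not real gadgets.
SAMPLES = [
    '{"task": "render", "priority": 3, "tags": ["java.util.ArrayList", ["a"]]}',
    '{"task": ["org.slf4j.ext.EventData", {"message": "x"}]}',
    '{"@class": "flex.messaging.util.concurrent.PlaceholderExecutor", "pool": "x"}',
    '{"handler": {"org.apache.axis2.jaxws.PlaceholderResolver": {"path": "x"}}}',
    'not json at all',
]


def scan_samples():
    """Run the detector over SAMPLES; returns {index: hits} for flagged bodies."""
    return {i: hits for i, hits in ((i, scan_body(s)) for i, s in enumerate(SAMPLES)) if hits}


if __name__ == "__main__":
    for i, hits in scan_samples().items():
        for type_id, label in hits:
            print("body %d: %s -> %s" % (i, type_id, label))
```

The first sample shows why the match is on the package and not on "any type
id": a legitimate default-typing payload carries JDK class names such as
java.util.ArrayList, so a detector that fires on every type id would be noise.
Run it as a filter over a log of request bodies, one JSON document per line.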

Affected Products and Versions

IBM Spectrum Symphony 7.2.1, 7.2.0.2, and 7.1.2

IBM Platform Symphony 7.1.1 and 7.1 Fix Pack 1

Remediation/Fixes

Download the interim fixes that correspond to your product version from IBM Fix
Central, then follow the steps in the accompanying readme to apply the interim
fix on Linux x86_64 hosts in your cluster:

+-----------------------------------------------------------------------------+
|Product version                       |Interim fix (IBM Fix Central)         |
|--------------------------------------+--------------------------------------|
|IBM Spectrum Symphony 7.2.1 (x86_64)  |sym-7.2.1-build521112                 |
|--------------------------------------+--------------------------------------|
|IBM Spectrum Symphony 7.2.0.2 (x86_64)|sym-7.2.0.2-build521104               |
|--------------------------------------+--------------------------------------|
|IBM Spectrum Symphony 7.1.2 (x86_64)  |sym-7.1.2-build521103                 |
|--------------------------------------+--------------------------------------|
|IBM Platform Symphony 7.1.1 (x86_64)  |sym-7.1.1-build521102                 |
|--------------------------------------+--------------------------------------|
|IBM Platform Symphony 7.1 Fix Pack 1  |sym-7.1-build521096                   |
|(x86_64)                              |                                      |
+-----------------------------------------------------------------------------+
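
To confirm that the interim fix actually landed on every host, the added
example below (not IBM's code, and not the procedure from the fix readme)
walks an installation tree, reads the Jackson version from each jar's Maven
pom.properties entry (falling back to the file name when that entry is
missing) and flags anything below 2.9.8. It assumes the installation root is
passed as an argument, since where Symphony keeps its jars depends on the
install, and it checks all three artifacts because the summary says the fix
upgrades jackson-core and jackson-annotations as well as jackson-databind.

```python
"""Check that every Jackson jar under an installation tree is at or above the
version the bulletin's interim fixes deliver (2.9.8).

Added example, not part of the IBM interim fix or its readme.  Assumptions:
the Symphony installation root is passed on the command line (where the jars
live depends on the install), the jars carry Maven's standard
META-INF/maven/<groupId>/<artifactId>/pom.properties entry, and the filename
carries the version when that entry is missing.
"""
import os
import re
import sys
import tempfile
import zipfile

FIXED_VERSION = (2, 9, 8)          # what the interim fixes upgrade Jackson to
GROUP = "com.fasterxml.jackson.core"
ARTIFACTS = ("jackson-databind", "jackson-core", "jackson-annotations")
JAR_NAME = re.compile(r"^(jackson-(?:databind|core|annotations))-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """'2.9.8' -> (2, 9, 8); '2.9.8-rc1' -> (2, 9, 8); unparseable -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def jar_version(path):
    """Return (artifact, version tuple) from pom.properties, else the filename."""
    name_match = JAR_NAME.match(os.path.basename(path))
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            for artifact in ARTIFACTS:
                entry = "META-INF/maven/%s/%s/pom.properties" % (GROUP, artifact)
                if entry in names:
                    props = {}
                    for line in zf.read(entry).decode("utf-8").splitlines():
                        if "=" in line and not line.startswith("#"):
                            key, value = line.split("=", 1)
                            props[key.strip()] = value
                    return artifact, parse_version(props.get("version", ""))
    except zipfile.BadZipFile:
        pass                                   # not a jar; fall back to the name
    if name_match:
        return name_match.group(1), parse_version(name_match.group(2))
    return None, ()


def scan_tree(root):
    """Map jar path -> (artifact, version, vulnerable) for every Jackson jar.

    An unreadable version () sorts below FIXED_VERSION and is reported as
    vulnerable on purpose: an unknown Jackson build needs a manual look."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("jackson-") and f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                artifact, version = jar_version(path)
                if artifact:
                    findings[path] = (artifact, version, version < FIXED_VERSION)
    return findings


def report(root):
    """Sorted (jar name, dotted version, vulnerable) rows for scan_tree(root)."""
    return sorted((os.path.basename(p), ".".join(map(str, v)) or "?", vuln)
                  for p, (_, v, vuln) in scan_tree(root).items())


def vulnerable_jars(root):
    """Jar names below FIXED_VERSION; an empty list means the fix is in."""
    return [name for name, _, vuln in report(root) if vuln]


def build_sample_tree():
    """Constructed sample install tree: one pre-fix jar, one fixed jar, and a
    jar without pom.properties that must fall back to its filename."""
    root = tempfile.mkdtemp(prefix="symphony-sample-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for artifact, version in (("jackson-databind", "2.9.5"), ("jackson-core", "2.9.8")):
        with zipfile.ZipFile(os.path.join(lib, "%s-%s.jar" % (artifact, version)), "w") as zf:
            zf.writestr("META-INF/maven/%s/%s/pom.properties" % (GROUP, artifact),
                        "#generated\nversion=%s\ngroupId=%s\nartifactId=%s\n"
                        % (version, GROUP, artifact))
    with zipfile.ZipFile(os.path.join(lib, "jackson-annotations-2.9.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for name, version, vuln in report(root):
        print("%-10s %-8s %s" % ("VULNERABLE" if vuln else "ok", version, name))
    sys.exit(1 if vulnerable_jars(root) else 0)
```

Run it with the installation root as the argument on each host in the
cluster; without an argument it builds the constructed sample tree and
reports on that. The non-zero exit status makes it usable from a fleet-wide
job after the interim fix has been rolled out.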

Workarounds and Mitigations

None.

Change History

June 18, 2019: Original version.

                   Cross reference information
     Product            Component   Platform   Version                 Edition
     Platform Symphony              Linux      7.1 Fix Pack 1, 7.1.1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----