-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2583
        Mozilla Firefox vulnerability in IBM SONAS (CVE-2019-11707)
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Scale Out Network Attached Storage
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11708 CVE-2019-11707 

Reference:         ASB-2019.0166
                   ESB-2019.2487
                   ESB-2019.2388
                   ESB-2019.2215
                   ESB-2019.2195
                   ESB-2019.2158

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10958147
   http://www.ibm.com/support/docview.wss?uid=ibm10958151

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Firefox vulnerability in IBM SONAS (CVE-2019-11707)

Product:             Scale Out Network Attached Storage
Component:           1.5
Operating system(s): Linux
Reference #:         0958147

Security Bulletin

Summary

There is a security vulnerability in versions of Mozilla Firefox that are
shipped with versions 1.5.1.0 to 1.5.2.11 of IBM SONAS.

Vulnerability Details

IBM SONAS is shipped with Mozilla Firefox. There are vulnerabilities in certain
versions of Mozilla Firefox shipped in certain versions of IBM SONAS. These
vulnerabilities concern the potential ability of a remote attacker to execute
arbitrary code on a vulnerable system or cause a denial of service.

CVEID: CVE-2019-11707
DESCRIPTION: Mozilla Firefox and Firefox ESR are vulnerable to a denial of
service, caused by a type confusion when manipulating JavaScript objects in
Array.pop. By persuading a victim to open a specially-crafted web page, an
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162711 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM SONAS
The product is affected when running code releases 1.5.1.0 to 1.5.2.11

Remediation/Fixes

A fix for these issues is included in version 1.5.2.12 of IBM SONAS. Customers
running an affected version of IBM SONAS should upgrade to 1.5.2.12 so that the
fix is applied.

Workarounds and Mitigations

Workaround(s):
Normal operation of IBM SONAS does not require or call for customers to use
Firefox to access the Internet. Although IBM recommends that you install a
level of IBM SONAS code with a fix, you can avoid these vulnerabilities by not
using Mozilla Firefox within your IBM SONAS system to access the Internet.

Mitigation: None

- ---

Mozilla Firefox vulnerability in IBM SONAS (CVE-2019-11708)

Product:             Scale Out Network Attached Storage
Component:           1.5
Operating system(s): Linux
Reference #:         0958151

Security Bulletin

Summary

There is a security vulnerability in versions of Mozilla Firefox that are
shipped with versions 1.5.1.0 to 1.5.2.11 of IBM SONAS.

Vulnerability Details

IBM SONAS is shipped with Mozilla Firefox. There are vulnerabilities in certain
versions of Mozilla Firefox shipped in certain versions of IBM SONAS. These
vulnerabilities concern the potential ability of a remote attacker to execute
arbitrary code on a vulnerable system or cause a denial of service.

CVEID: CVE-2019-11708
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security
restrictions, caused by improper validation of user-supplied parameters. By
persuading a victim to visit a specially-crafted Web site, a remote attacker
could exploit this vulnerability using the Prompt:Open IPC message to open
arbitrary content from a sandboxed child process to the non-sandboxed parent.
CVSS Base Score: 3.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

Affected Products and Versions

IBM SONAS
The product is affected when running code releases 1.5.1.0 to 1.5.2.11

Remediation/Fixes

A fix for these issues is included in version 1.5.2.12 of IBM SONAS. Customers
running an affected version of IBM SONAS should upgrade to 1.5.2.12 so that the
fix is applied.
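One check serving the "Affected Products and Versions" and "Remediation/Fixes" sections of both advisories above: an added example, not IBM's or AusCERT's code, that tests an inventory of IBM SONAS code releases against the affected range the bulletin states (1.5.1.0 through 1.5.2.11) and reports the 1.5.2.12 upgrade where needed. The function and constant names are assumptions made for this example; only the release numbers come from the bulletin.

```python
# Added example (not IBM's or AusCERT's code): decide whether an IBM SONAS
# code release falls inside the affected range given in the bulletin.
# Helper names below are assumptions; the version numbers are the bulletin's.
from typing import Tuple

AFFECTED_MIN = "1.5.1.0"   # first affected release per the bulletin
AFFECTED_MAX = "1.5.2.11"  # last affected release per the bulletin
FIXED = "1.5.2.12"         # release carrying the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '1.5.2.11' into a tuple of ints.

    Comparing the raw strings would be wrong: '1.5.2.9' sorts after
    '1.5.2.11' as text, although 9 < 11 as a release number. A non-numeric
    component raises rather than silently reading as 'not affected'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric release string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the release is within the affected range (inclusive)."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def remediation(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version):
        return (f"{version}: affected by CVE-2019-11707 / CVE-2019-11708, "
                f"upgrade to {FIXED}")
    return f"{version}: not in the affected range"


if __name__ == "__main__":
    # Constructed sample inventory; these release numbers are illustrative.
    for release in ["1.5.0.9", "1.5.1.0", "1.5.2.9", "1.5.2.11", "1.5.2.12"]:
        print(remediation(release))
```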

Workarounds and Mitigations

Workaround(s):
Normal operation of IBM SONAS does not require or call for customers to use
Firefox to access the Internet. Although IBM recommends that you install a
level of IBM SONAS code with a fix, you can avoid these vulnerabilities by not
using Mozilla Firefox within your IBM SONAS system to access the Internet.

Mitigation: None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----