Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2923
IBM Intelligent Operations Center multiple vulnerabilities
5 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Intelligent Operations Center
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Denial of Service -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-4420 CVE-2019-4419
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10956429
http://www.ibm.com/support/docview.wss?uid=ibm10956433
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM(R) Intelligent Operations Center might disclose sensitive
information in error messages (CVE-2019-4420)
Document information
More support for: IBM Intelligent Operations Center
Component: Not Applicable
Software version: 5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6,
5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14,
5.2.0
Operating system(s): Linux, Windows
Reference #: 0956429
Modified date: 05 August 2019
Summary
IBM(R) Intelligent Operations Center might generate detailed error messages that
include sensitive information and so might aid attacks on the system.
Vulnerability Details
CVEID: CVE-2019-4420
DESCRIPTION: IBM Intelligent Operations Center (IOC) could disclose detailed
error messages, revealing sensitive information that could aid in further
attacks against the system.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
162738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
This vulnerability affects the following products and versions:
o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 -
V5.1.0.6
o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1
Remediation/Fixes
The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.
+-------------------------------+--------------+-------+-----------------------+
| Product | VRMF | APAR | Remediation/First Fix |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0 |PO08144|Interim fix PO08144, or|
|Center | | |later |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 - |PO08148|Interim fix PO08148, or|
|Center |V5.1.0.14 | |later |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for |V5.1.0 - |PO08144|Interim fix PO08144, or|
|Waternamics |V5.2.1.1 | |later |
+-------------------------------+--------------+-------+-----------------------+
For information about the latest available updates for IBM(R) Intelligent
Operations Center see IBM Intelligent Operations Center V5.2 installation
updates.
Workarounds and Mitigations
None.
Change History
05 August 2019: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Intelligent Linux, 5.1.0, 5.1.0.2, 5.1.0.3,
Operations Center for Windows 5.1.0.4, 5.1.0.5, 5.1.0.6
Emergency Management
5.1.0, 5.2.0, 5.2.0.1,
IBM Water Operations Linux, 5.2.0.2, 5.2.0.3, 5.2.0.4,
for Waternamics Windows 5.2.0.5, 5.2.0.6, 5.2.1,
5.2.1.1
==============================================================================
Security Bulletin: IBM(R) Intelligent Operations Center is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data
(CVE-2019-4419)
Document information
More support for: IBM Intelligent Operations Center
Component: Not Applicable
Software version: 5.1.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5, 5.1.0.6,
5.1.0.7, 5.1.0.8, 5.1.0.9, 5.1.0.10, 5.1.0.11, 5.1.0.12, 5.1.0.13, 5.1.0.14,
5.2.0
Operating system(s): Linux, Windows
Reference #: 0956433
Modified date: 05 August 2019
Summary
IBM(R) Intelligent Operations Center is vulnerable to an XML External Entity
Injection (XXE) attack when processing XML data. A remote attacker could
exploit this vulnerability to expose sensitive information or consume memory
resources.
Vulnerability Details
CVEID: CVE-2019-4419
DESCRIPTION: IBM Intelligent Operations Center (IOC) is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data. A remote
attacker could exploit this vulnerability to expose sensitive information or
consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
162737 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Affected Products and Versions
This vulnerability affects the following products and versions:
o IBM(R) Intelligent Operations Center V5.1.0 - V5.2.0
o IBM(R) Intelligent Operations Center for Emergency Management V5.1.0 -
V5.1.0.6
o IBM(R) Water Operations for Waternamics V5.1.0 - V5.2.1.1
Remediation/Fixes
The recommended solution is to apply an interim fix that contains the fix for
this issue as soon as practical.
+-------------------------------+--------------+-------+-----------------------+
| Product | VRMF | APAR | Remediation/First Fix |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.2.0 |PO08144|Interim fix PO08144, or|
|Center | | |later |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Intelligent Operations |V5.1.0 - |PO08148|Interim fix PO08148, or|
|Center |V5.1.0.14 | |later |
+-------------------------------+--------------+-------+-----------------------+
|IBM(R) Water Operations for |V5.1.0 - |PO08144|Interim fix PO08144, or|
|Waternamics |V5.2.1.1 | |later |
+-------------------------------+--------------+-------+-----------------------+
For information about the latest available updates for IBM(R) Intelligent
Operations Center see IBM Intelligent Operations Center V5.2 installation
updates.
Workarounds and Mitigations
None.
Change History
05 August 2019: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Intelligent Linux, 5.1.0, 5.1.0.2, 5.1.0.3,
Operations Center for Windows 5.1.0.4, 5.1.0.5, 5.1.0.6
Emergency Management
5.1.0, 5.2.0, 5.2.0.1,
IBM Water Operations Linux, 5.2.0.2, 5.2.0.3, 5.2.0.4,
for Waternamics Windows 5.2.0.5, 5.2.0.6, 5.2.1,
5.2.1.1
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXUe8D2aOgq3Tt24GAQhGeA//WPTkTDhRGdXlZD9KuHtMOHd7e1jqVcOI
oswEAAd6+MfvBJ0CFC+Cd7XhinjWQxnc4DIhb7O2tPELgQnMoR9pGCnwvDOcbwCC
ZHcjjy4Xv9bzTrTQx+wx7zPlwQtWdRTEFQbnVLReU6YRnXzLpRf1/FrmckZSTr4Q
j20Si9NbVhVOTr34ehXtYr1bdfxaKtKQ2/UYoPzRQpBo0KGS2p1FWV5FTia70b9s
KCQ7DZYdd7CIPsKahyF5H0friI0wQUUg1fqktQLaoFdQik29j0fAj75m/XVDfOjc
HTlCl1AZWhs4XQGsXXVPA89Wkh7fCEqTVTgiqoxBXoM40EvvPNyYYQNRLUkD5a6o
aVS2az5PydWAbFO7eqv4JZgLiqCZy6xKpEoQvtMHqoSK4J8Uu8y8T8Otp7nfb5xB
lls2ukvFlHiVAMFeNyMyE/oAR6Hij0qhzNGRgJAQQ1FAdRgPseAZZQIm5UfGtcqn
YOD+iWtbfzIM2YMO0mC4u7TPnK/M+AuE6AYkBZqxqniLm4ju3Il5Kevy5RIIn0oQ
5Vl29u/kS/RhuGa592XLTg0V8xzpP/fn9ZbI0D72AIiK7Dmv7rDHPSocWMe2k1PW
ddYWd/OomojLJLiLg9q7UaFbooAqucjvbNO1hEGuY9MUSGAM/CoIFKKd4RnQmb9u
Qlmo8IdZFSw=
=p6WO
-----END PGP SIGNATURE-----