===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3174
    API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS
                               (CVE-2019-4504)
                               20 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM API Connect
Publisher:         IBM
Operating System:  Linux variants
                   Virtualisation
Impact/Access:     Create Arbitrary Files   -- Remote with User Interaction
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11246 CVE-2019-4504 CVE-2019-4437
Reference:         ESB-2019.2781
                   ESB-2019.2707
                   ESB-2019.2328

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10961550
   http://www.ibm.com/support/docview.wss?uid=ibm10960606
   http://www.ibm.com/support/docview.wss?uid=ibm10960876
   http://www.ibm.com/support/docview.wss?uid=ibm10960880

Comment: This bulletin contains four (4) IBM security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

IBM API Connect's Developer Portal is impacted by a path traversal vulnerability.

Product:             IBM API Connect
Component:           Developer Portal
Software version:    5.0.0.0-5.0.8.6
Operating system(s): Platform Independent
Reference #:         0960880

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: Not Applicable
DESCRIPTION: Advanced Forum module for Drupal is vulnerable to cross-site
scripting, caused by improper validation of user-supplied input. A remote
attacker could exploit this vulnerability to inject malicious script into a
Web page which would be executed in a victim's Web browser within the
security context of the hosting Web site, once the page is viewed. An
attacker could use this vulnerability to steal the victim's cookie-based
authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/163056 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+---------------+----------------+
|IBM API Connect|v5.0.0.0-5.0.8.6|
+---------------+----------------+

Remediation/Fixes

+----------------+------------+-------+---------------------------------------+
|Affected Product|Addressed in|APAR   |Remediation/First Fix                  |
|                |VRMF        |       |                                       |
+----------------+------------+-------+---------------------------------------+
|IBM API Connect |5.0.8.7     |LI81013|Addressed in IBM API Connect 5.0.8.7   |
|V5.0.0.0-5.0.8.6|fixpack     |       |fixpack.                               |
|                |            |       |                                       |
|                |            |       |Developer Portal is impacted.          |
|                |            |       |                                       |
|                |            |       |Follow this link and find the "portal" |
|                |            |       |package suitable for the form factor of|
|                |            |       |your installation for 5.0.8.7 or a     |
|                |            |       |later fixpack.                         |
|                |            |       |                                       |
|                |            |       |http://www.ibm.com/support/fixcentral/ |
|                |            |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                |            |       |product=ibm/WebSphere/IBM+API+Connect& |
|                |            |       |release=5.0.8.6&platform=All&          |
|                |            |       |function=all&source=fc                 |
+----------------+------------+-------+---------------------------------------+

Workarounds and Mitigations

None

https://www.drupal.org/sa-contrib-2019-054

Acknowledgement

Drew Webber of the Drupal Security Team

Change History

August 13, 2019: Original bulletin published

Product Alias/Synonym

APIC
API Connect
Developer Portal

-------------------------------------------------------------------------------

API Connect V2018 is impacted by an information disclosure vulnerability
(CVE-2019-4437)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): Platform Independent
Reference #:         0960876

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4437
DESCRIPTION: IBM API Connect Developer Portal may inadvertently leak sensitive
details about internal servers and network via API swagger.
CVSS Base Score: 8.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162947 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  | Remediation / First Fix               |
|                  | VRMF     |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81014|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |                                       |
|                  |          |       |Management server is impacted.         |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the          |
|                  |          |       |"management" package appropriate for   |
|                  |          |       |the form factor of your installation   |
|                  |          |       |for 2018.4.1.7.                        |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
|                  |          |       |                                       |
|                  |          |       |Note: Even though the vulnerability is |
|                  |          |       |exposed via Developer Portal, the root |
|                  |          |       |cause is fixed in the management       |
|                  |          |       |server.                                |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 14, 2019: Original bulletin published

-------------------------------------------------------------------------------

API Connect V2018 is impacted by a Kubernetes vulnerability (CVE-2019-11246)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): Platform Independent
Reference #:         0960606

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-11246
DESCRIPTION: Kubernetes could allow a remote attacker to traverse directories
on the system. By persuading a victim to use the kubectl cp command with a
malicious container, an attacker could replace or create arbitrary files on a
user's workstation.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162892 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  | Remediation / First Fix               |
|                  | VRMF     |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81017|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |                                       |
|                  |          |       |All components are impacted.           |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the package  |
|                  |          |       |appropriate for the form factor of your|
|                  |          |       |installation for 2018.4.1.7.           |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 14, 2019: Original bulletin published

-------------------------------------------------------------------------------

API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS
(CVE-2019-4504)

Product:             IBM API Connect
Software version:    2018.1-2018.4.1.6
Operating system(s): VM
Reference #:         0961550

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4504
DESCRIPTION: A vulnerability in API Connect could inadvertently remove some
security patches which could open the machine up to additional attacks.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/164363 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+---------------------------+-----------------+
|Affected IBM API Management|Affected Versions|
+---------------------------+-----------------+
|IBM API Connect            |2018.1-2018.4.1.6|
+---------------------------+-----------------+

Remediation/Fixes

+------------------+----------+-------+---------------------------------------+
|Affected releases | Fixed in | APAR  | Remediation / First Fix               |
|                  | VRMF     |       |                                       |
+------------------+----------+-------+---------------------------------------+
|IBM API Connect   |2018.4.1.7|LI81011|Addressed in IBM API Connect           |
|V2018.1-2018.4.1.6|fixpack   |       |v2018.4.1.7 fixpack.                   |
|                  |          |       |                                       |
|                  |          |       |All components are impacted.           |
|                  |          |       |                                       |
|                  |          |       |Follow this link and find the .OVA     |
|                  |          |       |packages for your installation for     |
|                  |          |       |2018.4.1.7.                            |
|                  |          |       |                                       |
|                  |          |       |http://www.ibm.com/support/fixcentral/ |
|                  |          |       |swg/quickorder?parent=ibm%7EWebSphere& |
|                  |          |       |product=ibm/WebSphere/IBM+API+Connect& |
|                  |          |       |release=2018.4.1.6&platform=All&       |
|                  |          |       |function=all&source=fc                 |
+------------------+----------+-------+---------------------------------------+

Workarounds and Mitigations

None

IBM API Connect Support Lifecycle Policy

Change History

August 13, 2019: Original bulletin published

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
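A patch-triage helper, added here as an example and not part of the AusCERT or IBM bulletin: it encodes the affected ranges, fixed-in versions and APARs from the four Remediation/Fixes tables above and reports which fixes a given installed API Connect version still needs. The `ova` flag is this example's own assumption, used to express that CVE-2019-4504 concerns only the .OVA packages.

```python
# Triage helper for the four IBM API Connect advisories in this bulletin.
# Example code added alongside the bulletin; not IBM's or AusCERT's tooling.
from typing import List, Optional, Tuple

# (IBM reference, CVE, affected component, first affected, last affected,
#  fixed in, APAR), copied from the Remediation/Fixes tables above.
ADVISORIES = [
    ("0960880", None,             "Developer Portal",  "5.0.0.0", "5.0.8.6",    "5.0.8.7",    "LI81013"),
    ("0960876", "CVE-2019-4437",  "Management server", "2018.1",  "2018.4.1.6", "2018.4.1.7", "LI81014"),
    ("0960606", "CVE-2019-11246", "All components",    "2018.1",  "2018.4.1.6", "2018.4.1.7", "LI81017"),
    ("0961550", "CVE-2019-4504",  "OVA",               "2018.1",  "2018.4.1.6", "2018.4.1.7", "LI81011"),
]


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '2018.1', 'v5.0.0.0' or '2018.4.1.6' into a zero-padded integer
    tuple, so '2018.1' sorts below '2018.1.0.1' and '2018.4.1.6' below
    '2018.4.1.7' (plain string comparison would get '2018.4.1.10' wrong)."""
    parts = tuple(int(p) for p in v.strip().lstrip("vV").split("."))
    if len(parts) > width:
        raise ValueError(f"too many version components: {v!r}")
    return parts + (0,) * (width - len(parts))


def in_affected_range(version: str, low: str, high: str) -> bool:
    """True when `version` lies inside the inclusive affected range."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def outstanding_fixes(version: str, ova: bool) -> List[Tuple[str, Optional[str], str]]:
    """Return (APAR, CVE, fixed-in) triples still outstanding for an installed
    version. `ova` is an assumption of this example: it marks a deployment
    installed from the .OVA packages, the only form factor CVE-2019-4504 names;
    the other three advisories apply to every form factor."""
    hits = []
    for _ref, cve, component, low, high, fixed, apar in ADVISORIES:
        if component == "OVA" and not ova:
            continue
        if in_affected_range(version, low, high):
            hits.append((apar, cve, fixed))
    return hits


if __name__ == "__main__":
    for ver, is_ova in (("2018.4.1.6", True), ("2018.4.1.6", False),
                        ("5.0.8.6", False), ("2018.4.1.7", True)):
        print(ver, "ova" if is_ova else "other", outstanding_fixes(ver, is_ova))
```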