-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3236
             IBM Db2 Mirror for i is affected by CVE-2019-4536
                               26 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Db2 Mirror for i
Publisher:         IBM
Operating System:  IBM i
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4536

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm11071586

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Db2 Mirror for i is affected by CVE-2019-4536

Product:             IBM i
Software version:    7.4
Operating system(s): IBM i
Reference #:         1071586

Summary

IBM Db2 Mirror for i configurations may be subject to this security
vulnerability. A PTF for IBM i 7.4 and remediation steps are available.

Vulnerability Details

CVEID: CVE-2019-4536
DESCRIPTION: IBM i 7.4 users who have done a Restore User Profile
(RSTUSRPRF) on a system which has been configured with Db2 Mirror for i
might have user profiles with elevated privileges caused by incorrect
processing during a restore of multiple user profiles. A user with restore
privileges could exploit this vulnerability to obtain elevated privileges
on the restored system.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/165592 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM i 7.4 with Db2 Mirror for i might be affected.

Remediation/Fixes

Take the following steps:

1. apply the PTF to IBM i 7.4, and
2. on systems with Db2 Mirror configured, review the scenarios below and
   take the steps if needed.
The IBM i PTF number is:

Release 7.4 - SI70767

https://www-945.ibm.com/support/fixcentral/

If a Restore User Profile (RSTUSRPRF) has been done on an IBM i 7.4 system
with Db2 Mirror configured prior to applying the PTF, remediation is
required after applying the PTF for the following issues.

Issue #1: After the re-sync, there may be error entries on the Object
Tracking List (OTL) for some system user profiles.

Issue #2: User profiles that were restored may have been given elevated
privileges on both the source and target systems during the re-sync
processing.

Remediation steps for both issues:

1. Delete any user profile error entries on the OTL that contain
   'RSTUSRPRF user_name' in the Description field. Use the GUI to delete
   the entries.
2. Resume Db2 Mirror using the GUI.
3. Redo the RSTUSRPRF. You MUST use the same Save Security Data (SAVSECDTA)
   media as the original RSTUSRPRF. Do not use SAVSECDTA media that was
   created after doing a RSTUSRPRF with Db2 Mirror configured and without
   the PTF applied.

There is no issue with RSTUSRPRF on a system that does not have Db2 Mirror
configured.

Important note: IBM recommends that all users running unsupported versions
of affected products upgrade to supported and fixed versions of affected
products.

Workarounds and Mitigations

None

Change History

23 August 2019: Original Version Published

Cross reference information

Product   Component   Platform   Version   Edition
IBM i     7.4         IBM i      7.4

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
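Issue #2 above leaves the restored profiles holding more special authority than the SAVSECDTA media carried. The following added example (not IBM's or AusCERT's code) shows one way a defender can verify the restored system: compare a baseline of each profile's special authorities against a post-restore export and flag every profile that gained authority. The QSYS2.USER_INFO column names used as CSV headers are an assumption, and both data sets are constructed.

```python
"""Flag user profiles whose special authorities grew after a RSTUSRPRF.
Added example, not IBM's or AusCERT's code; the QSYS2.USER_INFO column
names are an assumption and both data sets below are constructed."""
import csv
import io

# Special authorities that effectively grant full control of an IBM i system.
HIGH_RISK = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"}

# Constructed sample: the authorities the SAVSECDTA media should have restored ...
BASELINE_CSV = """AUTHORIZATION_NAME,SPECIAL_AUTHORITIES
APPUSER1,*NONE
OPERATOR,*JOBCTL *SAVSYS
SECOFF2,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG *SPLCTL
"""

# ... and what the restored system reports (APPUSER1 is the anomaly).
RESTORED_CSV = """AUTHORIZATION_NAME,SPECIAL_AUTHORITIES
APPUSER1,*ALLOBJ *SECADM
OPERATOR,*JOBCTL *SAVSYS
SECOFF2,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG *SPLCTL
"""

def parse_profiles(text):
    """Map profile name -> set of special authorities (*NONE -> empty set)."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        auths = set(row["SPECIAL_AUTHORITIES"].split())
        auths.discard("*NONE")
        result[row["AUTHORIZATION_NAME"].strip().upper()] = auths
    return result

def elevated_profiles(baseline, restored):
    """Return {name: authorities gained} for profiles that exceed the baseline;
    a profile absent from the baseline counts everything it holds as gained."""
    findings = {}
    for name, now in restored.items():
        gained = now - baseline.get(name, set())
        if gained:
            findings[name] = gained
    return findings

def high_risk_findings(findings):
    """Narrow the findings to profiles whose gain includes a high-risk authority."""
    return {n: a & HIGH_RISK for n, a in findings.items() if a & HIGH_RISK}

if __name__ == "__main__":
    found = elevated_profiles(parse_profiles(BASELINE_CSV), parse_profiles(RESTORED_CSV))
    for name, gained in sorted(found.items()):
        print(f"{name}: gained {' '.join(sorted(gained))}")
```

Any profile reported by this check is a candidate for the remediation steps above (delete the OTL entries, resume Db2 Mirror, redo the RSTUSRPRF from the original SAVSECDTA media) rather than for manual authority edits, since the re-sync would otherwise repeat the problem.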
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are
GMT+10:00 (AEST). On call after hours for member emergencies only.