-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3976
        Multiple vulnerabilities have been identified in IBM Security
                 Guardium Big Data Intelligence (SonarG)
                              28 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Guardium Big Data Intelligence
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data  -- Remote/Unauthenticated
                   Modify Arbitrary Files  -- Remote/Unauthenticated
                   Unauthorised Access     -- Existing Account
                   Reduced Security        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4339 CVE-2019-4330 CVE-2019-4329 CVE-2019-4314
                   CVE-2019-4313 CVE-2019-4311 CVE-2019-4309 CVE-2019-4306

Original Bulletin:
   https://www.ibm.com/support/pages/node/1096912
   https://www.ibm.com/support/pages/node/1096906
   https://www.ibm.com/support/pages/node/1096396
   https://www.ibm.com/support/pages/node/1096384
   https://www.ibm.com/support/pages/node/1096348
   https://www.ibm.com/support/pages/node/1096924
   https://www.ibm.com/support/pages/node/1096918
   https://www.ibm.com/support/pages/node/1098069

Comment: This bulletin contains eight (8) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Cleartext Transmission of Sensitive Information vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096912
Modified date:       23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4314
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) stores
             sensitive information in cleartext within a resource that
             might be accessible to another control sphere.
CVSS Base Score: 5.9
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161041
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Hazardous Input Validation vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096906
Modified date:       23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4329
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses
             incomplete blacklisting for input validation which allows
             attackers to bypass application controls resulting in direct
             impact to the system and data integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161209
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Missing Authentication for Critical Function vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096396
Modified date:       22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4306
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG)
             specifies permissions for a security-critical resource which
             could lead to the exposure of sensitive information or the
             modification of that resource by unintended parties.
CVSS Base Score: 6.5
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/160986
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Missing Cookie Secure Attribute vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096384
Modified date:       22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4330
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) does not
             set the secure attribute for cookies in HTTPS sessions, which
             could cause the user agent to send those cookies in plaintext
             over an HTTP session.
CVSS Base Score: 3.1
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161210
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Use of Hard-coded Credentials vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096348
Modified date:       22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4309
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses
             hard coded credentials which could allow a local user to
             obtain highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161035
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Use of a Broken or Risky Cryptographic Algorithm vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096924
Modified date:       23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4339
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses
             weaker than expected cryptographic algorithms that could
             allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161418
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a
Use of a One-Way Hash without a Salt vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1096918
Modified date:       23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4313
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses a
             one-way cryptographic hash against an input that should not
             be reversible, such as a password, but the software does not
             also use a salt as part of the input.
CVSS Base Score: 5.1
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161040
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by an
Information Exposure vulnerability

Document Information

More support for:    IBM Security Guardium Big Data Intelligence
Component:           --
Software version:    4.0
Operating system(s): Platform Independent
Reference #:         1098069
Modified date:       24 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID:       CVE-2019-4311
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG)
             discloses sensitive information to unauthorized users. The
             information can be used to mount further attacks on the
             system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/161037
    for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----