-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3976
           Multiple vulnerabilities have been identified in IBM
             Security Guardium Big Data Intelligence (SonarG)
                              28 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Guardium Big Data Intelligence
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated      
                   Modify Arbitrary Files -- Remote/Unauthenticated      
                   Unauthorised Access    -- Existing Account            
                   Reduced Security       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4339 CVE-2019-4330 CVE-2019-4329
                   CVE-2019-4314 CVE-2019-4313 CVE-2019-4311
                   CVE-2019-4309 CVE-2019-4306 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1096912
   https://www.ibm.com/support/pages/node/1096906
   https://www.ibm.com/support/pages/node/1096396
   https://www.ibm.com/support/pages/node/1096384
   https://www.ibm.com/support/pages/node/1096348
   https://www.ibm.com/support/pages/node/1096924
   https://www.ibm.com/support/pages/node/1096918
   https://www.ibm.com/support/pages/node/1098069

Comment: This bulletin contains eight (8) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cleartext
Transmission of Sensitive Information vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096912

Modified date:
23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4314
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) stores
sensitive information in cleartext within a resource that might be accessible
to another control sphere.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161041 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Hazardous
Input Validation vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096906

Modified date:
23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4329
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses
incomplete blacklisting for input validation which allows attackers to bypass
application controls resulting in direct impact to the system and data
integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161209 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
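
The description above names the weakness class (a denylist that does not cover every dangerous input) without saying which input or control was involved. The following is an added example, not SonarG code, that shows the general failure on a constructed case: a hypothetical "report" parameter is checked against a denylist, then URL-decoded and joined to a base directory. Each probe gets past the denylist and still escapes the directory; the allowlist alternative rejects all of them because it only admits the shape the application needs. The parameter name, base path and probes are all constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed scenario, not SonarG code: a "report" request parameter that the
# application decodes and joins to a base directory after validating it.
BASE_DIR = "/srv/reports"
DENYLIST = ("../", "..\\")


def denylist_sanitize(value):
    """The incomplete-blacklist pattern: delete the known-bad tokens and let
    whatever is left through."""
    for token in DENYLIST:
        value = value.replace(token, "")
    return value


# Allowlist: the only shape a report name legitimately has.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def allowlist_accepts(value):
    """Positive validation: accept exactly the expected shape, reject the rest.
    A slash, backslash or percent sign never gets through."""
    return ALLOWED.fullmatch(value) is not None


def resolve(value):
    """What the application does after validation: URL-decode the value and
    build the path it will open."""
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(value)))


def escapes_base(path):
    return not path.startswith(BASE_DIR + "/")


def traversal_via_denylist(value):
    """True when the input survives the denylist and still resolves outside
    BASE_DIR, i.e. the control was bypassed."""
    return escapes_base(resolve(denylist_sanitize(value)))


# Constructed probes, each with the reason the denylist misses it.
PROBES = {
    "....//....//etc/passwd": "deleting '../' from '....//' leaves a new '../'",
    "..%2F..%2Fetc%2Fpasswd": "the token is URL-encoded until after the check",
    "/etc/passwd": "an absolute path needs no '..' at all",
}


def compare(inputs):
    """Per input: (bypasses the denylist?, accepted by the allowlist?)."""
    return {v: (traversal_via_denylist(v), allowlist_accepts(v)) for v in inputs}


if __name__ == "__main__":
    for value, (bypass, ok) in compare(list(PROBES) + ["daily-2019-10-23.csv"]).items():
        print("%-28s denylist bypassed=%-5s allowlist accepts=%s" % (value, bypass, ok))
```

The ordering matters as much as the list: a check that runs before decoding or normalisation is judging a different string from the one the application eventually uses, so even a complete denylist would be checking the wrong thing.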

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing
Authentication for Critical Function vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096396

Modified date:
22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4306
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) specifies
permissions for a security-critical resource which could lead to the exposure
of sensitive information or the modification of that resource by unintended
parties.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
160986 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing
Cookie Secure Attribute vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096384

Modified date:
22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4330
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) does not set
the secure attribute for cookies in HTTPS sessions, which could cause the user
agent to send those cookies in plaintext over an HTTP session.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161210 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
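
The vector's UI:R reflects how this is exploited: the victim has to be induced to make a plain http:// request to the host (a link, an image tag, a redirect), at which point the browser attaches the cookie in cleartext because nothing told it not to. The check below is an added example, not IBM's code, for verifying a fix after upgrading: it parses Set-Cookie headers, reports a cookie with no Secure attribute (the CVE) and, as companion checks, HttpOnly and SameSite, and shows the header a TLS-only application should emit. The response text and the cookie name "sessionid" are constructed placeholders.

```python
# Constructed headers, not captured from a SonarG server; "sessionid" is a
# placeholder cookie name.
VULNERABLE = "sessionid=8f3a9c2e; Path=/; HttpOnly"
FIXED = "sessionid=8f3a9c2e; Path=/; Secure; HttpOnly; SameSite=Strict"

RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=8f3a9c2e; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure; SameSite=Lax
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and an attribute dict keyed by
    lower-case attribute name (RFC 6265 attribute names are case-insensitive);
    bare flags such as Secure map to True."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for attr in rest:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header):
    """Findings for one Set-Cookie header; an empty list means it passes.
    The Secure check is the one this CVE is about; HttpOnly and SameSite are
    the companions a session cookie should also carry."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send this cookie over http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script in the page")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        findings.append("SameSite missing or not Strict/Lax")
    return findings


def audit_response(raw):
    """Audit every Set-Cookie line of a raw HTTP response (for instance the
    output of curl -sSI); returns {cookie name: findings}."""
    results = {}
    for line in raw.splitlines():
        if line.lower().startswith("set-cookie:"):
            header = line.split(":", 1)[1]
            results[parse_set_cookie(header)["name"]] = audit_set_cookie(header)
    return results


def build_set_cookie(name, value, path="/", same_site="Strict"):
    """The header a TLS-only application should emit for its session cookie."""
    return "%s=%s; Path=%s; Secure; HttpOnly; SameSite=%s" % (name, value, path, same_site)


if __name__ == "__main__":
    for name, findings in audit_response(RAW_RESPONSE).items():
        print(name, "->", findings or "OK")
    print(build_set_cookie("sessionid", "8f3a9c2e"))
```

To run it against a live host, capture the headers with `curl -sSI https://<host>/` and pass the text to audit_response; check the login response as well as the landing page, since the session cookie is usually set there.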

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of
Hard-coded Credentials vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096348

Modified date:
22 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4309
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses hard
coded credentials which could allow a local user to obtain highly sensitive
information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a
Broken or Risky Cryptographic Algorithm vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096924

Modified date:
23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4339
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses weaker
than expected cryptographic algorithms that could allow an attacker to decrypt
highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161418 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a
One-Way Hash without a Salt vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1096918

Modified date:
23 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4313
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) uses a
one-way cryptographic hash against an input that should not be reversible, such
as a password, but the software does not also use a salt as part of the input.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161040 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
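
The practical consequence of an unsalted password hash is that the work of guessing is done once for every account at the same time: identical passwords produce identical digests, and a table precomputed from a wordlist cracks every matching account with a lookup. The following added example, not IBM's code, contrasts that with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) where the table is useless and each account costs the attacker a separate run. The account table and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed account table, not SonarG data: two users share a password.
USERS = {
    "alice": "Winter2019!",
    "bob": "Winter2019!",
    "carol": "correct horse battery staple",
}
# A small constructed wordlist an attacker might try.
WORDLIST = ["password", "Winter2019!", "letmein"]


def unsalted_hash(password):
    """The pattern the bulletin describes: a bare one-way hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    """Salted and iterated (PBKDF2-HMAC-SHA256); stored as iterations$salt$hash
    so each record carries what is needed to verify it."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_unsalted_store(users=USERS):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_store(users=USERS, iterations=200_000):
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


def precompute_table(wordlist=WORDLIST):
    """Built once, reused against every unsalted store: a rainbow table in
    miniature."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_with_table(store, table):
    """One dictionary lookup per account; no hashing at attack time."""
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store, wordlist=WORDLIST):
    """With salts the table is useless: every (account, candidate) pair costs a
    fresh PBKDF2 run. Returns (cracked accounts, number of PBKDF2 runs)."""
    cracked, work = {}, 0
    for user, stored in store.items():
        for candidate in wordlist:
            work += 1
            if verify_password(candidate, stored):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_store()
    print("alice == bob unsalted:", unsalted["alice"] == unsalted["bob"])
    print("table hits:", crack_with_table(unsalted, precompute_table()))
    salted = build_salted_store()
    print("alice == bob salted:", salted["alice"] == salted["bob"])
    print("table hits against salted store:", crack_with_table(salted, precompute_table()))
    print("salted guessing:", crack_salted(salted))
```

The salt removes the shared work across accounts; the iteration count (or a memory-hard function such as scrypt, also in hashlib) is what makes each remaining guess expensive. Both are needed, and a weak password is still crackable with either.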

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- ---

IBM Security Guardium Big Data Intelligence (SonarG) is affected by an
Information Exposure vulnerability

Document Information
More support for:
IBM Security Guardium Big Data Intelligence

Component:
- --

Software version:
4.0

Operating system(s):
Platform Independent

Reference #:
1098069

Modified date:
24 October 2019

Security Bulletin

Summary

IBM Security Guardium Big Data Intelligence (SonarG) has addressed the
following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4311
DESCRIPTION: IBM Security Guardium Big Data Intelligence (SonarG) discloses
sensitive information to unauthorized users. The information can be used to
mount further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
161037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------------+-----------------+
|Affected IBM Security Guardium Big Data Intelligence (SonarG) |Affected Versions|
+--------------------------------------------------------------+-----------------+
|IBM Security Guardium Big Data Intelligence (SonarG)          |4.0              |
+--------------------------------------------------------------+-----------------+

Remediation/Fixes

+-----------------------------------+-------------+-------------------------------------------------------------+
|              Product              |    VRMF     |                   Remediation / First Fix                   |
+-----------------------------------+-------------+-------------------------------------------------------------+
|IBM Security Guardium Big Data     |4.0          |rhel7.x_IBM_Guardium_big_data_security_installer_4.1.0.tar.gz|
|Intelligence (SonarG)              |             |                                                             |
+-----------------------------------+-------------+-------------------------------------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=2ZCs
-----END PGP SIGNATURE-----