-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4585
   Security Bulletin: Multiple vulnerabilities in IBM Cloud Pak for Data
                              9 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Watson Discovery for IBM Cloud Pak for Data
                   IBM Watson Assistant for IBM Cloud Pak for Data
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17531 CVE-2019-17267 CVE-2019-16943 CVE-2019-16942
                   CVE-2019-16335 CVE-2019-4428

Reference:         ESB-2019.4324
                   ESB-2019.4323
                   ESB-2019.3949
                   ESB-2019.3734
                   ESB-2019.3722

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1126401
   https://www.ibm.com/support/pages/node/1126347
   https://www.ibm.com/support/pages/node/1126395
   https://www.ibm.com/support/pages/node/1126365
   https://www.ibm.com/support/pages/node/1125585

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Cloud Pak for Data

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of
FasterXML jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID: CVE-2019-17267
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind before 2.9.10. It is related to
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/168514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data is shipped with versions of
FasterXML jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID: CVE-2019-16335
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind before 2.9.10. It is related to
com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than
CVE-2019-14540.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |1.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of
FasterXML jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID: CVE-2019-17531
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the apache-log4j-extra (version 1.2.x) jar in the
classpath, and an attacker can provide a JNDI service to access, it is possible
to make the service execute a malicious payload.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/169073 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

https://www.ibm.com/support/knowledgecenter/SSQNUZ_2.5.0/cpd/svc/watson/discovery-install.html

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of
FasterXML jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID: CVE-2019-16943
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can
find an RMI service endpoint to access, it is possible to make the service
execute a malicious payload. This issue exists because of
com.p6spy.engine.spy.P6DataSource mishandling.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/168255 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-16942
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the commons-dbcp (1.4) jar in the classpath, and an
attacker can find an RMI service endpoint to access, it is possible to make the
service execute a malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/168254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

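The four jackson-databind advisories above all describe one mechanism: when
Default Typing is enabled, the JSON document itself names the Java class to
instantiate, so any class on the classpath whose constructor or setters have
side effects (a JNDI or RMI lookup inside a DataSource, for example) becomes a
gadget. The program below is added here for illustration; it is not code from
IBM or from Watson Discovery. It assumes jackson-databind 2.10 or later (the
release that introduced PolymorphicTypeValidator) and a made-up package
com.example.model with invented Pet, Dog and Envelope types. It checks the
loaded library version against the bulletins' "2.0.0 through 2.9.10" range,
reports which of the gadget classes named above resolve on the classpath, and
contrasts the deprecated enableDefaultTyping() configuration with an
allow-list validator. Run on the product's own classpath it is a quick way to
confirm exposure before and after the upgrade to 2.1; it is not a substitute
for that upgrade.

```java
// Added example, not from the IBM bulletins or the Watson Discovery code base.
// Assumes jackson-databind 2.10 or later (PolymorphicTypeValidator). The package
// com.example.model and the Pet/Dog/Envelope types are invented for this demo.
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class JacksonDefaultTypingCheck {

    // Gadget classes named in the bulletins above. Each is only reachable when
    // its jar is on the classpath AND the application enables default typing.
    static final List<String> GADGET_CLASSES = Arrays.asList(
        "net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup", // CVE-2019-17267
        "com.zaxxer.hikari.HikariDataSource",                            // CVE-2019-16335
        "com.p6spy.engine.spy.P6DataSource",                             // CVE-2019-16943
        "org.apache.commons.dbcp.datasources.SharedPoolDataSource",      // CVE-2019-16942
        "org.apache.commons.dbcp.datasources.PerUserPoolDataSource");    // CVE-2019-16942

    public static class Pet { public String name; }
    public static class Dog extends Pet { public boolean goodBoy = true; }
    /** An Object-typed field: exactly the shape default typing applies to. */
    public static class Envelope { public Object payload; }

    /** True if a version string falls in the bulletins' "2.0.0 through 2.9.10" range.
     *  Splits on '.' and '-' so the 2.9.10.1 micro release, which the library reports
     *  as "2.9.10-1", compares as newer than 2.9.10. */
    static boolean inAdvisoryRange(String version) {
        int[] v = parse(version);
        return compare(v, new int[]{2, 0, 0}) >= 0 && compare(v, new int[]{2, 9, 10}) <= 0;
    }

    private static int[] parse(String version) {
        String[] parts = version.split("[.\\-]");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            try { out[i] = Integer.parseInt(parts[i]); } catch (NumberFormatException e) { out[i] = 0; }
        }
        return out;
    }

    private static int compare(int[] a, int[] b) {
        for (int i = 0; i < Math.max(a.length, b.length); i++) {
            int x = i < a.length ? a[i] : 0, y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** Gadget classes resolvable on this classpath; initialize=false so no static init runs. */
    static List<String> gadgetsOnClasspath() {
        List<String> found = new ArrayList<>();
        ClassLoader cl = JacksonDefaultTypingCheck.class.getClassLoader();
        for (String name : GADGET_CLASSES) {
            try { Class.forName(name, false, cl); found.add(name); }
            catch (ClassNotFoundException | LinkageError e) { /* not present */ }
        }
        return found;
    }

    /** The configuration the bulletins warn about: the JSON chooses the class. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();   // deprecated since 2.10 for exactly this reason
        return m;
    }

    /** Hardened: a type id is honoured only for subtypes under our own package. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        return new ObjectMapper()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    public static void main(String[] args) throws Exception {
        String ver = PackageVersion.VERSION.toString();
        System.out.println("jackson-databind " + ver + " in advisory range: " + inAdvisoryRange(ver));
        System.out.println("gadget classes on classpath: " + gadgetsOnClasspath());

        // 1. Vulnerable mapper: the application expected a Pet, the JSON names java.net.URL.
        Envelope e1 = vulnerableMapper().readValue(
            "{\"payload\":[\"java.net.URL\",\"https://example.com/\"]}", Envelope.class);
        System.out.println("vulnerable mapper built: " + e1.payload.getClass().getName());

        // 2. Hardened mapper: our own subtype round-trips ...
        Envelope env = new Envelope();
        Dog rex = new Dog(); rex.name = "Rex"; env.payload = rex;
        String json = hardenedMapper().writeValueAsString(env);
        Envelope e2 = hardenedMapper().readValue(json, Envelope.class);
        System.out.println("hardened mapper accepted: " + e2.payload.getClass().getName());

        // ... but a type id outside the allow-list is refused, whether or not the class exists.
        try {
            hardenedMapper().readValue("{\"payload\":[\"com.zaxxer.hikari.HikariDataSource\",{}]}", Envelope.class);
            System.out.println("UNEXPECTED: hostile type id accepted");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened mapper refused type id: " + ex.getTypeId());
        }
    }
}
```

Compile and run with jackson-databind (plus jackson-core and jackson-annotations)
on the classpath, e.g. java -cp 'lib/*:.' com.example.model.JacksonDefaultTypingCheck.
On 2.10 the enableDefaultTyping() mapper still consults jackson's built-in
deny-list of known gadget classes, which is why every newly found gadget jar has
received its own CVE; the allow-list mapper instead refuses every type id that
does not start with com.example.model., so new gadget jars on the classpath do
not change its behaviour.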
- --------------------------------------------------------------------------------

Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data

Security Bulletin

Summary

A DOM-based cross-site scripting vulnerability affects IBM Watson (TM) Assistant
for IBM Cloud Pak for Data. It was found in the admin console, where user input
was not validated correctly. An authenticated user could exploit the flaw by
injecting JavaScript code into the application in a request; the payload would
be stored, and subsequent navigation to the affected pages would result in the
code being executed in the browser.

Vulnerability Details

CVEID: CVE-2019-4428
DESCRIPTION: IBM WDC - Watson Assistant is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+-------------------------------------------+-------------+
|Affected Product(s)                        |Version(s)   |
+-------------------------------------------+-------------+
|Watson Assistant for IBM Cloud Pak for Data|1.0.0 - 1.3.0|
+-------------------------------------------+-------------+

Remediation/Fixes

Upgrade to IBM Watson Assistant for IBM Cloud Pak for Data 1.4.0. To download
the software, go to Passport Advantage, then search for "watson assistant cloud
pak data". Select either IBM Watson Assistant for IBM Cloud Pak for Data
Installation Packages Linux English eAssembly, part number CC4F1EN, or IBM
Watson Assistant for IBM Cloud Pak for Data Add-on V1.4.0, part number CJ6I6EN.
Installation instructions for IBM Watson Assistant for IBM Cloud Pak for Data
1.4.0 can be found at https://cloud.ibm.com/docs/services/assistant-data?topic=assistant-data-install-140

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----