===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4585
     Security Bulletin: Multiple vulnerabilities in IBM Cloud Pak for Data
                               9 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Watson Discovery
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16335 CVE-2019-14540
Reference:         ESB-2019.4324
                   ESB-2019.4323
                   ESB-2019.3949
                   ESB-2019.3734
                   ESB-2019.3722

Original Bulletin:
   https://www.ibm.com/support/pages/node/1126401
   https://www.ibm.com/support/pages/node/1126347
   https://www.ibm.com/support/pages/node/1126395
   https://www.ibm.com/support/pages/node/1126365
   https://www.ibm.com/support/pages/node/1125585

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Cloud Pak for Data

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML
jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID:   CVE-2019-17267
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind before 2.9.10. It is related to
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSS Base score: 7.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168514 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data is shipped with versions of
FasterXML jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID:   CVE-2019-16335
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind before 2.9.10. It is related to
com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than
CVE-2019-14540.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/167205 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |1.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML
jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID:   CVE-2019-17531
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the apache-log4j-extra (version 1.2.x) jar in the
classpath, and an attacker can provide a JNDI service to access, it is
possible to make the service execute a malicious payload.
CVSS Base score: 9.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/169073 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1
https://www.ibm.com/support/knowledgecenter/SSQNUZ_2.5.0/cpd/svc/watson/discovery-install.html

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in
FasterXML jackson-databind

Security Bulletin

Summary

IBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML
jackson-databind vulnerable to serialization gadgets.

Vulnerability Details

CVEID:   CVE-2019-16943
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the p6spy (3.8.6) jar in the classpath, and an attacker
can find an RMI service endpoint to access, it is possible to make the service
execute a malicious payload. This issue exists because of
com.p6spy.engine.spy.P6DataSource mishandling.
CVSS Base score: 9.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168255 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-16942
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the commons-dbcp (1.4) jar in the classpath, and an
attacker can find an RMI service endpoint to access, it is possible to make
the service execute a malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSS Base score: 9.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168254 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------+-----------+
|Affected Product(s)|Version(s) |
+-------------------+-----------+
|ICP - Discovery    |2.0.0-2.0.1|
+-------------------+-----------+

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.1

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data

Security Bulletin

Summary

DOM-based vulnerability affects IBM Watson (TM) Assistant for IBM Cloud Pak for
Data. A DOM-based, cross-site scripting vulnerability was found in the admin
console where user input was not validated correctly. An authenticated user
could exploit the flaw by injecting JavaScript code into the application in a
request, and the payload would be stored. Subsequent navigation to the affected
pages would result in the code being executed in the browser.
Vulnerability Details

CVEID:   CVE-2019-4428
DESCRIPTION: IBM WDC - Watson Assistant is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/162807 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+-------------------------------------------+-------------+
|Affected Product(s)                        |Version(s)   |
+-------------------------------------------+-------------+
|Watson Assistant for IBM Cloud Pak for Data|1.0.0 - 1.3.0|
+-------------------------------------------+-------------+

Remediation/Fixes

Upgrade to IBM Watson Assistant for IBM Cloud Pak for Data 1.4.0.

To download the software, go to Passport Advantage, then search for "watson
assistant cloud pak data". Select either IBM Watson Assistant for IBM Cloud Pak
for Data Installation Packages Linux English eAssembly, part number CC4F1EN, or
IBM Watson Assistant for IBM Cloud Pak for Data Add-on V1.4.0, part number
CJ6I6EN.

Installation instructions for IBM Watson Assistant for IBM Cloud Pak for Data
1.4.0 can be found at
https://cloud.ibm.com/docs/services/assistant-data?topic=assistant-data-install-140

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
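Every jackson-databind advisory in this bulletin shares one precondition: Default Typing enabled for an externally exposed JSON endpoint, so that a class name carried in the input selects the class that gets instantiated. The following is an added example written for this redistribution, not code from IBM or from the bulletin; it assumes jackson-databind 2.10 or later (which introduced the allowlist validator) and a hypothetical `example` package with a `Shape` class, and it contrasts the weak configuration with the hardened one.

```java
// Added example (not from IBM or the bulletin). Assumes jackson-databind >= 2.10
// on the classpath; package and class names are constructed for illustration.
package example;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // A harmless application type; with default typing on, JSON carries its class name.
    public static class Shape { public String name; }

    // Before: the configuration the advisories describe. Any class name present in the
    // JSON is resolved and instantiated, so a gadget class that happens to be on the
    // classpath (the log4j-extra, p6spy, commons-dbcp or HikariCP jars named above)
    // becomes reachable from untrusted input.
    public static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in 2.10 for exactly this reason
        return mapper;
    }

    // After (jackson-databind >= 2.10): type ids are honoured only for subtypes under
    // the application's own package; anything else fails with InvalidTypeIdException
    // before any constructor runs.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("example.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the application's own type, which stays deserializable.
        String own = "[\"example.DefaultTypingHardening$Shape\", {\"name\":\"circle\"}]";
        // Constructed input: a type id outside the allowlist (a benign class standing
        // in for whatever a gadget chain would name).
        String foreign = "[\"java.util.ArrayList\", []]";

        Object ok = hardenedMapper().readValue(own, Object.class);
        System.out.println("accepted: " + ok.getClass().getName());
        try {
            hardenedMapper().readValue(foreign, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by validator: " + e.getTypeId());
        }
    }
}
```

The upgrade the advisories prescribe removes the known gadget classes from the mapping, but the allowlist is what removes the class of bug: a type id the validator does not recognise is refused regardless of what the classpath contains.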
===========================================================================