-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4664
          Security Bulletin: Multiple vulnerabilities in IBM Cloud
                              13 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Denial of Service     -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9518 CVE-2019-9517 CVE-2019-9515 CVE-2019-9514
                   CVE-2019-9513 CVE-2019-9512 CVE-2014-3603
Reference:         ESB-2018.1786.2 ESB-2016.0913 ESB-2016.0704 ESB-2016.0265

Original Bulletin:
   https://www.ibm.com/support/pages/node/1128399
   https://www.ibm.com/support/pages/node/1128387

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Man in the middle vulnerability in Liberty for Java for IBM Cloud (CVE-2014-3603)

Security Bulletin

Summary

There is a man in the middle vulnerability in WebSphere Application Server
Liberty. This vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2014-3603
DESCRIPTION: The (1) HttpResource and (2) FileBackedHttpResource
implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML
Java 2.6.2 do not verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
valid certificate.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164271 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java    |3.37      |
+--------------------+----------+

Remediation/Fixes

To upgrade to Liberty for Java v3.39-20191121-1047 or higher, you must re-stage
or re-push your application.

To find the version of Liberty for Java that your application in IBM Cloud is
currently using, run the following command from the command-line Cloud Foundry
client:

   cf ssh <appname> -c "cat staging_info.yml"

Look for the following line:

   {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3, buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env) ","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

   cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use
the following command:

   cf push <appname>

Workarounds and Mitigations

None

- -------------------------------------------------------------------------------

Multiple vulnerabilities in HTTP/2 implementation used by Liberty for Java for
IBM Cloud

Security Bulletin

Summary

There are multiple vulnerabilities in the HTTP/2 implementation that is used by
WebSphere Application Server Liberty. This affects the servlet-4.0 and
servlet-3.1 features. These vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2019-9515
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a settings flood,
potentially leading to a denial of service. The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer reply with
one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/165181 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9518
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a flood of empty
frames, potentially leading to a denial of service. The attacker sends a stream
of frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164904 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9517
DESCRIPTION: Some HTTP/2 implementations are vulnerable to unconstrained
internal data buffering, potentially leading to a denial of service. The
attacker opens the HTTP/2 window so the peer can send without constraint;
however, they leave the TCP window closed so the peer cannot actually write
(many of) the bytes on the wire. The attacker then sends a stream of requests
for a large response object. Depending on how the servers queue the responses,
this can consume excess memory, CPU, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/165183 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9512
DESCRIPTION: Some HTTP/2 implementations are vulnerable to ping floods,
potentially leading to a denial of service. The attacker sends continual pings
to an HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164903 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9514
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a reset flood,
potentially leading to a denial of service. The attacker opens a number of
streams and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164640 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9513
DESCRIPTION: Some HTTP/2 implementations are vulnerable to resource loops,
potentially leading to a denial of service. The attacker creates multiple
request streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume excess
CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164639 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java    |3.37      |
+--------------------+----------+

Remediation/Fixes

To upgrade to Liberty for Java v3.39-20191121-1047 or higher, you must re-stage
or re-push your application.

To find the version of Liberty for Java that your application in IBM Cloud is
currently using, run the following command from the command-line Cloud Foundry
client:

   cf ssh <appname> -c "cat staging_info.yml"

Look for the following line:

   {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3, buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env) ","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

   cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use
the following command:

   cf push <appname>

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved
directly from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
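The Remediation/Fixes sections of both IBM advisories above tell you to read the detected_buildpack line out of staging_info.yml and compare the buildpack version with the fixed level v3.39-20191121-1047. The POSIX shell functions below are an added example, not code from IBM or AusCERT: they extract the buildpack version from a constructed copy of the line quoted in the bulletin and report whether the application is at or above the fixed level, so the same check can be run over the real output of the cf ssh command shown above.

```shell
#!/bin/sh
# Added example, not from the bulletin: check the Liberty for Java buildpack
# version found in staging_info.yml against the fixed level from the advisory.

FIXED_MAJOR=3            # fixed level is v3.39-20191121-1047
FIXED_MINOR=39
FIXED_YMD=20191121
FIXED_HHMM=1047

# Constructed sample of the detected_buildpack line quoted in the bulletin.
SAMPLE_STAGING_INFO='{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3, buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env) ","start_command":".liberty/initial_startup.rb"}'

# Print the "MAJOR.MINOR-YYYYMMDD-HHMM" part that follows "buildpack-v";
# prints nothing when no such version string is present.
buildpack_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*buildpack-v\([0-9][0-9]*\.[0-9][0-9]*-[0-9]\{8\}-[0-9]\{4\}\).*/\1/p'
}

# Exit status 0 if the buildpack named in the given staging_info text is at or
# above the fixed level, 1 if it is older, 2 if no buildpack version is found.
is_fixed() {
    ver=$(buildpack_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}                 # 3
    rest=${ver#*.}                   # 25-20180918-1034
    minor=${rest%%-*}                # 25
    stamp=${rest#*-}                 # 20180918-1034
    ymd=${stamp%-*}                  # 20180918
    hhmm=${stamp#*-}                 # 1034
    # Compare field by field, most significant first. Numeric tests avoid
    # lexical surprises such as "3.4" sorting after "3.39".
    if   [ "$major" -ne "$FIXED_MAJOR" ]; then [ "$major" -gt "$FIXED_MAJOR" ]
    elif [ "$minor" -ne "$FIXED_MINOR" ]; then [ "$minor" -gt "$FIXED_MINOR" ]
    elif [ "$ymd"   -ne "$FIXED_YMD"   ]; then [ "$ymd"   -gt "$FIXED_YMD"   ]
    else                                       [ "$hhmm"  -ge "$FIXED_HHMM"  ]
    fi
}

# Run the check over the constructed sample (an older 3.25 buildpack).
if is_fixed "$SAMPLE_STAGING_INFO"; then
    echo "buildpack-v$(buildpack_version "$SAMPLE_STAGING_INFO"): at or above the fixed level"
else
    echo "buildpack-v$(buildpack_version "$SAMPLE_STAGING_INFO"): below v3.39-20191121-1047, re-stage or re-push"
fi
```

To check a live application, replace the sample with the captured output, for example `is_fixed "$(cf ssh <appname> -c "cat staging_info.yml")"`.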