-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4664
         Security Bulletin: Multiple vulnerabilities in IBM Cloud
                             13 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Denial of Service      -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9518 CVE-2019-9517 CVE-2019-9515
                   CVE-2019-9514 CVE-2019-9513 CVE-2019-9512
                   CVE-2014-3603  

Reference:         ESB-2018.1786.2
                   ESB-2016.0913
                   ESB-2016.0704
                   ESB-2016.0265

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1128399
   https://www.ibm.com/support/pages/node/1128387

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Man in the middle vulnerability in Liberty for Java for IBM Cloud
(CVE-2014-3603)

Security Bulletin

Summary

There is a man in the middle vulnerability in WebSphere Application Server
Liberty. This vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2014-3603
DESCRIPTION: The (1) HttpResource and (2) FileBackedHttpResource
implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML
Java 2.6.2 do not verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
valid certificate.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164271
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
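
The check that the vulnerable HttpResource implementations skipped is the comparison of the dialled hostname against the certificate's dNSName SAN entries (or, only when no dNSName is present, the subject CN). The following is an added illustration in Python, not code from IBM, Shibboleth or OpenSAML; the two certificate dictionaries are constructed sample values in the shape Python's ssl.getpeercert() returns, and the second one models the failure mode: a certificate that is valid, just issued to some other name.

```python
import ssl

# Constructed certificate metadata in the shape ssl.SSLSocket.getpeercert()
# returns (subject as nested RDN tuples, SAN as (type, value) pairs).
# Both are sample values, not real certificates.
CERT_WITH_SAN = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.sso.example.org")),
}
# A certificate that chains to a trusted CA but names a different host. A client
# that validates the chain and never compares the name accepts it for
# idp.example.org as well; that is the CVE-2014-3603 failure mode.
CERT_FOR_OTHER_NAME = {
    "subject": ((("commonName", "other.example.net"),),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is allowed
    only as the entire leftmost label, matching exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # wildcard must be the whole first label, with at least two labels after it
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0] or "*" in "".join(p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_certificate(cert: dict, hostname: str) -> bool:
    """True when hostname is covered by a SAN dNSName entry, or by the subject
    CN when (and only when) the certificate carries no dNSName entries."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(dns_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def verify_peer_name(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless the certificate names the host we dialled."""
    if not hostname_matches_certificate(cert, hostname):
        raise ssl.CertificateError(f"certificate does not match hostname {hostname!r}")


def client_context_with_hostname_check() -> ssl.SSLContext:
    """Python's default client context already performs this check: with
    check_hostname enabled the handshake fails unless the peer certificate
    names the host passed as server_hostname. Returned here so callers can
    confirm the setting rather than assume it."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx
```

When reviewing an HTTP client library, the question to ask is exactly the one CERT_FOR_OTHER_NAME answers: does a chain-valid certificate for a different name get rejected? If the library exposes a hostname-verifier hook, make sure it is not set to an accept-all implementation.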

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java    |3.37      |
+--------------------+----------+

Remediation/Fixes

To upgrade to Liberty for v3.39-20191121-1047 or higher, you must re-stage or
re-push your application.

To find the current version of Liberty for Java being used in IBM Cloud, run the
following command from the command-line Cloud Foundry client:

cf ssh <appname> -c "cat staging_info.yml"

Look for the following lines:

{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3,
buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env)
","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use
the following command:

cf push <appname>

Workarounds and Mitigations

None

- -------------------------------------------------------------------------------

Multiple vulnerabilities in HTTP/2 implementation used by Liberty for Java for
IBM Cloud

Security Bulletin

Summary

There are multiple vulnerabilities in the HTTP/2 implementation that is used by
WebSphere Application Server Liberty. This affects the servlet-4.0 and
servlet-3.1 features. These vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2019-9515
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a settings flood,
potentially leading to a denial of service. The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer reply with
one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165181
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9518
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a flood of empty
frames, potentially leading to a denial of service. The attacker sends a stream
of frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164904
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9517
DESCRIPTION: Some HTTP/2 implementations are vulnerable to unconstrained
internal data buffering, potentially leading to a denial of service. The
attacker opens the HTTP/2 window so the peer can send without constraint;
however, they leave the TCP window closed so the peer cannot actually write
(many of) the bytes on the wire. The attacker then sends a stream of requests
for a large response object. Depending on how the servers queue the responses,
this can consume excess memory, CPU, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165183
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9512
DESCRIPTION: Some HTTP/2 implementations are vulnerable to ping floods,
potentially leading to a denial of service. The attacker sends continual pings
to an HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164903
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9514
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a reset flood,
potentially leading to a denial of service. The attacker opens a number of
streams and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164640
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9513
DESCRIPTION: Some HTTP/2 implementations are vulnerable to resource loops,
potentially leading to a denial of service. The attacker creates multiple
request streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume excess
CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164639
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
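
Five of the six HTTP/2 issues above share one shape: a client sends frames that are cheap to emit and expensive for the server to answer or queue, so the defensive signal is the per-connection count of those frames. The following is an added example in Python, not code from IBM or from the Liberty HTTP/2 stack: a small RFC 7540 frame parser plus per-connection counters that map each limit to the CVE it concerns. The byte stream it analyses is constructed inline (a normal connection start followed by 40 empty SETTINGS frames, the CVE-2019-9515 pattern), and the limits are sample values; a real deployment applies them per time window rather than per capture. CVE-2019-9517 is not covered, because detecting it needs TCP receive-window state that is not visible at the frame layer, and the CVE-2019-9514 counter is an approximation (streams opened, since the RST_STREAM frames in that case are sent by the server, not received).

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple

# Frame types and flags from RFC 7540 section 6.
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
FLAG_END_STREAM = 0x1   # on DATA and HEADERS
FLAG_ACK = 0x1          # on SETTINGS and PING
FLAG_END_HEADERS = 0x4  # on HEADERS, PUSH_PROMISE, CONTINUATION


@dataclass
class Frame:
    length: int
    type_name: str
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Split a byte stream (connection preface already consumed) into frames:
    3-byte length, 1-byte type, 1-byte flags, 31-bit stream id, then payload."""
    offset = 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack("!I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) < length:
            break  # truncated frame at the end of the capture
        yield Frame(length, FRAME_TYPES.get(frame_type, f"UNKNOWN({frame_type})"),
                    flags, stream_id, payload)
        offset += 9 + length


# Which counter corresponds to which advisory entry. The limits are constructed
# for this example, not values recommended by the advisory.
ALERT_CVES = {
    "settings_without_ack": "CVE-2019-9515",
    "ping_without_ack": "CVE-2019-9512",
    "empty_frames_without_end_stream": "CVE-2019-9518",
    "priority_frames": "CVE-2019-9513",
    "streams_opened": "CVE-2019-9514",
}
SAMPLE_LIMITS = {"settings_without_ack": 20, "ping_without_ack": 20,
                 "empty_frames_without_end_stream": 20, "priority_frames": 50,
                 "streams_opened": 100}


def analyze_connection(frames, limits: Dict[str, int] = SAMPLE_LIMITS) -> Tuple[Counter, Dict[str, str]]:
    """Count client-to-server frames on one connection and report the limits
    exceeded, keyed by counter name with the matching CVE id as the value."""
    counts: Counter = Counter()
    seen_streams = set()
    for f in frames:
        if f.type_name == "SETTINGS" and not f.flags & FLAG_ACK:
            counts["settings_without_ack"] += 1       # each one must be acknowledged
        elif f.type_name == "PING" and not f.flags & FLAG_ACK:
            counts["ping_without_ack"] += 1           # each one queues a PING ACK
        elif f.type_name == "PRIORITY":
            counts["priority_frames"] += 1            # priority-tree churn
        if (f.type_name in ("DATA", "HEADERS", "CONTINUATION", "PUSH_PROMISE")
                and f.length == 0 and not f.flags & FLAG_END_STREAM):
            counts["empty_frames_without_end_stream"] += 1
        if f.type_name == "HEADERS" and f.stream_id not in seen_streams:
            seen_streams.add(f.stream_id)
            counts["streams_opened"] += 1
    alerts = {name: ALERT_CVES[name] for name, limit in limits.items() if counts[name] > limit}
    return counts, alerts


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame; used here only to construct the sample capture."""
    return (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def sample_capture() -> bytes:
    """Constructed client-side byte stream: a normal connection start followed
    by 40 empty SETTINGS frames, each of which demands a SETTINGS ACK."""
    normal = (build_frame(4, 0, 0, struct.pack("!HI", 3, 100))                # SETTINGS: MAX_CONCURRENT_STREAMS=100
              + build_frame(1, FLAG_END_STREAM | FLAG_END_HEADERS, 1, b"\x82")  # HEADERS: HPACK indexed ':method GET'
              + build_frame(6, 0, 0, bytes(8)))                                # PING with 8 opaque bytes
    return normal + build_frame(4, 0, 0) * 40
```

Running analyze_connection over parse_frames(sample_capture()) reports 41 unacknowledged SETTINGS frames against a limit of 20 and flags CVE-2019-9515 only; the single PING, the one opened stream and the absence of empty frames stay below their limits. The same counters, kept per connection with a sliding window, are what a server-side HTTP/2 implementation uses to decide when to send GOAWAY and close a connection.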

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java    |3.37      |
+--------------------+----------+

Remediation/Fixes

To upgrade to Liberty for v3.39-20191121-1047 or higher, you must re-stage or
re-push your application.

To find the current version of Liberty for Java being used in IBM Cloud, run the
following command from the command-line Cloud Foundry client:

cf ssh <appname> -c "cat staging_info.yml"

Look for the following lines:

{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3,
buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env)
","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use
the following command:

cf push <appname>
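
Both advisories give the same remediation procedure: read the detected_buildpack line from staging_info.yml, compare the buildpack version against v3.39-20191121-1047, and restage or re-push if it is older. With more than a handful of applications that comparison is worth scripting. The following is an added example in Python, not IBM's or Cloud Foundry's code; SAMPLE_STAGING_INFO is constructed from the advisory's own example output (which shows the older v3.25 buildpack), and the version format vMAJOR.MINOR-YYYYMMDD-HHMM is inferred from the two version strings the advisory shows.

```python
import json
import re
from typing import Optional, Tuple

# Buildpack version the advisory names as fixed.
FIXED_BUILDPACK = "v3.39-20191121-1047"

# Sample staging_info.yml line, constructed from the advisory's own example
# output; it shows an older buildpack (v3.25), so this app is still affected.
SAMPLE_STAGING_INFO = ('{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-18.0.0_3, '
                       'buildpack-v3.25-20180918-1034, ibmjdk-1.8.0_20180214, env)",'
                       '"start_command":".liberty/initial_startup.rb"}')

# (major, minor, YYYYMMDD, HHMM); tuple comparison orders them in that sequence.
Version = Tuple[int, int, str, str]
_VERSION_RE = re.compile(r"v(\d+)\.(\d+)-(\d{8})-(\d{4})")


def parse_version(text: str) -> Optional[Version]:
    """Pull a 'vMAJOR.MINOR-YYYYMMDD-HHMM' version out of text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def detected_buildpack(staging_info_line: str) -> str:
    """Return the detected_buildpack value from a staging_info.yml line. The
    file is JSON-compatible YAML; fall back to the raw text if it does not parse."""
    try:
        return str(json.loads(staging_info_line).get("detected_buildpack", ""))
    except (json.JSONDecodeError, AttributeError):
        return staging_info_line


def remediation_status(staging_info_line: str, fixed: str = FIXED_BUILDPACK) -> str:
    """Classify one app: 'not-liberty' (advisory does not apply),
    'unknown-version' (Liberty, but no parseable buildpack version),
    'upgrade-required' (restage or re-push needed) or 'up-to-date'."""
    target = parse_version(fixed)
    if target is None:
        raise ValueError(f"fixed version {fixed!r} is not in vMAJOR.MINOR-YYYYMMDD-HHMM form")
    buildpack = detected_buildpack(staging_info_line)
    if "Liberty for Java" not in buildpack:
        return "not-liberty"
    # anchor on the 'buildpack-' prefix so the liberty-18.0.0_3 runtime
    # version and the ibmjdk build string are never mistaken for it
    m = re.search(r"buildpack-(v\d+\.\d+-\d{8}-\d{4})", buildpack)
    current = parse_version(m.group(1)) if m else None
    if current is None:
        return "unknown-version"
    return "upgrade-required" if current < target else "up-to-date"


if __name__ == "__main__":
    import sys
    # Intended use: cf ssh <appname> -c "cat staging_info.yml" | python3 check.py
    for line in sys.stdin:
        if line.strip():
            print(remediation_status(line.strip()))
```

An "unknown-version" result on a Liberty app is worth treating as "upgrade-required" in an audit: it means the buildpack string did not look like the advisory's example, and a restage against the current buildpack resolves the doubt either way.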

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----