Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4742
Security Bulletin: Multiple vulnerabilities of Mozzila Firefox (less than
Firefox 68.2.0 ESR) have affected Synthetic Playback Agent
20 December 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozzila Firefox
Publisher: IBM
Operating System: Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11764 CVE-2019-11763 CVE-2019-11762
CVE-2019-11761 CVE-2019-11760 CVE-2019-11759
CVE-2019-11758 CVE-2019-11757
Reference: ASB-2019.0307
ESB-2019.4478.2
ESB-2019.3995
Original Bulletin:
https://www.ibm.com/support/pages/node/1138810
https://www.ibm.com/support/pages/node/1138804
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple vulnerabilities of Mozzila Firefox (less than Firefox 68.2.0 ESR) have
affected Synthetic Playback Agent 8.1.4.0 - 8.1.4 IF09
Security Bulletin
Summary
Synthetic Playback Agent has addressed the following vulnerabilities: CVE-ID:
CVE-2019-11761,CVE-ID: CVE-2019-11762,CVE-ID: CVE-2019-11760,CVE-ID:
CVE-2019-11763,CVE-ID: CVE-2019-11759,CVE-ID: CVE-2019-11757
Vulnerability Details
CVEID: CVE-2019-11761
DESCRIPTION:
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169923 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2019-11762
DESCRIPTION:
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169924 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2019-11760
DESCRIPTION:
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169922 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11763
DESCRIPTION:
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169925 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2019-11759
DESCRIPTION:
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11757
DESCRIPTION:
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169920 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|APM AM |8.1.4 |
+--------------------+----------+
|BAM |1.0 |
+--------------------+----------+
|APM SaaS |8.1.4 |
+--------------------+----------+
|APM on-premise |8.1.4 |
+--------------------+----------+
|ICAM |2019.3.0 |
+--------------------+----------+
Remediation/Fixes
Product Remediation Fix
APM on-premise Synthetic Playback Agent 8.1.4 IF10
ICAM 2019.4.0
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
==============================================================================
Multiple vulnerabilities of Mozzila Firefox (less than Firefox 68.2.0 ESR) have
affected Synthetic Playback Agent 8.1.4.0 - 8.1.4 IF09 + ICAM Synthetic 3.0
Security Bulletin
Summary
Synthetic Playback Agent has addressed the following vulnerabilities: CVEID:
CVE-2019-11764, CVEID: CVE-2019-11758
Vulnerability Details
CVEID: CVE-2019-11764
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary
code on the system, caused by memory safety bugs within the browser engine. By
persuading a victim to visit a specially-crafted Web site, a remote attacker
could exploit this vulnerability using unknown attack vectors to execute
arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169930 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11758
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by a
memory safety bug in Firefox 68 when 360 Total Security was installed. By
persuading a victim to visit a specially-crafted Web site, a remote attacker
could exploit this vulnerability to cause the application to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|APM AM |8.1.4 |
+--------------------+----------+
|BAM |1.0 |
+--------------------+----------+
|APM SaaS |8.1.4 |
+--------------------+----------+
|APM on-premise |8.1.4 |
+--------------------+----------+
|ICAM |2019.3.0 |
+--------------------+----------+
Remediation/Fixes
Product Remediation Fix
APM on-premise Synthetic Playback Agent 8.1.4 IF10
ICAM 2019.4.0
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXfxX7maOgq3Tt24GAQgl5A//ZdQymwacUqqC+LxzQEa5StMN6W2dNmr+
L9Aupysdhbd4VBk+IMo2emuQkK+ys9gCi9a/+4ts8LhhAHwfSmZGlkbjBAwtW6Ih
acG4EHu5epgbOvC+OOez8XXhTnFeqO1d06uvfQTn60RtnonQU72DfDLPao3qA9se
SOm8g5P5g9n7djQaUOftnGleMeq7QaYzF4pSxWth9KjArhoDtjFS42ibNdvsBuTc
9rxcQZuDnRlqAtEDG2vViDCeanhSC2qSJflvz2pP0PACdJ3CBiW13sQK6bJpgKKb
Nt3+MFO75vYikJLWvb8CHHTM3DMNuKhyibjV+pUNU4Z2wCBP+A5pfzvCvYvH/ywr
M+w4axnPTAMub8bzZF8McqGpL44e17BqC7/wxRHY5ByG3GfOb4XfvXv7ZxL+Bd0c
Vq+b2kIc288QZENhoX/IywDG2WRnQ3ot2Wo3Dn7Ajn76Pr+hlaax4numZ4c6YAhq
DF7UDyB5mzVsvnpdZZ8OwsSMffQBQxKo6Q2LDE1CWXEZofg6xlVJjucYtiQ9mSfm
iAYomW5MGOp+gXWUtglZIortulKGjFPhC4a+aRqRkum2lS+oQfiTTQJLXtUNQkDL
xp18BuSlKutUyYQ6cj4ncMzruHiTKgcRn67UP6zsaEuw6zLr97I+0TQZwr2U1JJ+
+jQSD+1v4Xw=
=VeY5
-----END PGP SIGNATURE-----