-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4745
        Security Bulletin: Various security vulnerabilities in IBM
             Financial Transaction Manager for SWIFT Services
                             20 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Financial Transaction Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Z Systems
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4744 CVE-2019-4743 CVE-2019-4742
                   CVE-2019-4736 CVE-2018-15494

Reference:         ESB-2019.3988
                   ESB-2019.2916.2
                   ESB-2019.2889
                   ESB-2019.1481

Original Bulletin:
   https://www.ibm.com/support/pages/node/1135173

- --------------------------BEGIN INCLUDED TEXT--------------------

Various security vulnerabilities in IBM Financial Transaction Manager for SWIFT
Services

Security Bulletin

Summary

Various security vulnerabilities in IBM Financial Transaction Manager for SWIFT
Services could allow a remote attacker to gain access to unauthorized actions
and data.

Vulnerability Details

CVEID: CVE-2018-15494
DESCRIPTION: In Dojo Toolkit before 1.14, there is unescaped string injection
in dojox/Grid/DataGrid.
CVSS Base score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/148556
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-4742
DESCRIPTION: IBM Financial Transaction Manager could allow a remote attacker to
hijack the clicking action of the victim. By persuading a victim to visit a
malicious Web site, a remote attacker could exploit this vulnerability to
hijack the victim's click actions and possibly launch further attacks against
the victim.
CVSS Base score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/172877
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-4744
DESCRIPTION: IBM Financial Transaction Manager is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/172882
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-4743
DESCRIPTION: IBM Financial Transaction Manager does not set the Secure
attribute on authorization tokens or session cookies. Attackers may be able to
obtain the cookie values by sending an http:// link to a user or by planting
such a link on a site the user visits. The browser sends the cookie to the
insecure link, and the attacker can then obtain the cookie value by snooping
the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/172880
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
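
The two header-level weaknesses described above (a framable UI for
CVE-2019-4742 and session cookies issued without the Secure attribute for
CVE-2019-4743) can both be verified from a single captured HTTP response. The
following audit script is an added example written for this bulletin; it is
not IBM's code and does not interact with the product. The header lines,
cookie names (session_id, auth_token, theme) and the SESSION_COOKIE_NAMES set
are constructed for illustration. Checking HttpOnly and the X-Frame-Options /
CSP frame-ancestors headers goes beyond what the bulletin states; these are the
standard browser-side mitigations for cookie theft via script and for
clickjacking, included here as an assumption about sensible hardening.

```python
"""Audit captured HTTP response headers for session cookies that lack the
Secure (and HttpOnly) attribute and for responses that can be framed.
Added example for the bulletin above; not vendor code."""

from typing import Dict, List, Set, Tuple

Header = Tuple[str, str]

# Constructed sample headers (not captured from the product): one session
# cookie missing Secure, one fully hardened token, one harmless preference
# cookie, and no anti-framing header at all.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=7b2d; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]

# Hypothetical list of cookie names that carry session or authorization state.
SESSION_COOKIE_NAMES: Set[str] = {"session_id", "auth_token"}


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so lookups are case-insensitive; flag
    attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Header], session_names: Set[str]) -> List[str]:
    """Report session cookies that a browser would send over plain http://
    (no Secure) or expose to injected script (no HttpOnly)."""
    findings: List[str] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(hvalue)
        if cname not in session_names:
            continue  # preference cookies are out of scope
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure (sent over plain http://)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly (readable by injected script)")
    return findings


def audit_framing(headers: List[Header]) -> List[str]:
    """Report a response that neither X-Frame-Options nor a CSP
    frame-ancestors directive protects from being embedded in a frame."""
    lowered = {h.lower(): v for h, v in headers}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    csp = lowered.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    return ["no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors: "
            "response can be framed (clickjacking)"]


def audit(headers: List[Header], session_names: Set[str]) -> List[str]:
    """Run both checks and return the combined list of findings."""
    return audit_cookies(headers, session_names) + audit_framing(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SESSION_COOKIE_NAMES):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports one cookie finding
(session_id lacks Secure) and one framing finding; adding
"X-Frame-Options: DENY" or a "frame-ancestors" directive clears the latter.
Feeding it real headers from a proxy capture of the login response is the
quickest way to confirm that a fix pack actually changed the cookie
attributes.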

CVEID: CVE-2019-4736
DESCRIPTION: IBM Financial Transaction Manager is vulnerable to cross-site
request forgery which could allow an attacker to execute malicious and
unauthorized actions transmitted from a user that the website trusts.
CVSS Base score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/172706
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

+-------------------------------------------------------------------+---------+
|Affected Product(s)                                                |Version  |
|                                                                   |(s)      |
+-------------------------------------------------------------------+---------+
|IBM Financial Transaction Manager for SWIFT Services for           |3.0.0    |
|Multiplatforms                                                     |         |
+-------------------------------------------------------------------+---------+

Remediation/Fixes

Install Fix Pack 13 of IBM Financial Transaction Manager for SWIFT Services for
Multiplatforms 3.0.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----