-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4745
     Security Bulletin: Various security vulnerabilities in IBM Financial
                    Transaction Manager for SWIFT Services
                              20 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Financial Transaction Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Z Systems
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4744 CVE-2019-4743 CVE-2019-4742 CVE-2019-4736
                   CVE-2018-15494
Reference:         ESB-2019.3988
                   ESB-2019.2916.2
                   ESB-2019.2889
                   ESB-2019.1481

Original Bulletin:
   https://www.ibm.com/support/pages/node/1135173

- --------------------------BEGIN INCLUDED TEXT--------------------

Various security vulnerabilities in IBM Financial Transaction Manager for
SWIFT Services

Security Bulletin

Summary

Various security vulnerabilities in IBM Financial Transaction Manager for
SWIFT Services could allow a remote attacker to gain access to unauthorized
actions and data.

Vulnerability Details

CVEID:       CVE-2018-15494
DESCRIPTION: In Dojo Toolkit before 1.14, there is unescaped string injection
             in dojox/Grid/DataGrid.
CVSS Base score: 6.1
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/148556 for the current
  score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:       CVE-2019-4742
DESCRIPTION: IBM Financial Transaction Manager could allow a remote attacker
             to hijack the clicking action of the victim. By persuading a
             victim to visit a malicious Web site, a remote attacker could
             exploit this vulnerability to hijack the victim's click actions
             and possibly launch further attacks against the victim.
CVSS Base score: 6.1
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/172877 for the current
  score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:       CVE-2019-4744
DESCRIPTION: IBM Financial Transaction Manager is vulnerable to cross-site
             scripting. This vulnerability allows users to embed arbitrary
             JavaScript code in the Web UI, thus altering the intended
             functionality and potentially leading to credentials disclosure
             within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/172882 for the current
  score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:       CVE-2019-4743
DESCRIPTION: IBM Financial Transaction Manager does not set the secure
             attribute on authorization tokens or session cookies. Attackers
             may be able to get the cookie values by sending an http:// link
             to a user or by planting this link in a site the user visits.
             The cookie will be sent to the insecure link and the attacker
             can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/172880 for the current
  score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:       CVE-2019-4736
DESCRIPTION: IBM Financial Transaction Manager is vulnerable to cross-site
             request forgery, which could allow an attacker to execute
             malicious and unauthorized actions transmitted from a user that
             the website trusts.
CVSS Base score: 4.3
CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/172706 for the current
  score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

+-------------------------------------------------------------------+---------+
|Affected Product(s)                                                |Version  |
|                                                                   |(s)      |
+-------------------------------------------------------------------+---------+
|IBM Financial Transaction Manager for SWIFT Services for           |3.0.0    |
|Multiplatforms                                                     |         |
+-------------------------------------------------------------------+---------+

Remediation/Fixes

Install Fix Pack 13 of IBM Financial Transaction Manager for SWIFT Services
for Multiplatforms 3.0.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfxdlWaOgq3Tt24GAQio4w//ewqSlZWfaWfZ7MOxK8wSA9O2A5SFF2bp
Q4Yv95jbFNHgdoR3d0+UMbCb+erB6vP03QVTUsi7KuT+S8z2SzQ2kVgDikBM3SZ7
RskgziCyJl2FSTpqM4UO62AX8GiRQ5K8CY9lYKHmKzMaZHhMDNqYVxhh2ZG0XSBD
iDK4ul7OzSssEBCLWIJBFnjvPlsgoApCme5ZXShmCrOnSsxnKW8eA1QdOW9asz6U
nv3b9RnTcSN9LC+tzJhIbrfIck4hG3SHJflop/ynXPuKa6SOirPFpA0rn6KP2fV1
WqjkOkoC2WpEGx2MWYC4CMoFVhpV7j/4htdQRot7cX9nCw4yzij6NprGckCTjSuI
Nt6iqEjXlg3LBYjoubvdL+lTwjgecxIuY6BoFvCS9ecZ0XF2hBjIUAc/iAs+e1fj
7UhEHwKfEvj8t25n6rHamPNMOQga8DZ5+eRxt7qEZh0kOHnaRMMLjiaWkX381uf6
nDyG72/ZlT7V7CkV/aG5X4EiFPaCR7Xo0MSH3kw3FHXSx6GAC4yiqKb9f1Xeu0Ah
LuRshGfQAdtMUoMYM+xbWu+iW1j4qgSFp8YGJaw/UdTfLQ8xkch86FJK+YgzFgi0
2ULLWcWkvyLzPJ9s3qjv7JUylOCbQM1/iXfW48o5/3sYZH2CBY5nQbx3FMgX07I6
8lTWy9M4U2g=
=VE8z
-----END PGP SIGNATURE-----
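Added after the bulletin as a worked example (not IBM or AusCERT code): a small
header audit that checks a web application's responses for the two
transport-level patterns the bulletin describes, session cookies issued without
the Secure attribute (CVE-2019-4743) and pages that a third-party site can frame
for clickjacking (CVE-2019-4742). It reports missing HttpOnly and SameSite as
well, since those are the companion defences a reviewer checks at the same time.
The sample responses are constructed for illustration and do not reproduce any
real Financial Transaction Manager response; the cookie-name pattern used to
decide which cookies count as session cookies is an assumption, because the
bulletin does not name the product's cookies.

```python
"""Audit HTTP response headers for missing cookie flags and missing
anti-framing headers.  Added example, not IBM or AusCERT code."""
import re
from http.client import HTTPSConnection
from urllib.parse import urlsplit

# Assumption: treat cookies whose names look like session/auth identifiers
# as the "authorization tokens or session cookies" the bulletin refers to.
SESSION_COOKIE_RE = re.compile(r"(session|jsessionid|ltpatoken|auth|token)", re.I)


def parse_set_cookie(value):
    """Split one Set-Cookie header into (cookie_name, {attribute: value}).
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs


def parse_raw_response(raw):
    """Turn a raw HTTP/1.1 response head into a list of (name, value) pairs,
    keeping repeated headers (several Set-Cookie lines) as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [tuple(s.strip() for s in ln.split(":", 1)) for ln in lines if ":" in ln]


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) header pairs."""
    findings = []
    # Last occurrence wins for single-valued headers; Set-Cookie is handled per line.
    single = {name.lower(): value for name, value in headers}

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not SESSION_COOKIE_RE.search(cookie):
            continue  # not a session/auth cookie under our assumption
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure (would be sent to an http:// link)")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly (readable by injected script)")
        if "samesite" not in attrs:
            findings.append(f"{cookie}: missing SameSite (no browser-side CSRF defence)")

    xfo = single.get("x-frame-options", "").strip().upper()
    csp = single.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("page can be framed: no X-Frame-Options DENY/SAMEORIGIN "
                        "and no CSP frame-ancestors directive")
    return findings


def audit_url(url, timeout=10):
    """Live helper: fetch one URL over TLS and audit its response headers."""
    parts = urlsplit(url)
    conn = HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        return audit_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed samples: a weak response and a hardened one (not real product output).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0000abc; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0000abc; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)


def demo():
    """Return (findings for the weak sample, findings for the hardened sample)."""
    return (audit_headers(parse_raw_response(WEAK_RESPONSE)),
            audit_headers(parse_raw_response(HARDENED_RESPONSE)))


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak sample:", *weak, sep="\n  ")
    print("hardened sample:", hardened or "no findings")
```

Run the script as-is to see the four findings on the weak sample and none on the
hardened one; point `audit_url` at a test instance to audit a live login page.
A clean result from this check confirms only the header-level defences; it says
nothing about the CSRF token handling or output encoding behind CVE-2019-4736
and CVE-2019-4744, which need to be tested in the application itself.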