-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0303
   Security Bulletin: Vulnerability in IBM Websphere Application Server
           Liberty used by IBM Cloud Pak System (CVE-2019-12402)
                              29 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Pak System
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12402

Reference:         ESB-2020.0007
                   ESB-2019.4596
                   ESB-2019.4586
                   ESB-2019.4026

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1282006

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in IBM Websphere Application Server Liberty used by IBM Cloud
Pak System (CVE-2019-12402)

Security Bulletin

Summary

There is a vulnerability (CVE-2019-12402) in WebSphere Application Server
Liberty used by IBM Cloud Pak System. IBM Cloud Pak System has addressed it in
v2.3.1.1, which includes WebSphere Application Server Liberty 19.0.0.9 and, for
WebSphere Application Server Traditional, v8.5.5.16 and v9.0.5.1.

Vulnerability Details

CVEID: CVE-2019-12402
DESCRIPTION: The file name encoding algorithm used internally in Apache Commons
Compress 1.15 to 1.18 can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an attacker can
choose the file names inside of an archive created by Compress.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/165956 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
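The affected range in the description above (Apache Commons Compress 1.15
through 1.18) is the practical thing to check for when confirming whether a
deployment is exposed. The following is an added example, not code from IBM
or AusCERT: it reads the Implementation-Title / Implementation-Version
attributes from a jar's META-INF/MANIFEST.MF (the standard Maven-built
layout), falls back to the conventional commons-compress-<version>.jar file
name, and flags versions inside the bulletin's affected range. The sample
jars are constructed in memory so the script runs offline; the directory
walker is provided for use against a real WEB-INF/lib or Liberty lib tree.

```python
"""Flag Apache Commons Compress jars in the version range named in the
bulletin for CVE-2019-12402 (1.15 through 1.18).

Added example, not IBM's or AusCERT's code. Assumes the standard jar layout
(META-INF/MANIFEST.MF with Implementation-Title / Implementation-Version)
and the conventional commons-compress-<version>.jar file name.
"""
import io
import re
import zipfile
from pathlib import Path

# Range taken from the bulletin text: "Apache Commons Compress 1.15 to 1.18".
AFFECTED_MIN = (1, 15)
AFFECTED_MAX = (1, 18)
JAR_NAME_RE = re.compile(r"commons-compress-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.18' -> (1, 18); a qualifier such as '1.18-SNAPSHOT' is dropped."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version):
    """True when the major.minor part lies within the affected range."""
    return AFFECTED_MIN <= parse_version(version)[:2] <= AFFECTED_MAX


def read_manifest(jar_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict.
    Manifest continuation lines (leading space) are joined to the prior key."""
    attrs = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return attrs
    key = None
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def commons_compress_version(jar_name, jar_bytes):
    """Version string if the jar is Commons Compress, else None.
    The manifest is authoritative; the file name is only a fallback."""
    attrs = read_manifest(jar_bytes)
    title = (attrs.get("Implementation-Title")
             or attrs.get("Bundle-SymbolicName") or "")
    norm = title.lower().replace(" ", "-")
    if ("commons-compress" in norm or "org.apache.commons.compress" in norm) \
            and attrs.get("Implementation-Version"):
        return attrs["Implementation-Version"]
    m = JAR_NAME_RE.search(jar_name)
    return m.group(1) if m else None


def scan_jars(jars):
    """jars: iterable of (name, bytes). Returns [(name, version, affected)]."""
    findings = []
    for name, data in jars:
        version = commons_compress_version(name, data)
        if version is not None:
            findings.append((name, version, is_affected(version)))
    return findings


def scan_directory(root):
    """Walk a real lib tree (e.g. WEB-INF/lib) and scan every *.jar in it."""
    return scan_jars((p.name, p.read_bytes()) for p in Path(root).rglob("*.jar"))


def make_jar(title, version):
    """Construct an in-memory jar with a minimal manifest (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ("Manifest-Version: 1.0\r\n"
                    f"Implementation-Title: {title}\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


# Constructed sample jars: two conventionally named, one with a vendor name
# that only the manifest identifies, and one unrelated Commons library.
SAMPLE_JARS = [
    ("commons-compress-1.18.jar", make_jar("Apache Commons Compress", "1.18")),
    ("commons-compress-1.19.jar", make_jar("Apache Commons Compress", "1.19")),
    ("vendor-bundled-compress.jar", make_jar("Apache Commons Compress", "1.15")),
    ("commons-lang3-3.9.jar", make_jar("Apache Commons Lang", "3.9")),
]

if __name__ == "__main__":
    for name, version, affected in scan_jars(SAMPLE_JARS):
        status = "AFFECTED (CVE-2019-12402)" if affected else "ok"
        print(f"{name}: commons-compress {version} -> {status}")
```

Point scan_directory at an application's lib tree to produce the same report
for real jars; manifest-first matching matters because vendor bundles and
relocated copies often do not carry the commons-compress-<version>.jar name.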

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Pak System|2.3       |
+--------------------+----------+
|IBM Cloud Pak System|2.2       |
+--------------------+----------+

Affected Supporting Products

Liberty

Remediation/Fixes

For Cloud Pak System V2.2.5 - V2.2.6, V2.3.0.1

Apply the fix described in the IBM security bulletin "Denial of Service in IBM
WebSphere Application Server Liberty"

OR

Apply Cloud Pak System v2.3.1.1

Information on upgrading can be found here:
http://www.ibm.com/support/docview.wss?uid=ibm10887959

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----