-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0314
        Security Bulletin: IBM MQ Appliance is affected by OpenSSL
             vulnerabilities (CVE-2018-0734 and CVE-2019-1559)
                              29 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MQ Appliance
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9513 CVE-2019-9511 CVE-2019-1559
                   CVE-2018-15473 CVE-2018-0734 

Reference:         ESB-2020.0192
                   ESB-2019.3666
                   ESB-2019.2320.2
                   ESB-2019.3732

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1126791
   https://www.ibm.com/support/pages/node/1125879
   https://www.ibm.com/support/pages/node/1126773

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM MQ Appliance is affected by OpenSSL vulnerabilities (CVE-2018-0734 and
CVE-2019-1559)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following OpenSSL vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently based
on that in a way that is detectable to the remote peer, then this amounts to a
padding oracle that could be used to decrypt data. In order for this to be
exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites
are optimised implementations of certain commonly used ciphersuites. Also the
application must call SSL_shutdown() twice even if a protocol error has
occurred (applications should not do this but some do anyway). Fixed in OpenSSL
1.0.2r (Affected 1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/157514
    for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
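
The description above compresses a lot into "this amounts to a padding oracle
that could be used to decrypt data". The following is an added example, not
IBM or OpenSSL code, that makes the mechanism concrete: a MAC-then-encrypt CBC
record layer whose receiver fails differently for bad padding and for a bad
MAC, the attacker's view of that receiver as a yes/no oracle, and the
padding-oracle attack that recovers plaintext from it. The same attack is then
run against a receiver that raises one uniform error, which is what closes the
oracle. The 16-byte Feistel cipher is a stand-in for AES chosen so the code
runs with the standard library alone (the attack does not depend on the block
cipher); PKCS#7 padding stands in for TLS's own padding layout; keys, IV and
message are constructed for the example.

```python
# Added example, not IBM or OpenSSL code.  Feistel cipher, PKCS#7 padding,
# keys, IV and message are all stand-ins constructed for the demonstration.
import hashlib
import hmac

BLOCK, TAG = 16, 32          # block size; HMAC-SHA256 tag length


def _f(key, half, rnd):      # Feistel round function on an 8-byte half
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def encrypt_record(enc_key, mac_key, iv, msg):
    """Sender: msg || HMAC || padding, then CBC."""
    pt = msg + hmac.new(mac_key, msg, "sha256").digest()
    n = BLOCK - len(pt) % BLOCK
    pt += bytes([n]) * n
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(enc_key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


class RecordError(Exception): pass
class BadPadding(RecordError): pass
class BadMac(RecordError): pass


def decrypt_record(enc_key, mac_key, iv, ct, distinct_errors):
    """Receiver.  distinct_errors=True is the leaky behaviour, False the fix."""
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(enc_key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    n = pt[-1]
    if n == 0 or n > BLOCK or pt[-n:] != bytes([n]) * n:
        raise (BadPadding if distinct_errors else RecordError)()
    body, tag = pt[:-n][:-TAG], pt[:-n][-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        raise (BadMac if distinct_errors else RecordError)()
    return body


def make_oracle(enc_key, mac_key, distinct_errors):
    """Attacker's view of the receiver: True iff the padding was accepted."""
    def oracle(iv, blk):
        try:
            decrypt_record(enc_key, mac_key, iv, blk, distinct_errors)
            return True
        except BadMac:
            return True      # padding fine, MAC wrong: the leak
        except RecordError:
            return False     # bad padding, or the uniform hardened error
    return oracle


def padding_oracle_attack(oracle, iv, ct):
    """Recover the padded plaintext with at most 256 queries per byte."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)            # block_decrypt(cur), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # bytes after pos decrypt to the pad value
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:        # rule out an accidental 02 02 (or longer) match
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged), cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no padding accepted: errors are not distinguishable")
        recovered += _xor(inter, prev)
    return recovered


def demo(distinct_errors):
    """Return the recovered message, or None when the oracle is closed."""
    enc_key, mac_key = b"\x01" * 16, b"\x02" * 16     # constructed demo keys
    iv, msg = bytes(range(BLOCK)), b"MQ channel secret"
    rec = encrypt_record(enc_key, mac_key, iv, msg)
    try:
        pt = padding_oracle_attack(make_oracle(enc_key, mac_key, distinct_errors), iv, rec)
    except RuntimeError:
        return None
    return pt[:-pt[-1]][:-TAG]


if __name__ == "__main__":
    print("leaky receiver  :", demo(True))
    print("uniform receiver:", demo(False))
```

Running it recovers the full message from the leaky receiver and nothing from
the uniform one. In the OpenSSL case the observable difference is not an
exception type but how the library behaves on the second SSL_shutdown() call
after a fatal error, so the application-level fix the description points at
is the same as the receiver-level one here: never let the peer see which of
the two checks failed, and do not keep talking to the peer after a fatal
protocol error.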

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use variations in
the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a
(Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in
OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/152085
    for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance version 8.0
Apply fix pack 8.0.0.14, or later.
IBM MQ Appliance version 9.1 LTS
Apply fix pack 9.1.0.4, or later.
IBM MQ Appliance version 9.1 CD
Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM MQ Appliance is affected by an OpenSSH vulnerability (CVE-2018-15473)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following OpenSSH vulnerability.

Vulnerability Details

CVEID: CVE-2018-15473
DESCRIPTION: OpenSSH through 7.7 is prone to a user enumeration vulnerability
due to not delaying bailout for an invalid authenticating user until after the
packet containing the request has been fully parsed, related to auth2-gss.c,
auth2-hostbased.c, and auth2-pubkey.c.
CVSS Base score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/148397
    for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
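
The description above names the root cause (bailing out on an unknown user
before the request packet has been fully parsed) without showing why that is
an oracle. The following is an added example, not OpenSSH or IBM code: a toy
handler for the SSH userauth "publickey" request in the vulnerable shape and
in the fixed shape, plus the attacker's probe. Field encoding is SSH's
uint32-length-prefixed string; the user list, the two reply names
("USERAUTH_FAILURE" for an authentication-failure message, "DISCONNECT" for
a connection torn down on a parse error) and the truncated probe are
constructed for the example, and no key is ever actually verified.

```python
# Added example, not OpenSSH or IBM code.  Users, reply names and the probe
# request are constructed for the demonstration; no key is verified.
import struct


class Malformed(Exception):
    pass


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Read one length-prefixed string at buf[off:], or raise Malformed."""
    if off + 4 > len(buf):
        raise Malformed("truncated length")
    n = struct.unpack(">I", buf[off:off + 4])[0]
    off += 4
    if off + n > len(buf):
        raise Malformed("truncated string")
    return buf[off:off + n], off + n


def build_publickey_request(user, alg, keyblob):
    """SSH_MSG_USERAUTH_REQUEST body: user, service, method, has-sig, alg, key."""
    return (ssh_string(user) + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x00" + ssh_string(alg) + ssh_string(keyblob))


def parse_after_user(buf, off):
    """Parse the fields that follow the user name; raise Malformed if cut short."""
    _service, off = read_string(buf, off)
    _method, off = read_string(buf, off)
    if off >= len(buf):
        raise Malformed("missing has-signature flag")
    off += 1
    alg, off = read_string(buf, off)
    keyblob, off = read_string(buf, off)
    return alg, keyblob


def handle_vulnerable(valid_users, packet):
    """Unknown user: answer before the remainder is parsed.  Known user: parse,
    and a malformed remainder tears the connection down.  That difference is
    the enumeration oracle."""
    user, off = read_string(packet, 0)
    if user not in valid_users:
        return "USERAUTH_FAILURE"
    try:
        parse_after_user(packet, off)
    except Malformed:
        return "DISCONNECT"
    return "USERAUTH_FAILURE"          # toy: no key is ever authorised


def handle_fixed(valid_users, packet):
    """Parse the whole packet before the user is consulted, so a malformed
    packet is answered identically whatever user name it carries."""
    user, off = read_string(packet, 0)
    try:
        parse_after_user(packet, off)
    except Malformed:
        return "DISCONNECT"
    if user not in valid_users:
        return "USERAUTH_FAILURE"
    return "USERAUTH_FAILURE"          # key check would go here; toy never authorises


def malformed_probe(handler, valid_users, user):
    """Attacker's probe: a request whose key blob is cut 16 bytes short."""
    req = build_publickey_request(user, b"ssh-ed25519", b"\x00" * 32)
    return handler(valid_users, req[:-16])


def leaks_usernames(handler, valid_users, candidates):
    """True when the reply to the probe depends on which user name was sent."""
    return len({malformed_probe(handler, valid_users, u) for u in candidates}) > 1


if __name__ == "__main__":
    users = {b"mqm", b"admin"}             # constructed
    for h in (handle_vulnerable, handle_fixed):
        print(h.__name__, "leaks user names:", leaks_usernames(h, users, [b"mqm", b"nobody"]))
```

With the vulnerable handler the truncated request is answered with a failure
message for an unknown user and a disconnect for a known one; with the fixed
handler both get the disconnect, so the reply carries no information about
the user list. The same ordering rule (parse, then decide) is what the fix in
auth2-gss.c, auth2-hostbased.c and auth2-pubkey.c restores.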

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance version 8.0
Apply fix pack 8.0.0.14, or later.
IBM MQ Appliance version 9.1 LTS
Apply fix pack 9.1.0.4, or later.
IBM MQ Appliance version 9.1 CD
Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM MQ Appliance is affected by HTTP/2 vulnerabilities (CVE-2019-9511 and
CVE-2019-9513)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following HTTP/2 vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-9513
DESCRIPTION: Some HTTP/2 implementations are vulnerable to resource loops,
potentially leading to a denial of service. The attacker creates multiple
request streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume excess
CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/164639
    for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9511
DESCRIPTION: Some HTTP/2 implementations are vulnerable to window size
manipulation and stream prioritization manipulation, potentially leading to a
denial of service. The attacker requests a large amount of data from a
specified resource over multiple streams. They manipulate window size and
stream priority to force the server to queue the data in 1-byte chunks.
Depending on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/164638
    for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
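
Both descriptions above are about frame-level behaviour, so the traffic
pattern can be recognised by anything that sees a client's raw HTTP/2 frames,
for example a front-end proxy or a network sensor placed ahead of the
appliance. The following is an added example, not IBM code, of that kind of
monitor: it parses the 9-byte frame header and the PRIORITY and WINDOW_UPDATE
payloads as laid out in RFC 7540, counts priority re-parenting and tiny
window credits per connection, and flags a client that exceeds a threshold.
The thresholds and the three sample clients (one benign, one for each CVE's
pattern) are constructed for the example and are not taken from any
appliance.

```python
# Added example, not IBM code: frame-level detection of the two HTTP/2 abuse
# patterns.  Thresholds and sample clients are constructed for the example.
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"        # client connection preface
HEADERS, PRIORITY, SETTINGS, WINDOW_UPDATE = 0x1, 0x2, 0x4, 0x8


def frame(ftype, stream_id, payload, flags=0):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload); stop at a truncated frame."""
    off = len(PREFACE) if data.startswith(PREFACE) else 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, sid, payload
        off += 9 + length


def check_connection(data, max_priority=100, min_increment=1024, max_small_updates=50):
    """Return the abuse patterns seen in one client's stream (empty if none)."""
    priority_frames = small_updates = 0
    for ftype, _flags, _sid, payload in parse_frames(data):
        if ftype == PRIORITY:
            priority_frames += 1             # CVE-2019-9513: priority-tree churn
        elif ftype == WINDOW_UPDATE and len(payload) == 4:
            increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if increment < min_increment:    # CVE-2019-9511: drip-feed the window
                small_updates += 1
    findings = []
    if priority_frames > max_priority:
        findings.append("priority churn")
    if small_updates > max_small_updates:
        findings.append("tiny window updates")
    return findings


# Constructed sample clients.
def benign_client():
    return (PREFACE + frame(SETTINGS, 0, b"")
            + frame(HEADERS, 1, b"", flags=0x5)          # END_STREAM | END_HEADERS
            + frame(WINDOW_UPDATE, 0, struct.pack(">I", 65535)))


def priority_churn_client(streams=20, rounds=30):
    """Open odd-numbered streams and keep re-parenting every one of them."""
    data = PREFACE + frame(SETTINGS, 0, b"")
    for r in range(rounds):
        for s in range(1, 2 * streams, 2):
            parent = 0 if r % 2 else (s + 2) % (2 * streams + 1)   # never itself
            data += frame(PRIORITY, s, struct.pack(">I", parent) + b"\x10")
    return data


def window_starvation_client(updates=200):
    """Ask for a response, then release the flow-control window one byte at a time."""
    data = PREFACE + frame(SETTINGS, 0, b"") + frame(HEADERS, 1, b"", flags=0x5)
    for _ in range(updates):
        data += frame(WINDOW_UPDATE, 1, struct.pack(">I", 1))
    return data


if __name__ == "__main__":
    for name, client in (("benign", benign_client), ("priority", priority_churn_client),
                         ("window", window_starvation_client)):
        print(name, check_connection(client()))
```

The counters are deliberately per connection and per frame type rather than
per stream, because both attacks spread their cost across many streams; a
real deployment would reset them on a time window and pair the finding with
a GOAWAY or a connection close rather than only logging it.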

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance version 8.0
Apply fix pack 8.0.0.14, or later.
IBM MQ Appliance version 9.1 LTS
Apply fix pack 9.1.0.4, or later.
IBM MQ Appliance version 9.1 CD
Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----