-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0314
  Security Bulletin: IBM MQ Appliance is affected by OpenSSL vulnerabilities
                       (CVE-2018-0734 and CVE-2019-1559)
                               29 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MQ Appliance
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9513 CVE-2019-9511 CVE-2019-1559
                   CVE-2018-15473 CVE-2018-0734
Reference:         ESB-2020.0192
                   ESB-2019.3666
                   ESB-2019.2320.2
                   ESB-2019.3732

Original Bulletin:
   https://www.ibm.com/support/pages/node/1126791
   https://www.ibm.com/support/pages/node/1125879
   https://www.ibm.com/support/pages/node/1126773

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM MQ Appliance is affected by OpenSSL vulnerabilities (CVE-2018-0734 and
CVE-2019-1559)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following OpenSSL vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then
calls SSL_shutdown() twice (once to send a close_notify, and once to receive
one) then OpenSSL can respond differently to the calling application if a
0 byte record is received with invalid padding compared to if a 0 byte record
is received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data. In order for
this to be exploitable "non-stitched" ciphersuites must be in use. Stitched
ciphersuites are optimised implementations of certain commonly used
ciphersuites. Also the application must call SSL_shutdown() twice even if a
protocol error has occurred (applications should not do this but some do
anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/157514 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use variations
in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a
(Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in
OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance 8

Apply fix pack 8.0.0.14, or later.

IBM MQ Appliance version 9.1 LTS

Apply fix pack 9.1.0.4, or later.

IBM MQ Appliance version 9.1 CD

Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM MQ Appliance is affected by an OpenSSH vulnerability (CVE-2018-15473)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following OpenSSH vulnerability.
Vulnerability Details

CVEID: CVE-2018-15473
DESCRIPTION: OpenSSH through 7.7 is prone to a user enumeration vulnerability
due to not delaying bailout for an invalid authenticating user until after
the packet containing the request has been fully parsed, related to
auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/148397 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance 8

Apply fix pack 8.0.0.14, or later.

IBM MQ Appliance version 9.1 LTS

Apply fix pack 9.1.0.4, or later.

IBM MQ Appliance version 9.1 CD

Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM MQ Appliance affected by HTTP/2 vulnerabilities (CVE-2019-9511 and
CVE-2019-9513)

Security Bulletin

Summary

IBM MQ Appliance has addressed the following HTTP/2 vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-9513
DESCRIPTION: Some HTTP/2 implementations are vulnerable to resource loops,
potentially leading to a denial of service. The attacker creates multiple
request streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume excess
CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164639 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9511
DESCRIPTION: Some HTTP/2 implementations are vulnerable to window size
manipulation and stream prioritization manipulation, potentially leading to a
denial of service. The attacker requests a large amount of data from a
specified resource over multiple streams. They manipulate window size and
stream priority to force the server to queue the data in 1-byte chunks.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164638 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM MQ Appliance    |8.0       |
+--------------------+----------+
|IBM MQ Appliance    |9.1 LTS   |
+--------------------+----------+
|IBM MQ Appliance    |9.1 CD    |
+--------------------+----------+

Remediation/Fixes

IBM MQ Appliance 8

Apply fix pack 8.0.0.14, or later.

IBM MQ Appliance version 9.1 LTS

Apply fix pack 9.1.0.4, or later.

IBM MQ Appliance version 9.1 CD

Apply continuous delivery release 9.1.4, or later.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjEIqmaOgq3Tt24GAQgoIw//fmlK4kJGpnHSLDzjbNXKkvaVUcUS1AMW
1PzhTugJX0mVP7vHQIvyuoEKKFC2PAkkArBAM1Apvm0dOvD5YtrFOwdQH6SFvKKw
PBiDQVbdlA+W8+JlDIQEUgAM3iaJAlEo9a+8RaMwmeCX2Oqc0dn+2rFa8sVJEdeh
meKWaaMJ9BIHgkUTL2is9OIpy9r4yh7flRmiUj0gmjH/wWiSE6w3Wal+zKX2dxXj
eKH3OV1QYmj0Xv38ysWNxVZWAhm5jpGkBbeaQukCK+jseWySy+D7G4agHjv6obxG
qJLCLrgaGjq85vk0LjhMDvBfukfuq4HVkhyB6nrQ3gggnhRiNJErPWaxR7KVBMk7
Z1hnGHjbBud3YnzUszwb0ybIvs58+QX6IQD7zTucsjQyVvK/YJ2YpfG7ecJJ40Od
pKhiHQnqojVM97gEfUV9eykRxYLPW6qp5Z/oFciwr+A1gTYRQDT4oN2ccvs6aEwm
F66ON2iNtCkf6yQHKyDTCi49BEqfjhvFtgeIR7wRHaBhE0T9v93ELP4K/jauEHbN
T0PzNabFveOZw64Lq8cKmT4BytyCYBOFavG954Gwos+toY3XOK5uGWaBWb0Tiggh
+s1tqAHSu1353IoCaxCP0Dz5cbhzoOCqtOG5u2qMLypO/r5aQAThRoovJ7dRXsUx
4B5u3bmYOFg=
=hPQG
-----END PGP SIGNATURE-----
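The practical work this bulletin creates for a defender is inventory triage: deciding which appliances are below the stated fix levels (8.0.0.14, 9.1.0.4, CD 9.1.4) and which OpenSSL builds fall inside the affected ranges the two OpenSSL CVEs list (for example "Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)"). The script below is an added example written for this page, not code from AusCERT or IBM. It encodes only the version ranges and fix levels the bulletin states; the inventory (`CONSTRUCTED_INVENTORY`) is constructed sample data, and the rule that a 9.1.0.x level is the LTS stream while 9.1.y (y > 0) is a CD release is an assumption about IBM's V.R.M.F numbering, not something the bulletin spells out.

```python
"""Triage recorded OpenSSL versions and IBM MQ Appliance levels against the
fix levels stated in ESB-2020.0314.  Added example; assumptions are noted."""
import re
from typing import Optional, Tuple

# Fixed-in versions exactly as the bulletin states them.  For each entry the
# affected range is the same branch (first three numbers) below that version.
OPENSSL_FIXED = {
    "CVE-2019-1559": ["1.0.2r"],
    "CVE-2018-0734": ["1.1.1a", "1.1.0j", "1.0.2q"],
}

_OSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl(version: str) -> Tuple[int, int, int, int]:
    """'1.0.2q' -> (1, 0, 2, 17).  The bare release sorts as suffix 0, then
    'a'..'z'; multi-letter suffixes ('za') sort after 'z'.  Assumption: the
    letter-suffix scheme of the 1.0.x/1.1.x branches this bulletin covers."""
    m = _OSSL_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    suffix = 0
    for ch in letters:
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), suffix)


def openssl_affected(version: str, cve: str) -> bool:
    """True if `version` is inside an affected range the bulletin lists for `cve`:
    same branch as a fixed-in version and strictly older than it."""
    v = parse_openssl(version)
    for fixed in OPENSSL_FIXED[cve]:
        f = parse_openssl(fixed)
        if v[:3] == f[:3] and v < f:
            return True
    return False


# Appliance fix levels from the bulletin (identical in all three advisories).
MQ_FIXED = {
    "8.0": (8, 0, 0, 14),      # "Apply fix pack 8.0.0.14, or later."
    "9.1 LTS": (9, 1, 0, 4),   # "Apply fix pack 9.1.0.4, or later."
    "9.1 CD": (9, 1, 4),       # "Apply continuous delivery release 9.1.4, or later."
}


def mq_stream(level: Tuple[int, ...]) -> Optional[str]:
    """Map a parsed level to the bulletin's product stream, or None if the
    stream is not covered.  Assumption: 9.1.0.x is LTS, 9.1.y (y > 0) is CD."""
    if level[:2] == (8, 0):
        return "8.0"
    if level[:2] == (9, 1):
        mod = level[2] if len(level) > 2 else 0
        return "9.1 LTS" if mod == 0 else "9.1 CD"
    return None


def mq_needs_fix(level: str) -> Optional[bool]:
    """True if the appliance is below the fix level for its stream, False if at
    or above it, None if the bulletin does not cover that stream."""
    parts = tuple(int(p) for p in level.strip().split("."))
    stream = mq_stream(parts)
    if stream is None:
        return None
    fixed = MQ_FIXED[stream]
    # Compare on the digits the fix level specifies; pad shorter tuples with 0.
    n = max(len(parts), len(fixed))
    return parts + (0,) * (n - len(parts)) < fixed + (0,) * (n - len(fixed))


# Constructed sample inventory (hostname, reported appliance level).
CONSTRUCTED_INVENTORY = [
    ("mqappl-01", "8.0.0.13"),
    ("mqappl-02", "9.1.0.4"),
    ("mqappl-03", "9.1.3"),
]


def report(inventory=CONSTRUCTED_INVENTORY) -> dict:
    """Per-host triage result: True = patch needed, False = at fix level."""
    return {name: mq_needs_fix(level) for name, level in inventory}


if __name__ == "__main__":
    for name, needs in report().items():
        state = "NEEDS FIX" if needs else ("ok" if needs is False else "not covered")
        print(f"{name}: {state}")
    for cve in OPENSSL_FIXED:
        print(f"{cve}: OpenSSL 1.0.2q affected = {openssl_affected('1.0.2q', cve)}")
```

Note that 1.0.2q is affected by CVE-2019-1559 but already carries the CVE-2018-0734 fix, which is exactly what the two "Fixed in" lines state; feeding the bulletin's ranges through a comparison rather than eyeballing them avoids that kind of off-by-one-letter mistake.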