===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0343
   Security Bulletin: Multiple security vulnerabilities were fixed in IBM
                     Security Access Manager Appliance
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
Publisher:         IBM
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20330 CVE-2019-9948 CVE-2019-9947
                   CVE-2019-9740 CVE-2019-5010 CVE-2019-3861
                   CVE-2019-3858 CVE-2018-14647 CVE-019-3858

Reference:         ESB-2020.0296
                   ESB-2020.0177
                   ESB-2020.0044
                   ESB-2019.4645

Original Bulletin:
   https://www.ibm.com/support/pages/node/1167892
   https://www.ibm.com/support/pages/node/1284292
   https://www.ibm.com/support/pages/node/1284616

Comment: This bulletin contains three (3) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple security vulnerabilities were fixed in IBM Security Access Manager
Appliance

Security Bulletin

Summary

Multiple vulnerabilities in the python libraries used by the IBM Security Access
Manager appliance.

Vulnerability Details

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file: scheme,
which makes it easier for remote attackers to bypass protection mechanisms that
blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158831
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and
urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a ? character) followed by an HTTP header or a Redis command. This is
similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-9740
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and
urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158138
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-5010
DESCRIPTION: An exploitable denial-of-service vulnerability exists in the X509
certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509
certificate can cause a NULL pointer dereference, resulting in a denial of
service. An attacker can initiate or accept TLS connections using crafted
certificates to trigger this vulnerability.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156202
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-14647
DESCRIPTION: Python's elementtree C accelerator failed to initialise Expat's hash
salt during initialization.
This could make it easy to conduct denial of service attacks against Expat by
constructing an XML document that would cause pathological hash collisions in
Expat's internal data structures, consuming large amounts of CPU and RAM. Python
3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150579
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+---------------------------------+-------------+-------+---------------------+
|Affected Products                |Versions     |APAR   |Fix Availability     |
|                                 |Fixed        |       |                     |
+---------------------------------+-------------+-------+---------------------+
|IBM Security Access Manager      |9.0.7.1      |IJ21680|9.0.7-ISS-ISAM-FP0001|
|Appliance                        |             |       |                     |
+---------------------------------+-------------+-------+---------------------+

Workarounds and Mitigations

None

--------------------------------------------------------------------------------

Multiple security vulnerabilities were fixed in IBM Security Access Manager
Appliance (CVE-2019-3861, CVE-019-3858)

Security Bulletin

Summary

Multiple vulnerabilities were fixed in the libssh2 component used by the IBM
Security Access Manager Appliance.

Vulnerability Details

CVEID: CVE-2019-3861
DESCRIPTION: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in
the way SSH packets with a padding length value greater than the packet length
are parsed. A remote attacker who compromises a SSH server may be able to cause
a Denial of Service or read data in the client memory.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158345
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-3858
DESCRIPTION: An out of bounds read flaw was discovered in libssh2 before 1.8.1
when a specially crafted SFTP packet is received from the server. A remote
attacker who compromises a SSH server may be able to cause a Denial of Service
or read data in the client memory.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158342
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+-------------------------------+---------------+-------+---------------------+
|Affected Products              |Affected       |APAR   |Fix Availability     |
|                               |Releases       |       |                     |
+-------------------------------+---------------+-------+---------------------+
|IBM Security Access Manager    |9.0.7          |IJ21679|9.0.7-ISS-ISAM-FP0001|
|Appliance                      |               |       |                     |
+-------------------------------+---------------+-------+---------------------+

Workarounds and Mitigations

None

--------------------------------------------------------------------------------

Security vulnerabilities in the jackson-databind routines fixed in IBM Security
Access Manager

Security Bulletin

Summary

Security vulnerabilities were fixed in the IBM Security Access Manager appliance
in the jackson-databind utilities.

Vulnerability Details

CVEID: CVE-2019-20330
DESCRIPTION: A lacking of certain net.sf.ehcache blocking in FasterXML
jackson-databind has an unknown impact and attack vector.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173897
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+-------------------------------------+-------+-------+-----------------------+
|Product                              |VRMF   |Apar   |Remediation/First Fix  |
+-------------------------------------+-------+-------+-----------------------+
|IBM Security Access Manager Appliance|9.0.7.0|IJ22059|9.0.7.1-ISS-ISAM-IF0002|
+-------------------------------------+-------+-------+-----------------------+

For the docker image after authentication to dockerhub.com you can download the
image by using the command:

docker pull store/ibmcorp/isam:9.0.7.1_IF2

Workarounds and Mitigations

None

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
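The urllib issues in the first IBM advisory above share one root cause: an attacker-influenced URL string reaches urllib unchecked, so a blacklist of file: URIs is bypassed by local_file: (CVE-2019-9948) and a CR/LF in the path or query string becomes an injected header (CVE-2019-9947, CVE-2019-9740). The following caller-side validator is an added example, not code from IBM, AusCERT or Python; it assumes that only http and https fetches are legitimate for the calling application, and the function names are the example's own.

```python
"""Validate an outbound URL before it reaches urllib (added example, not IBM's code).

Counters the urllib issues in the advisory above without depending on the
Python version in use:
- CVE-2019-9948: a blacklist of "file:" is bypassed by "local_file:", so the
  scheme is checked against an allowlist instead.
- CVE-2019-9947 / CVE-2019-9740: CR/LF in the path or query string injects an
  HTTP header, so control characters are rejected before the URL is parsed.
"""
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web resources.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_outbound_url(url: str) -> str:
    """Return `url` unchanged if it is safe to hand to urllib, else raise ValueError."""
    # 1. Reject control characters (CR, LF, TAB, NUL, DEL, ...) on the raw string,
    #    before parsing: newer urlsplit() silently strips \t\r\n, so a check on
    #    the parsed components would miss exactly the bytes that matter here.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    # 2. Allowlist the scheme. urlsplit() does not accept "_" in a scheme, so
    #    "local_file:///etc/passwd" parses with an empty scheme; either way only
    #    http/https pass, which is what the bypassed blacklist failed to ensure.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % (parts.scheme or "(none)"))
    # 3. A network URL must name a host; "http:///etc/passwd" has none.
    if not parts.hostname:
        raise ValueError("missing host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper for use in filters and tests."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs mirroring the advisory's descriptions.
    for sample in (
        "https://example.com/api?q=1",
        "local_file:///etc/passwd",                  # CVE-2019-9948 style scheme
        "http://example.com/a\r\nX-Injected: 1",     # CRLF in path  (CVE-2019-9947)
        "http://example.com/?q=1\r\nX-Injected: 1",  # CRLF in query (CVE-2019-9740)
    ):
        print("%-5s %r" % (is_safe_url(sample), sample))
```

Percent-encoded sequences such as %0d%0a are left alone because urllib sends them verbatim; the check targets the raw bytes the advisory describes.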