-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0343
         Security Bulletin: Multiple security vulnerabilities were
              fixed in IBM Security Access Manager Appliance
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
Publisher:         IBM
Operating System:  Linux variants
                   Network Appliance
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20330 CVE-2019-9948 CVE-2019-9947
                   CVE-2019-9740 CVE-2019-5010 CVE-2019-3861
                   CVE-2019-3858 CVE-2018-14647

Reference:         ESB-2020.0296
                   ESB-2020.0177
                   ESB-2020.0044
                   ESB-2019.4645

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1167892
   https://www.ibm.com/support/pages/node/1284292
   https://www.ibm.com/support/pages/node/1284616

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple security vulnerabilities were fixed in IBM Security Access Manager
Appliance

Security Bulletin

Summary

Multiple vulnerabilities were fixed in the Python libraries used by the IBM
Security Access Manager appliance.

Vulnerability Details

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file:
scheme, which makes it easier for remote attackers to bypass protection
mechanisms that blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/158831
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16
and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a ? character) followed by an HTTP header or a Redis command. This
is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/158830
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-9740
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16
and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.
CVSS Base score: 6.1
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/158138
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
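
The three urllib findings above come down to what a program lets into a URL
before handing it to urlopen: a denylist of file: that local_file: sidesteps,
and CR/LF in the path or query that the client copies verbatim onto the HTTP
request line. The Python below is an added illustration, not code from IBM,
from CPython or from the advisory. It shows the weak prefix denylist beside an
allowlist check that rejects unknown schemes and control characters, and models
how a CR/LF inside the URL turns into an extra header line. The sample URLs and
the request-line builder are constructed for the demonstration; the scheme
split mirrors the permissive "anything up to the first colon" rule of the old
Python 2 urllib.splittype().

```python
"""Validating a user-supplied URL before handing it to urllib.

Added example. Covers the file:/local_file: denylist bypass (CVE-2019-9948) and
CR/LF reaching the request line (CVE-2019-9947 / CVE-2019-9740).
"""
import re

# Constructed sample inputs (not taken from the advisory).
SAMPLE_URLS = {
    "plain": "http://example.com/report?id=42",
    "file": "file:///etc/passwd",
    "local_file": "local_file:///etc/passwd",
    "crlf_path": "http://example.com/a\r\nX-Injected: 1\r\n\r\nGET /b",
    "crlf_query": "http://example.com/a?q=1\r\nX-Injected: 1",
}

# Permissive scheme split modelled on Python 2's urllib.splittype(): anything
# up to the first ':' that contains no '/' counts as a scheme. That is why
# 'local_file' was a perfectly good scheme to the old urllib.
_SCHEME_RE = re.compile(r"^([^/:]+):(.*)$", re.DOTALL)


def split_scheme(url):
    """Return (scheme, rest); scheme is None when the URL has none."""
    m = _SCHEME_RE.match(url)
    if m is None:
        return None, url
    return m.group(1).lower(), m.group(2)


def denylist_allows(url):
    """The weak check: block 'file:' by prefix. True means the URL passes."""
    return not url.lower().startswith("file:")


ALLOWED_SCHEMES = {"http", "https"}
# Anything below 0x21 (CR, LF, TAB, SP, ...) plus DEL has no business in a URL
# that is about to be written onto a request line. Python 3.7.4+ rejects the
# same range with http.client.InvalidURL; this check fails closed on older builds.
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def check_outbound_url(url):
    """Allowlist check. Returns (ok, reason)."""
    scheme, rest = split_scheme(url)
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme!r}"
    if not rest.startswith("//") or rest[2:3] in ("", "/"):
        return False, "missing host"
    if _CTRL_RE.search(url):
        return False, "control character in URL"
    return True, "ok"


def build_request_head(url):
    """Model of a naive HTTP client writing path+query onto the request line.
    Deliberately unvalidated, to show what CR/LF in the URL turns into."""
    scheme, rest = split_scheme(url)
    if scheme is None or not rest.startswith("//"):
        raise ValueError("not an absolute http URL")
    netloc, _, target = rest[2:].partition("/")
    return f"GET /{target} HTTP/1.1\r\nHost: {netloc}\r\n\r\n"


def header_lines(head):
    """Header lines of a request head as the server sees them (up to the
    first blank line)."""
    lines = head.split("\r\n")
    return lines[: lines.index("")]


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:11s} denylist passes={denylist_allows(url)!s:5s} "
              f"allowlist={check_outbound_url(url)}")
    # The injected header shows up as its own line once the URL is on the wire.
    print(header_lines(build_request_head(SAMPLE_URLS["crlf_path"])))
```

The allowlist rejects local_file: without knowing anything about it, which is
the point: a denylist has to predict every alias the library accepts, an
allowlist only has to name the two schemes the application actually needs.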

CVEID: CVE-2019-5010
DESCRIPTION: An exploitable denial-of-service vulnerability exists in the X509
certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted
X509 certificate can cause a NULL pointer dereference, resulting in a denial of
service. An attacker can initiate or accept TLS connections using crafted
certificates to trigger this vulnerability.
CVSS Base score: 5.9
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/156202
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-14647
DESCRIPTION: Python's elementtree C accelerator failed to initialise Expat's
hash salt during initialization. This could make it easy to conduct denial of
service attacks against Expat by constructing an XML document that would cause
pathological hash collisions in Expat's internal data structures, consuming
large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4 and 2.7 are
believed to be vulnerable.
CVSS Base score: 5.3
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/150579
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+---------------------------------+-------------+-------+---------------------+
|Affected Products                |Versions     |APAR   |Fix Availability     |
|                                 |Fixed        |       |                     |
+---------------------------------+-------------+-------+---------------------+
|IBM Security Access Manager      |9.0.7.1      |IJ21680|9.0.7-ISS-ISAM-FP0001|
|Appliance                        |             |       |                     |
+---------------------------------+-------------+-------+---------------------+

Workarounds and Mitigations

None


- --------------------------------------------------------------------------------


Multiple security vulnerabilities were fixed in IBM Security Access Manager
Appliance (CVE-2019-3861, CVE-2019-3858)

Security Bulletin

Summary

Multiple vulnerabilities were fixed in the libssh2 component used by the IBM
Security Access Manager Appliance.

Vulnerability Details

CVEID: CVE-2019-3861
DESCRIPTION: An out of bounds read flaw was discovered in libssh2 before 1.8.1
in the way SSH packets with a padding length value greater than the packet
length are parsed. A remote attacker who compromises an SSH server may be able
to cause a Denial of Service or read data in the client memory.
CVSS Base score: 5
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/158345
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-3858
DESCRIPTION: An out of bounds read flaw was discovered in libssh2 before 1.8.1
when a specially crafted SFTP packet is received from the server. A remote
attacker who compromises an SSH server may be able to cause a Denial of Service
or read data in the client memory.
CVSS Base score: 5
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/158342
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
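
Both libssh2 findings are missing bounds checks on length fields that arrive
from the peer: a padding_length larger than the packet it sits in, and a crafted
SFTP packet whose length field outruns the data received. The Python below is
an added illustration rather than libssh2 code. It parses an SSH binary packet
(RFC 4253 section 6) with the check that padding_length plus its own length byte
must fit inside packet_length, shows what an unchecked uint32 subtraction
produces when it does not, and applies the same rule to an SFTP length-prefixed
string. All packet bytes are constructed for the demonstration.

```python
"""Bounds checking for SSH binary packets and SFTP length-prefixed fields.

Added example, not libssh2 code. Packet layout (RFC 4253 section 6):
    uint32 packet_length | byte padding_length | payload | padding | mac
packet_length counts everything after itself except the MAC.
"""
import struct

UINT32_MASK = 0xFFFFFFFF


def naive_payload_length(packet_length, padding_length):
    """What an unchecked parser computes for the payload length. Done in
    uint32 arithmetic as in C, so a padding_length larger than packet_length
    wraps to a huge value instead of going negative, and that value is then
    used as a read size."""
    return (packet_length - padding_length - 1) & UINT32_MASK


def parse_ssh_packet(buf, mac_len=0):
    """Split one decrypted SSH packet into (payload, padding) or raise."""
    if len(buf) < 5:
        raise ValueError("truncated packet header")
    packet_length, padding_length = struct.unpack(">IB", buf[:5])
    # The check behind CVE-2019-3861: padding plus its length byte must fit
    # inside packet_length, otherwise the payload length underflows.
    if padding_length + 1 > packet_length:
        raise ValueError(
            f"padding_length {padding_length} exceeds packet_length {packet_length}")
    # packet_length itself must not point past the bytes actually received.
    if 4 + packet_length + mac_len > len(buf):
        raise ValueError("packet_length exceeds received data")
    payload_len = packet_length - padding_length - 1
    payload = buf[5:5 + payload_len]
    padding = buf[5 + payload_len:5 + payload_len + padding_length]
    return payload, padding


def ssh_packet_error(buf, mac_len=0):
    """None when the packet parses, otherwise the rejection reason."""
    try:
        parse_ssh_packet(buf, mac_len)
    except ValueError as exc:
        return str(exc)
    return None


def build_ssh_packet(payload, padding_length=None):
    """Constructed well-formed packet (8-byte cipher block, no MAC). RFC 4253
    wants at least 4 padding bytes and a total that is a block multiple."""
    if padding_length is None:
        padding_length = 8 - (5 + len(payload)) % 8
        if padding_length < 4:
            padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + bytes(padding_length)


def crafted_packet(packet_length, padding_length, body_len):
    """Constructed header with arbitrary (possibly inconsistent) fields."""
    return struct.pack(">IB", packet_length, padding_length) + bytes(body_len)


def sftp_string(data, length=None):
    """Constructed SFTP 'string' field; length may be set to a wrong value."""
    return struct.pack(">I", len(data) if length is None else length) + data


def read_sftp_string(buf, offset=0):
    """SFTP 'string': uint32 length followed by that many bytes. The same rule
    as above (CVE-2019-3858 was a crafted SFTP packet): compare a length field
    with the data actually received before using it as a read size."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    remaining = len(buf) - offset - 4
    if length > remaining:
        raise ValueError(f"string length {length} exceeds remaining {remaining} bytes")
    start = offset + 4
    return buf[start:start + length], start + length


if __name__ == "__main__":
    print(parse_ssh_packet(build_ssh_packet(b"\x05")))
    bad = crafted_packet(packet_length=12, padding_length=200, body_len=12)
    print("unchecked payload length:", naive_payload_length(12, 200))
    print("checked parser:", ssh_packet_error(bad))
    print(read_sftp_string(sftp_string(b"hello")))
```

In Python a negative or oversized slice just returns fewer bytes, so the
naive_payload_length() figure is the interesting one: it is the number of bytes
a C parser would try to copy out of a buffer that holds a few dozen.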

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+-------------------------------+---------------+-------+---------------------+
|Affected Products              |Affected       |APAR   |Fix Availability     |
|                               |Releases       |       |                     |
+-------------------------------+---------------+-------+---------------------+
|IBM Security Access Manager    |9.0.7          |IJ21679|9.0.7-ISS-ISAM-FP0001|
|Appliance                      |               |       |                     |
+-------------------------------+---------------+-------+---------------------+

Workarounds and Mitigations

None


- --------------------------------------------------------------------------------


Security vulnerabilities in the jackson-databind routines fixed in IBM Security
Access Manager

Security Bulletin

Summary

Security vulnerabilities were fixed in the IBM Security Access Manager
appliance in the jackson-databind utilities.

Vulnerability Details

CVEID: CVE-2019-20330
DESCRIPTION: FasterXML jackson-databind lacks blocking of certain net.sf.ehcache
classes; the public description gives no further detail on impact or attack
vector.
CVSS Base score: 7.3
CVSS Temporal Score: See the current score at
   https://exchange.xforce.ibmcloud.com/vulnerabilities/173897
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0       |
+--------------------+----------+

Remediation/Fixes

+-------------------------------------+-------+-------+-----------------------+
|Product                              |VRMF   |Apar   |Remediation/First Fix  |
+-------------------------------------+-------+-------+-----------------------+
|IBM Security Access Manager Appliance|9.0.7.0|IJ22059|9.0.7.1-ISS-ISAM-IF0002|
+-------------------------------------+-------+-------+-----------------------+

For the Docker image, after authenticating to dockerhub.com you can download the
image with the command: docker pull store/ibmcorp/isam:9.0.7.1_IF2

Workarounds and Mitigations

None


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjJUKGaOgq3Tt24GAQifbA/+NmVGPWGKaCEKmWZuuPKaEyWJOiii+ZW1
vsZdJFMTgYosuwkiT7ZzdxEQvv7/v2haofFEPMtk1hT3TqRK2TBz4mr6SBGeAF9v
NO/Qv11Vi5oh0SOR9ICFGim70oQmj1erM+vgKe2+Z53kHso5zO+c1MChFUHNug42
0S8ENkifVWAcolWRBTNov7tU6nbJIwG6KmMAQZFsRg5gvtvWCm7WD5MBMSlsb1M+
96KUGegcKtAKgfg6vDKVuVqj3MD5YIH7Fw2OBofavrIFat3cKiN5HvwDHBccd8Qd
JS9kpLfOwOo7c/aSYFtU3PuVe6ZK9wPbgAGG0iU8ylhttdKhzZEiLkWmiNIoFIaB
z+P884tWxVp945FweSjo6KiZ2GeAoXhIv6r87F1VoMSscMq7GawRizvp7EAM3ayy
A6/JnYjzskRyLqWQc5reyBkWqzaSxckD9JmKJFhvYXQIfRxQ/5+LF9rhjl12cGUv
YbJaR6Tbxr7OnKiWRnWQz37VLav+NDAcmE7fL7CBJ+h1X7Jz2gwlyvSZq5O3Lh5M
Hdr5Jr8I2CEQPaCJkV1OKe8nzb+gnJmtWp9iF2hJNtFMli+fiiexKq08jF09/VVc
ZxYk5JhSraH/M/sWtunfaQ0Y3Ftg0fZz9DTw+yx1WNYtRqi7luS0NtgsVX5BTjp5
wDm0Lt5edU8=
=ZIni
-----END PGP SIGNATURE-----