===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0816
 Vulnerability in Apache CXF affects WebSphere Application Server shipped
         with IBM® Intelligent Operations Center (CVE-2019-12406)
                               5 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Intelligent Operations Center
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12406  

Reference:         ESB-2020.0564
                   ESB-2020.0401
                   ESB-2019.4157

Original Bulletin: 
   https://www.ibm.com/support/pages/node/5692184

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application
Server shipped with IBM(R) Intelligent Operations Center (CVE-2019-12406)

Summary

IBM WebSphere Application Server is shipped with IBM Intelligent Operations
Center. Information about a security vulnerability affecting IBM WebSphere
Application Server has been published in a security bulletin. There is a denial
of service vulnerability in the Apache CXF library used by WebSphere Application
Server shipped with IBM(R) Intelligent Operations Center. This has been addressed.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

+------------------------------------------------------+----------------------+
|Affected Product(s)                                   |Version(s)            |
+------------------------------------------------------+----------------------+
|IBM(R) Intelligent Operations Center V1.5.0, V1.5.0.1,|IBM WebSphere(R)      |
|V1.5.0.2, V1.6.0, V1.6.0.1, V1.6.0.2, V1.6.0.3,       |Application Server    |
|V5.1.0, V5.1.0.1, V5.1.0.2, V5.1.0.3, V5.1.0.4,       |V9.0, and             |
|V5.1.0.5, V5.1.0.6, V5.1.0.7, V5.1.0.8, V5.1.0.9,     |Liberty 17.0.0.3 -    |
|V5.1.0.10, V5.1.0.11, V5.1.0.12, V5.1.0.13, V5.1.0.14,|20.0.0.1              |
|V5.2.0, and V5.2.1                                    |                      |
+------------------------------------------------------+----------------------+
|IBM(R) Intelligent Operations Center for Emergency    |                      |
|Management V1.6, V5.1.0, V5.1.0.1, V5.1.0.2, V5.1.0.3,|                      |
|V5.1.0.4, V5.1.0.5, and V5.1.0.6                      |                      |
+------------------------------------------------------+----------------------+
|IBM(R) Water Operations for Waternamics V5.1, V5.2.0, |                      |
|V5.2.0.1, V5.2.0.2, V5.2.0.3, V5.2.0.4, V5.2.0.5,     |                      |
|V5.2.0.6, V5.2.1, and V5.2.1.1                        |                      |
+------------------------------------------------------+----------------------+


Remediation/Fixes

Download the correct version of the fix from the following link: Security
Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server
(CVE-2019-12406). Installation instructions for the fix are included in the
readme document that is in the fix package.

Workarounds and Mitigations

None

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================