Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1984
Multiple Liberty for Java vulnerabilities
8 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Liberty for Java
Publisher: IBM
Operating System: Linux variants
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Provide Misleading Information -- Existing Account
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-4421 CVE-2020-4329 CVE-2020-2830
CVE-2020-2805 CVE-2020-2803 CVE-2020-2800
CVE-2020-2781 CVE-2020-2773 CVE-2020-2757
CVE-2020-2756 CVE-2020-2755 CVE-2020-2754
CVE-2019-2949
Reference: ESB-2020.1797
ESB-2020.1794
ESB-2020.1601
ESB-2020.1730.2
Original Bulletin:
https://www.ibm.com/support/pages/node/6220572
https://www.ibm.com/support/pages/node/6220574
https://www.ibm.com/support/pages/node/6220578
https://www.ibm.com/support/pages/node/6220570
Comment: This bulletin contains four (4) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
CVE-2019-2949 may affect IBM SDK, Java Technology Edition used in Liberty for
Java
Security Bulletin
Summary
CVE-2019-2949 was disclosed in the Oracle October 2019 Critical Patch Update
Vulnerability Details
CVEID: CVE-2019-2949
DESCRIPTION: An unspecified vulnerability in Java SE related to the Kerberos
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a high confidentiality impact using unknown attack
vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java |3.44 |
+--------------------+----------+
Remediation/Fixes
To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage
or re-push your application
To find the current version of Liberty for Java in IBM Cloud being used, from
the command-line Cloud Foundry client by running the following commands:
cf ssh <appname> -c cat "staging_info.yml"
Look for the following lines:
{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9,
buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env)
","start_command":".liberty/initial_startup.rb"}
To re-stage your application using the command-line Cloud Foundry client, use
the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use
the following command:
cf push <appname>
Workarounds and Mitigations
None
- --------------------------------------------------------------------------------
IBM SDK, Java Technology Edition Quarterly CPU - Apr 2020 - Includes Oracle Apr
2020 CPU minus CVE-2020-2773 affects Liberty for Java for IBM Cloud
Security Bulletin
Summary
Multiple Vulnerabilities in IBM Java SDK affect Liberty for Java April 2020
CPU.
Vulnerability Details
CVEID: CVE-2020-2805
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to take control of
the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2020-2803
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2020-2830
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Concurrency component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2781
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
JSSE component could allow an unauthenticated attacker to cause a denial of
service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2800
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Lightweight HTTP Server component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2020-2757
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2756
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2755
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2754
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java |3.44 |
+--------------------+----------+
Remediation/Fixes
To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage
or re-push your application
To find the current version of Liberty for Java in IBM Cloud being used, from
the command-line Cloud Foundry client by running the following commands:
cf ssh <appname> -c cat "staging_info.yml"
Look for the following lines:
{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9,
buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env)
","start_command":".liberty/initial_startup.rb"}
To re-stage your application using the command-line Cloud Foundry client, use
the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use
the following command:
cf push <appname>
Workarounds and Mitigations
None
- --------------------------------------------------------------------------------
Potential spoofing attack in Liberty for Java (CVE-2020-4421)
Security Bulletin
Summary
IBM WebSphere Application Server Liberty using openidConnectServer feature
could allow spoofing identity by an authenticated user. This has been
addressed.
Vulnerability Details
CVEID: CVE-2020-4421
DESCRIPTION: IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could
allow an authenticated user using openidconnect to spoof another users
identify. IBM X-Force ID: 180084.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
180084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java |3.44 |
+--------------------+----------+
Remediation/Fixes
To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage
or re-push your application
To find the current version of Liberty for Java in IBM Cloud being used, from
the command-line Cloud Foundry client by running the following commands:
cf ssh <appname> -c cat "staging_info.yml"
Look for the following lines:
{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9,
buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env)
","start_command":".liberty/initial_startup.rb"}
To re-stage your application using the command-line Cloud Foundry client, use
the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use
the following command:
cf push <appname>
Workarounds and Mitigations
None
- --------------------------------------------------------------------------------
There is an information disclosure vulnerability in Liberty for Java
(CVE-2020-4329)
Security Bulletin
Summary
There is an information disclosure in WebSphere Application Server Liberty.
Vulnerability Details
CVEID: CVE-2020-4329
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty
17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to
obtain sensitive information, caused by improper parameter checking. This could
be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177841 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java |3.44 |
+--------------------+----------+
Remediation/Fixes
To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage
or re-push your application
To find the current version of Liberty for Java in IBM Cloud being used, from
the command-line Cloud Foundry client by running the following commands:
cf ssh <appname> -c cat "staging_info.yml"
Look for the following lines:
{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9,
buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env)
","start_command":".liberty/initial_startup.rb"}
To re-stage your application using the command-line Cloud Foundry client, use
the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use
the following command:
cf push <appname>
Workarounds and Mitigations
None
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXt2IguNLKJtyKPYoAQgvpBAAnzKmAnTi3EnsSTQoGVy+VoB5DmIaMars
dOt+qG/dQWrNsE9dfnBliNDQagoKfZETzYwTfFWL18KYHEq67fTA8537YFAiiNer
CFmDo4zGqZHdgT3pRvMLfsMNCAEPw2UUSwR/xCybpFT73QgoMjGoolb6hZh7JTAW
UbPokAh/1xi3NdKTEfcVLrICgvWqgbL7rdAT0jQcRZvo5YcBXJ/nF4ufgGUQYCyN
+xs6RJ6AU1H9eQ1/zinPZhoncfAtjQWneTyp0AIt1NCa8Ieev1sfddouFtcyuIhO
iJZAtIIqbX1F2uXaJA1LpqArwFh/9ot+WCdchTSurNasOkX3fK5Tef/SH0B8D150
k+LiTpyQ68b+WRMeTMb3uGZMHPjykzY+WFCjKtl8gLQVvh5JzsU3ZJ6MTgnQbfkY
d2CaTCppt0MWAvpbylb7XNBXV3+1LnZ6AyzoDJmuuEPVowhMRNwVuq0ZHAw1hrKR
1XtefPL5M3rsb6vLIJJ7ih9t4Ephp3L+/CwicPWTPwIO0C2RXrWCV+qDIeBREc31
PaalLQtkubyL3/ZVFqB17FXXGz8s/Sj5VpHaYLTqMjx0dsB2QwjcTJ4sCKLEP9l+
/QMEicPPQUxniJXuOxxXgdWb27TsxuPfQnnV/mhdtKDd6hG1rF6q61O3IeotMD6W
sjPkvbhPP/Y=
=nmJ0
-----END PGP SIGNATURE-----