Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1984 Multiple Liberty for Java vulnerabilities 8 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Liberty for Java Publisher: IBM Operating System: Linux variants Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Provide Misleading Information -- Existing Account Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-4421 CVE-2020-4329 CVE-2020-2830 CVE-2020-2805 CVE-2020-2803 CVE-2020-2800 CVE-2020-2781 CVE-2020-2773 CVE-2020-2757 CVE-2020-2756 CVE-2020-2755 CVE-2020-2754 CVE-2019-2949 Reference: ESB-2020.1797 ESB-2020.1794 ESB-2020.1601 ESB-2020.1730.2 Original Bulletin: https://www.ibm.com/support/pages/node/6220572 https://www.ibm.com/support/pages/node/6220574 https://www.ibm.com/support/pages/node/6220578 https://www.ibm.com/support/pages/node/6220570 Comment: This bulletin contains four (4) IBM security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- CVE-2019-2949 may affect IBM SDK, Java Technology Edition used in Liberty for Java Security Bulletin Summary CVE-2019-2949 was disclosed in the Oracle October 2019 Critical Patch Update Vulnerability Details CVEID: CVE-2019-2949 DESCRIPTION: An unspecified vulnerability in Java SE related to the Kerberos component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 169254 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |Liberty for Java |3.44 | +--------------------+----------+ Remediation/Fixes To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage or re-push your application To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands: cf ssh <appname> -c cat "staging_info.yml" Look for the following lines: {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env) ","start_command":".liberty/initial_startup.rb"} To re-stage your application using the command-line Cloud Foundry client, use the following command: cf restage <appname> To re-push your application using the command-line Cloud Foundry client, use the following command: cf push <appname> Workarounds and Mitigations None - -------------------------------------------------------------------------------- IBM SDK, Java Technology Edition Quarterly CPU - Apr 2020 - Includes Oracle Apr 2020 CPU minus CVE-2020-2773 affects Liberty for Java for IBM Cloud Security Bulletin Summary Multiple Vulnerabilities in IBM Java SDK affect Liberty for Java April 2020 CPU. Vulnerability Details CVEID: CVE-2020-2805 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to take control of the system. CVSS Base score: 8.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179703 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) CVEID: CVE-2020-2803 DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system. CVSS Base score: 8.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179701 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) CVEID: CVE-2020-2830 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179728 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2781 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179681 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2800 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Lightweight HTTP Server component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179698 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) CVEID: CVE-2020-2757 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179657 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2756 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179656 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2755 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179655 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2754 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 179654 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |Liberty for Java |3.44 | +--------------------+----------+ Remediation/Fixes To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage or re-push your application To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands: cf ssh <appname> -c cat "staging_info.yml" Look for the following lines: {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env) ","start_command":".liberty/initial_startup.rb"} To re-stage your application using the command-line Cloud Foundry client, use the following command: cf restage <appname> To re-push your application using the command-line Cloud Foundry client, use the following command: cf push <appname> Workarounds and Mitigations None - -------------------------------------------------------------------------------- Potential spoofing attack in Liberty for Java (CVE-2020-4421) Security Bulletin Summary IBM WebSphere Application Server Liberty using openidConnectServer feature could allow spoofing identity by an authenticated user. This has been addressed. Vulnerability Details CVEID: CVE-2020-4421 DESCRIPTION: IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. CVSS Base score: 5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 180084 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |Liberty for Java |3.44 | +--------------------+----------+ Remediation/Fixes To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage or re-push your application To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands: cf ssh <appname> -c cat "staging_info.yml" Look for the following lines: {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env) ","start_command":".liberty/initial_startup.rb"} To re-stage your application using the command-line Cloud Foundry client, use the following command: cf restage <appname> To re-push your application using the command-line Cloud Foundry client, use the following command: cf push <appname> Workarounds and Mitigations None - -------------------------------------------------------------------------------- There is an information disclosure vulnerability in Liberty for Java (CVE-2020-4329) Security Bulletin Summary There is an information disclosure in WebSphere Application Server Liberty. Vulnerability Details CVEID: CVE-2020-4329 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. CVSS Base score: 4.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 177841 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |Liberty for Java |3.44 | +--------------------+----------+ Remediation/Fixes To upgrade to Liberty for Java 3.45-20200601-1056or higher, you must re-stage or re-push your application To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands: cf ssh <appname> -c cat "staging_info.yml" Look for the following lines: {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env) ","start_command":".liberty/initial_startup.rb"} To re-stage your application using the command-line Cloud Foundry client, use the following command: cf restage <appname> To re-push your application using the command-line Cloud Foundry client, use the following command: cf push <appname> Workarounds and Mitigations None - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXt2IguNLKJtyKPYoAQgvpBAAnzKmAnTi3EnsSTQoGVy+VoB5DmIaMars dOt+qG/dQWrNsE9dfnBliNDQagoKfZETzYwTfFWL18KYHEq67fTA8537YFAiiNer CFmDo4zGqZHdgT3pRvMLfsMNCAEPw2UUSwR/xCybpFT73QgoMjGoolb6hZh7JTAW UbPokAh/1xi3NdKTEfcVLrICgvWqgbL7rdAT0jQcRZvo5YcBXJ/nF4ufgGUQYCyN +xs6RJ6AU1H9eQ1/zinPZhoncfAtjQWneTyp0AIt1NCa8Ieev1sfddouFtcyuIhO iJZAtIIqbX1F2uXaJA1LpqArwFh/9ot+WCdchTSurNasOkX3fK5Tef/SH0B8D150 k+LiTpyQ68b+WRMeTMb3uGZMHPjykzY+WFCjKtl8gLQVvh5JzsU3ZJ6MTgnQbfkY d2CaTCppt0MWAvpbylb7XNBXV3+1LnZ6AyzoDJmuuEPVowhMRNwVuq0ZHAw1hrKR 1XtefPL5M3rsb6vLIJJ7ih9t4Ephp3L+/CwicPWTPwIO0C2RXrWCV+qDIeBREc31 PaalLQtkubyL3/ZVFqB17FXXGz8s/Sj5VpHaYLTqMjx0dsB2QwjcTJ4sCKLEP9l+ /QMEicPPQUxniJXuOxxXgdWb27TsxuPfQnnV/mhdtKDd6hG1rF6q61O3IeotMD6W sjPkvbhPP/Y= =nmJ0 -----END PGP SIGNATURE-----