-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2201
  Security Bulletin: ICP Speech to Text, Text to Speech Oracle Java and
                           openSSL vulnerabilities
                               25 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ICP Speech to Text, Text to Speech
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2654 CVE-2019-1563 CVE-2019-1549 CVE-2019-1547
Reference:         ASB-2020.0028 ASB-2020.0001 ESB-2020.1889 ESB-2020.1797
                   ESB-2020.1487 ESB-2020.1224

Original Bulletin:
   https://www.ibm.com/support/pages/node/6238346
   https://www.ibm.com/support/pages/node/6238344

- --------------------------BEGIN INCLUDED TEXT--------------------

ICP Speech to Text, Text to Speech Oracle Java Vulnerability Fix

Security Bulletin

Summary

An Oracle Java vulnerability has been fixed by a Redhat patch
(https://access.redhat.com/errata/RHSA-2020:0202), included in ICP Watson Text
to Speech, Speech to Text v1.1.2 (6/19/20).

Vulnerability Details

CVEID:   CVE-2020-2654
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/174601 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+-----------------------------------------+----------+
|Affected Product(s)                      |Version(s)|
+-----------------------------------------+----------+
|IBM Watson Speech to Text, Text to Speech|1.0.1-1.1 |
+-----------------------------------------+----------+

Remediation/Fixes

An Oracle Java vulnerability has been fixed by a Redhat patch
(https://access.redhat.com/errata/RHSA-2020:0202), included in ICP Watson Text
to Speech, Speech to Text v1.1.2 (6/19/20). Please download and install the
latest version to receive this fix.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

ICP Speech to Text, Text to Speech - OpenSSL vulnerability fix.

Security Bulletin

Summary

An OpenSSL vulnerability has been fixed by a Redhat patch
(https://access.redhat.com/errata/RHSA-2020:1840) included in ICP Watson Text
to Speech, Speech to Text v1.1.2 (6/19/20).

Vulnerability Details

CVEID:   CVE-2019-1563
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a padding oracle attack in PKCS7_dataDecode and
CMS_decrypt_set1_pkey. By sending an overly large number of messages to be
decrypted, an attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/167022 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-1549
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to include protection in the event of a
fork() system call to ensure that the parent and child processes do not share
the same RNG state. An attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/167021 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-1547
DESCRIPTION: OpenSSL could allow a local authenticated attacker to obtain
sensitive information, caused by the ability to construct an EC group missing
the cofactor using explicit parameters instead of using a named curve. An
attacker could exploit this vulnerability to obtain full key recovery during
an ECDSA signature operation.
CVSS Base score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/167020 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+-------------------------+----------+
|Affected Product(s)      |Version(s)|
+-------------------------+----------+
|SpeechToText-TextToSpeech|1.0.1-1.1 |
+-------------------------+----------+

Remediation/Fixes

An OpenSSL vulnerability has been fixed by a Redhat patch
(https://access.redhat.com/errata/RHSA-2020:1840) included in ICP Watson Text
to Speech, Speech to Text v1.1.2 (6/19/20). Please download and install the
latest version to receive this fix.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
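The CVE-2019-1549 entry in the included text describes an RNG whose state is not protected across fork(), so a parent and its child can draw identical "random" output. The harness below is an added example, not part of the AusCERT bulletin, IBM's product, or OpenSSL's code. It is the check a defender can run against any byte source to confirm the property the fix restores: draw bytes in a forked child and in the parent, then compare. A once-seeded `random.Random` instance is a constructed stand-in for a user-space RNG with no fork protection (its whole state lives in process memory and is duplicated by fork()), while `os.urandom` asks the kernel on each call and so cannot share state. It assumes a POSIX system where `os.fork` is available.

```python
import os
import random


def fork_outputs(draw, n=16):
    """Call draw(n) in a forked child and then in the parent.

    Returns (parent_bytes, child_bytes). The child sends its bytes back over a
    pipe so the parent can compare them; any failure in the child is surfaced
    as a RuntimeError rather than silently producing an empty result.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: its RNG state (if user-space) is a byte-for-byte copy of the parent's.
        os.close(rfd)
        status = 0
        try:
            os.write(wfd, draw(n))
        except Exception:
            status = 1
        os.close(wfd)
        os._exit(status)

    # Parent: collect the child's output, then draw from its own copy of the state.
    os.close(wfd)
    child = b""
    while len(child) < n:
        chunk = os.read(rfd, n - len(child))
        if not chunk:
            break
        child += chunk
    os.close(rfd)
    _, wait_status = os.waitpid(pid, 0)
    if os.WEXITSTATUS(wait_status) != 0 or len(child) != n:
        raise RuntimeError("child failed to produce %d bytes" % n)
    parent = draw(n)
    return parent, child


def is_fork_safe(draw, n=16):
    """True if parent and forked child produce different bytes after fork().

    For a fork-unsafe user-space RNG both sides continue from the same copied
    state and return the same bytes, which is the failure mode CVE-2019-1549
    describes.
    """
    parent, child = fork_outputs(draw, n)
    return parent != child


def make_userspace_rng(seed=12345):
    """Constructed stand-in for a user-space RNG without fork protection.

    random.Random is not a cryptographic RNG; it is used here only because a
    separately created instance keeps all its state in process memory and is
    never reseeded in the child after fork().
    """
    rng = random.Random(seed)

    def draw(n):
        return rng.getrandbits(8 * n).to_bytes(n, "big")

    return draw


def kernel_rng_draw(n):
    """Fork-safe source: every call reads fresh bytes from the kernel."""
    return os.urandom(n)


if __name__ == "__main__":
    print("user-space RNG fork-safe:", is_fork_safe(make_userspace_rng()))  # False
    print("kernel RNG fork-safe:    ", is_fork_safe(kernel_rng_draw))       # True
```

The same harness can wrap any library's random-bytes function (a ctypes binding to the one in use, for instance) to verify that a deployed build reseeds or otherwise separates RNG state in the child; a `False` result from a source intended for key or nonce generation is the condition the patched version is meant to remove.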
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvQuKeNLKJtyKPYoAQisag/7BciDuWb/KD7P0LaWiovRda7BNAWbUAHx
wxcbDME0tt59Eh0axxN06CKsVwEbwyOp/70R/xuLE4An9pDR+ObU1/TjsCTZjKtH
bvtmwL4K0l3HSX4FDWn3u4Kb8+l5UvSv+0mqyTS15hqbeNfNNAOKyxvxV0VSu1v+
5903z6cOs+CEW+2a2h0XjYidPiP53wDNaNvLhTiR1uS+SUien/9+/SXHNhFr56vR
4fRboiWMNohxgY7+KHfFF3ZRDbz0qEl+/Aq+Vq9oj253KoaVn5X1ED1Tt0TmBGxc
arsrs3eg6SqgvMvadG+j7sIxJeP74GWxAGQ2YYFtVbuX3HtbIUmpP497VIvc1Zch
E9/Z/My1VrTXCImyAn4/VVnjxNPhQOLKbq5bTizx7HjcaJm0cH1JGWPZBOOIh2Ib
cbuSWBGOq32ZNyYn1LlQD9AEoOuvagJ5mMZU1t+xw1gdiUhzlmR302g2RqHQMSAI
llXLL6OtuMidVHKpRjC5GaAoytn3qV0imf9BEtWu8N1eNjlWKQUCoe3brKM1/ksY
BiUHTfrNQTAWxLYS8WIRP6YzGplhXmtsqaqUbG+Wo9uchRFUrXgJszPet3y3/l1r
/OCU2Fs1i9ZOcEIL9c/gHjeq5yfLcDG3Q3T5mL6SMcyeNWgUDV90nQmlVvsPUd+w
t0kh5Dvc1tg=
=ccaE
-----END PGP SIGNATURE-----