-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3499
Security Bulletin: Security vulnerabilities have been fixed in IBM Security
               Access Manager and IBM Security Verify Access
               (CVE-2020-4661, CVE-2020-4699, CVE-2020-4660)
                              9 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
                   IBM Security Verify Access
Publisher:         IBM
Operating System:  Network Appliance
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4699 CVE-2020-4661 CVE-2020-4660

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6346619

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than IBM. It is recommended that administrators 
         running IBM Security Access Manager or IBM Security Verify Access 
         check for an updated version of the software for their operating 
         system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security vulnerabilities have been fixed in IBM Security Access Manager and IBM
Security Verify Access (CVE-2020-4661, CVE-2020-4699, CVE-2020-4660)

Security Bulletin

Summary

Several security vulnerabilities have been fixed in both IBM Security Access
Manager and IBM Security Verify Access products.

Vulnerability Details

CVEID: CVE-2020-4661
DESCRIPTION: IBM Security Access Manager Appliance could allow an attacker to
obtain sensitive information using timing side channel attacks, which could aid
in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/186142 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-4699
DESCRIPTION: IBM Security Access Manager Appliance could allow an attacker to
obtain sensitive information using timing side channel attacks, which could aid
in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/186947 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-4660
DESCRIPTION: IBM Security Access Manager Appliance could allow an attacker to
obtain sensitive information using timing side channel attacks, which could aid
in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/186140 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|ISAM                |9.0.7     |
+--------------------+----------+
|ISVA                |10.0.0    |
+--------------------+----------+

Remediation/Fixes

Fix Central
+---------------------------+-------------+--------------------------------+
|Product Name               |Fixed in VRMF|Fix availability                |
+---------------------------+-------------+--------------------------------+
|IBM Security Access Manager|9.0.7.2      |fix pack: 9.0.7-ISS-ISAM-FP0002 |
+---------------------------+-------------+--------------------------------+
|IBM Security Verify Access |10.0.0.1     |fix pack: 10.0.0-ISS-ISVA-FP0001|
+---------------------------+-------------+--------------------------------+
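As an added triage aid (not part of the IBM bulletin or of AusCERT's text), the
script below encodes the affected release streams and fixed VRMF levels from the
two tables above and classifies an inventory of appliances as vulnerable,
patched, or outside the scope of this bulletin. The inventory host names and
versions are constructed sample data; the product keys "ISAM" and "ISVA" and the
parse_vrmf/assess/triage function names are this example's own choices.

```python
from typing import Dict, Iterable, List, Tuple

# Fixed VRMF levels, copied from the bulletin's Fix Central table.
FIXED_VRMF: Dict[str, str] = {
    "ISAM": "9.0.7.2",
    "ISVA": "10.0.0.1",
}

# Affected release streams, copied from the bulletin's affected-versions table.
AFFECTED_STREAMS: Dict[str, str] = {
    "ISAM": "9.0.7",
    "ISVA": "10.0.0",
}


def parse_vrmf(vrmf: str) -> Tuple[int, int, int, int]:
    """Turn a VRMF string such as '9.0.7.2' into a comparable 4-tuple of ints.

    Shorter strings are right-padded with zeros, so '9.0.7' sorts as 9.0.7.0.
    """
    parts = vrmf.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF string: {vrmf!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def assess(product: str, installed: str) -> str:
    """Classify one installed VRMF against this bulletin.

    Returns 'patched', 'vulnerable', or 'not-in-scope' (a release stream the
    bulletin does not list; check IBM's bulletin for those rather than assuming
    they are safe).
    """
    if product not in FIXED_VRMF:
        raise KeyError(f"unknown product key: {product!r}")
    inst = parse_vrmf(installed)
    stream = parse_vrmf(AFFECTED_STREAMS[product])[:3]
    if inst[:3] != stream:
        return "not-in-scope"
    return "patched" if inst >= parse_vrmf(FIXED_VRMF[product]) else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (host, product, vrmf) records by their assessment result."""
    report: Dict[str, List[Tuple[str, str, str]]] = {
        "vulnerable": [], "patched": [], "not-in-scope": []
    }
    for host, product, vrmf in inventory:
        report[assess(product, vrmf)].append((host, product, vrmf))
    return report


# Constructed sample inventory for the demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("isam-prod-01", "ISAM", "9.0.7.1"),
    ("isam-prod-02", "ISAM", "9.0.7.2"),
    ("isva-dev-01", "ISVA", "10.0.0"),
    ("isam-legacy", "ISAM", "9.0.6.1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}:")
        for host, product, vrmf in hosts:
            print(f"  {host:14s} {product} {vrmf}")
```

Feed it the product and firmware level reported by each appliance's
management interface; anything reported as vulnerable should be taken to the
fix pack listed above, and anything not-in-scope should be checked against
the original IBM bulletin rather than assumed unaffected.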

Docker

Log into docker.com and then execute the corresponding command for the release:

ISAM 9.0.7.2 - docker pull ibmcom/isam:9.0.7.2

ISVA 10.0.0.1 - docker pull ibmcom/verify-access:10.0.0.1

AWS Marketplace

+-------+------------------------------+
|Product|First Fix availability        |
+-------+------------------------------+
|ISAM   |IBM Security Access Manager v9|
+-------+------------------------------+
|ISVA   |IBM Security Verify Access v10|
+-------+------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----