===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3558
Security vulnerabilities have been fixed in the IBM Security Access Manager
                  and IBM Security Verify Access products
                              15 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-24616 CVE-2020-13817 CVE-2020-13692
                   CVE-2020-11868 CVE-2020-9548 CVE-2020-9547
                   CVE-2020-9546 CVE-2020-7656 CVE-2020-4499
                   CVE-2019-13734 CVE-2019-4552 CVE-2018-20852
                   CVE-2018-14404 CVE-2018-1311 CVE-2012-6153
                   CVE-2012-5783  

Reference:         ESB-2020.3190
                   ESB-2020.2619
                   ESB-2020.2287
                   ESB-2015.2574
                   ESB-2015.1317
                   ESB-2013.0227

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6348046

- --------------------------BEGIN INCLUDED TEXT--------------------

Security vulnerabilities have been fixed in the IBM Security Access Manager and
IBM Security Verify Access products

Security Bulletin

Summary

Fixes for security vulnerabilities identified in IBM Security Access Manager
and IBM Security Verify Access are available.

Vulnerability Details

CVEID: CVE-2020-11868
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a flaw in
ntpd. By sending a server mode packet with a spoofed source IP address, a
remote attacker could exploit this vulnerability to block unauthenticated
synchronization resulting in a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/180011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-13817
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an issue when
relying on unauthenticated IPv4 time sources in ntpd. By predicting transmit
timestamps for use in spoofed packets, a remote attacker could exploit this
vulnerability to cause the daemon to crash or the system time to change.
CVSS Base score: 7.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/183494 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2020-13692
DESCRIPTION: PostgreSQL JDBC Driver could allow a remote authenticated attacker
to obtain sensitive information, caused by an XML external entity (XXE) error
when processing XML data. By sending specially crafted XML data, a remote
attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/183018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-7656
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the load method. A remote attacker could
exploit this vulnerability to inject malicious script into a Web page which
would be executed in a victim's Web browser within the security context of the
hosting Web site, once the page is viewed. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/182264 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1311
DESCRIPTION: Apache Xerces-C could allow a remote attacker to execute arbitrary
code on the system, caused by a use-after-free error during the scanning of
external DTDs. By sending a specially crafted file, an attacker could exploit
this vulnerability to execute arbitrary code or cause a denial of service
condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/173437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4552
DESCRIPTION: IBM Security Access Manager Appliance is vulnerable to HTTP
response splitting attacks. A remote attacker could exploit this vulnerability
using a specially-crafted URL to cause the server to return a split response,
once the URL is clicked. This would allow the attacker to perform further
attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain
sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/165960 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-9547
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka
ibatis-sqlmap). By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/177103 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-9548
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/177104 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-9546
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded
hikari-config). By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/177102 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-13734
DESCRIPTION: Google Chrome could allow a remote attacker to execute arbitrary
code on the system, caused by an out-of-bounds write in SQLite. By persuading a
victim to visit a specially crafted Web site, a remote attacker could exploit
this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/172917 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-4499
DESCRIPTION: IBM Security Access Manager Appliance could allow an unauthorized
public OAuth client to bypass some or all of the authentication checks and gain
access to applications.
CVSS Base score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/182216 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2020-24616
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/187229 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments
Service (FPS) merchant Java SDK and other products, could allow a remote
attacker to conduct spoofing attacks, caused by the failure to verify that the
server hostname matches a domain name in the subject's Common Name (CN) field
of the X.509 certificate. By persuading a victim to visit a Web site containing
a specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-6153
DESCRIPTION: Apache HttpComponents could allow a remote attacker to conduct
spoofing attacks, caused by an incomplete fix related to the failure to verify
that the server hostname matches a domain name in the Subject's Common Name
(CN) or SubjectAltName field of certificates. By persuading a victim to visit a
Web site containing a specially-crafted certificate, an attacker could exploit
this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/95328 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2018-14404
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by a NULL
pointer dereference in the xpath.c:xmlXPathCompOpEval() function. By persuading
a victim to open a specially-crafted file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/147260 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-20852
DESCRIPTION: Python could allow a remote attacker to obtain sensitive
information, caused by the failure to correctly validate the domain by
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py. By
using a server with a hostname that has another valid hostname as a suffix, an
attacker could exploit this vulnerability to obtain leaked existing cookies.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/169515 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
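
The Python flaw above comes down to a plain string-suffix comparison. The following is an added example, not from the bulletin, with function names of our own rather than CPython's: the cookie-domain check in its pre-fix form beside a label-boundary form, plus a helper that lists which hosts the weak form would have released cookies to.

```python
# Added example, not from the bulletin and with names of our own rather than
# CPython's: the suffix check behind CVE-2018-20852, pre-fix beside hardened.

def _dotted(host: str) -> str:
    """Lower-case the name and give it a leading dot for label comparison."""
    host = host.lower()
    return host if host.startswith(".") else "." + host

def vulnerable_domain_return_ok(cookie_domain: str, request_host: str) -> bool:
    """Pre-fix behaviour: the request host is dot-prefixed but a cookie domain
    without a leading dot is not, so the test degenerates to a raw string
    suffix match and 'example.com' also matches 'pythonicexample.com'."""
    return _dotted(request_host).endswith(cookie_domain.lower())

def fixed_domain_return_ok(cookie_domain: str, request_host: str) -> bool:
    """Hardened: dot-prefix both sides so the match lands on a label boundary;
    only the cookie domain itself and its subdomains are accepted."""
    domain = cookie_domain.lower()
    if domain and not domain.startswith("."):
        domain = "." + domain
    return _dotted(request_host).endswith(domain)

def leaky_hosts(cookie_domain: str, hosts: list) -> list:
    """Hosts the weak check would have sent cookies to but the hardened
    check rejects: the population at risk of cookie leakage."""
    return [h for h in hosts
            if vulnerable_domain_return_ok(cookie_domain, h)
            and not fixed_domain_return_ok(cookie_domain, h)]

# Constructed sample: cookies scoped to example.com, hosts a client might contact.
SAMPLE_HOSTS = ["example.com", "www.example.com",
                "pythonicexample.com", "example.com.evil.test"]
```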

Affected Products and Versions

+--------------------------+----------+
|Affected Product(s)       |Version(s)|
+--------------------------+----------+
|ISAM                      |9.0.7     |
+--------------------------+----------+
|IBM Security Verify Access|10.0.0    |
+--------------------------+----------+

Remediation/Fixes

Fix Central
+-------------------------+-------------------------+-------------------------+
|Product Name             |Fixed in VRMF            |Fix availability         |
+-------------------------+-------------------------+-------------------------+
|IBM Security Access      |9.0.7.2                  |fix pack:                |
|Manager                  |                         |9.0.7-ISS-ISAM-FP0002    |
+-------------------------+-------------------------+-------------------------+
|IBM Security Verify      |10.0.0.1                 |fix pack:                |
|Access                   |                         |10.0.0-ISS-ISVA-FP0001   |
+-------------------------+-------------------------+-------------------------+

Docker

Log into docker.com and then execute the corresponding command for the release:

ISAM 9.0.7.2 - docker pull ibmcom/isam:9.0.7.2

ISVA 10.0.0.1 - docker pull ibmcom/verify-access:10.0.0.1

AWS Marketplace

+--------------------------------------+--------------------------------------+
|Product                               |First Fix availability                |
+--------------------------------------+--------------------------------------+
|ISAM                                  |IBM Security Access Manager v9        |
+--------------------------------------+--------------------------------------+
|ISVA                                  |IBM Security Verify Access v10        |
+--------------------------------------+--------------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================