copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0980 - [Win][RedHat][AIX] IBM PureApplication System: Multiple vulnerabilities

Date: 16 June 2014
References: ASB-2014.0005  ESB-2014.0058  ESB-2014.0065  ESB-2014.0102  ESB-2014.0114  ESB-2014.0867  ESB-2014.0966  ESB-2014.0982  ESB-2014.1090  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0980
         Multiple vulnerabilities have been discovered within IBM
                          PureApplication system
                               16 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM PureApplication System
Publisher:         IBM
Operating System:  AIX
                   Red Hat
                   Windows
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Unauthorised Access    -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0960 CVE-2014-0411 

Reference:         ASB-2014.0005
                   ESB-2014.0966
                   ESB-2014.0867
                   ESB-2014.0114
                   ESB-2014.0102
                   ESB-2014.0065
                   ESB-2014.0058

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21675216
   http://www-01.ibm.com/support/docview.wss?uid=swg21675223

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM PureApplication System - Users can logon over SSH to system from
deployed VMs

Flash (Alert)

Document information

More support for:
PureApplication System
Security

Software version:
1.0, 1.0.0.1, 1.0.0.2, 1.0.0.3, 1.0.0.4, 1.1.0.0, 1.1.0.1, 1.1.0.2, 1.1.0.3

Operating system(s):
AIX, Linux Red Hat - xSeries, Windows

Reference #:
1675216

Modified date:
2014-06-09


Abstract

Security vulnerability found where local users can SSH to system from
deployed VMs

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2014-0960

DESCRIPTION:
The IBM PureApplication System contains a security bypass vulnerability
that might allow a local user to SSH to the system from a virtual machine.

CVSS:
CVSS Base Score: 6.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92743 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C)

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

AFFECTED PRODUCTS AND VERSIONS:

    IBM PureApplication System 1.0 and later
    IBM PureApplication System 1.1 and later


REMEDIATION:
Upgrade your IBM PureApplication System environment as follows:

    For IBM PureApplication System 1.0 and later, upgrade to Version
    1.0.0.4 cfix8 or later.
    For IBM PureApplication System 1.1 and later, upgrade to Version
    1.1.0.4 Interim Fix 1 or later.

WORKAROUND:
None

MITIGATION:
None

REFERENCES:
Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

CHANGE HISTORY:
06 June 2014 - Original Copy Published

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

IBM PureApplication System - Vulnerability in current IBM SDK for Java -
January 2014 CPU
Flash (Alert)

Document information

More support for:
PureApplication System
Security

Software version:
1.0, 1.0.0.1, 1.0.0.2, 1.0.0.3, 1.0.0.4, 1.1.0.0, 1.1.0.1, 1.1.0.2, 1.1.0.3

Operating system(s):
AIX, Linux Red Hat - xSeries, Windows

Reference #:
1675223

Modified date:
2014-06-09

Abstract

Security vulnerability exists in the IBM SDK for Java that is shipped with
IBM PureApplication System

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2014-0411

DESCRIPTION:
The IBM PureApplication System is shipped with an IBM SDK for Java that is
based on the Oracle JDK. Oracle has released January 2014 critical patch
updates (CPU) which contain security vulnerability fixes. The IBM SDK for
Java has been updated to incorporate these fixes. .

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

The following advisories are included in the SDK but IBM PureApplication
System is not vulnerable to them. You will need to evaluate your own
code to determine if you are vulnerable. Please refer to the Reference
section for more information on the advisories not applicable to IBM
PureApplication System:

CVE-2014-0428 CVE-2014-0422 CVE-2013-5907 CVE-2014-0415 CVE-2014-0410
CVE-2013-5889 CVE-2014-0417 CVE-2014-0387 CVE-2014-0424 CVE-2013-5878
CVE-2014-0373 CVE-2014-0375 CVE-2014-0403 CVE-2014-0423 CVE-2014-0376
CVE-2013-5910 CVE-2013-5884 CVE-2013-5896 CVE-2013-5899 CVE-2014-0416
CVE-2013-5887 CVE-2014-0368 CVE-2013-5888 CVE-2013-5898 .

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

AFFECTED PRODUCTS AND VERSIONS:

    IBM PureApplication System 1.0 and later
    IBM PureApplication System 1.1 and later


REMEDIATION:
Upgrade your IBM PureApplication System environment as follows:

    For IBM PureApplication System 1.0 and later, upgrade to Version
    1.0.0.4 cfix8 or later.
    For IBM PureApplication System 1.1 and later, upgrade to Version
    1.1.0.4 Interim Fix 1 or later.

WORKAROUND:
None

MITIGATION:
None

REFERENCES:
Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT:
None

CHANGE HISTORY:
06 June 2014 - Original Copy Published

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU55AKRLndAQH1ShLAQKspBAAhX9XJmioDf9sg/aWanhXRTB/5A4IjaMm
QyDr4fk7auinVXy/vxmqX4foR6JsJM3Ox5jkr0wKjZ9InrinwxDhG+bFiagNAFjw
hOdEyCGxRxFOqtKvvAGbNovEybgF3e4MNPJk4lGFkN2mxIFeI2N2YLZYUVJLeofb
gKoAKtYbovYLIfvb1PBi+TcT4d7ayXhV9P4B3SV+Je+F03Dm3cZNNtpBzT+kPydY
w2rzytcu6sODyStZ/WHJ7eqPPXN9gESBa8kg+hZuDFDAOUQVrhEPBxtceKF5K94P
8jGA/PuqLhhlQE6IgbCikRrMZnWhzw3rBIffdv/kb+8RLq5t4xAl9Y04HqfeAFbB
Tr2bqtZ8/7lbgvwBt0vLEppg26zqAq/T3z5ebI2LZdKaBfN8APpM5v4xLwkNFn8v
Vnas4tg3qb0d3NGX+shK9BhgdluTMPJLErxU1qJ9z0LiUZxHWQTlsPJjH8xHfm23
Q9HrAOVYx8te/WCsxNoGIh32bQcEQyh8gdHGIJLtY2/rzcBQZyhHo9BVJ1K/8Gzg
LItEuCGFAy655z0pS2u9iIYclcX+bqYaX7HLqc4dRp80M6wuYRsXmUaEBsz86mMs
4AyXfqP94f0NoOgtkUqoIUnymbnriWxECFxLjime1JzdHBciJIVCXGR1zza4F+g6
dFe5SBsKS+s=
=TW1W
-----END PGP SIGNATURE-----